We will see when the attacks are public, a lot of the malicious server attacks we have seen in the past were kinda of overblown. Not discounting OP but it is very easy to get into clickbait territory.
caveat not properly addressed in the blog post: all "attacks" are assuming full takeover of web servers, which is certainly a scenario that should be protected against, but isn't really a vulnerability unless chained with something else.
almost all online services would be "vulnerable" in this way - take almost any login system. an RCE on a system hosting a login page would obviously be vulnerable to account takeover
Enough said. This kind of stuff should be offline only. If you need to access your password database on multiple devices, set up a LAN and/or a Wireguard tunnel for remote access.
Storing encrypted files is the best use case for the cloud. There's absolutely zero reason to set up your own wire guard tunnel if the file is encrypted. You can even throw it on Google drive, if you want.
The article is nearly useless for users of the software who want to know how their data may have been affected. The researchers' website is more descriptive, especilly wrt specific findings.
I only want to know if BW01-05, 07, 10-12 and have been addressed. 06 is very minor and known, and 08-09 only appear to apply to organization accounts.
16 comments
[ 5.0 ms ] story [ 36.2 ms ] threadThe main issue with these managers. I use an encrypted text file and Emacs, nothing on the cloud for me.
There are certain types of data I prefer to have complete control over. Passwords, no matter how encrypted they claim to be, are top of the list.
The researchers demonstrated 12 attacks on Bitwarden, 7 on LastPass and 6 on Dashlane
almost all online services would be "vulnerable" in this way - take almost any login system. an RCE on a system hosting a login page would obviously be vulnerable to account takeover
better link here (the technical details): https://zkae.io/
Enough said. This kind of stuff should be offline only. If you need to access your password database on multiple devices, set up a LAN and/or a Wireguard tunnel for remote access.
https://zkae.io/
Just make sure you have backups