Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

As concerning as the exploit is, Bitwarden's purported response is even more so; FTA:

> I've reported the issue to Bitwarden previously, however it was marked out of scope as it belongs to one of these categories:

>> Attacks requiring physical access to a user's device

> or

>> Scenarios that are extremely complex, difficult or unlikely when utilizing already compromised administrative accounts, self-hosted server, networks or physical devices which would render much easier and alternate means of compromising the data contained within Bitwarden

> This is however not entirely true: only the device-local encrypted vault data needs to be accessed. If accessing device-local data is outside of the threat model, why are we encrypting these data at all? We might as well store them in plain text.



Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: