• Onno (VK6FLAB)
    link
    fedilink
    English
    arrow-up
    20
    arrow-down
    1
    ·
    5 months ago

    Unless I misunderstood, the attacker already needs to have access to your machine. If that’s the case, you have much bigger problems.

    • krellor@fedia.io
      link
      fedilink
      arrow-up
      11
      ·
      5 months ago

      Yeah, it sounds like the first exploit required your vault to be unlocked so that a malicious process pretending to be a legitimate integration like a browser plugin could request credentials, and the second one required installing an out of date version of the app.

      Good that it is all patched, and that it wasn’t a remotely exploitable issue.

      • P03 Locke@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        4
        arrow-down
        1
        ·
        5 months ago

        Yeah, it sounds like the first exploit required your vault to be unlocked

        That barely fits the requirements to even be called a vulnerability.

        “Sir, this safe lock is horribly insecure because all it takes for somebody to get access to the safe is to have the owner invite an intruder over to his house, unlock the safe, and the intruder can barge right in!”

        I’m all for broadcasting vulnerabilities for services that deserve it. But, taking two of the thousand unrated CVEs that appear each year, slapping on a clickbait headline, and trying to scare people into not trusting password managers is a load of shit. The only reason this trash got upvoted is because this community has a massive hard-on for locally-controlled password stores, without acknowledging the negatives.

        • krellor@fedia.io
          link
          fedilink
          arrow-up
          3
          ·
          5 months ago

          One thing to keep in mind about how these vaults work, is you often unlock them and then they stay unlocked for a short period of time, like 5 minutes. So if you do compromise a system and can detect when it is unlocked, you have a decent window to programmatically extract credentials.

          That said, it requires that your system has already been completely owned, pretty much. At that point, it could potentially log keystrokes and clipboard, and get credentials, including your master password.

          • P03 Locke@lemmy.dbzer0.com
            link
            fedilink
            English
            arrow-up
            2
            ·
            5 months ago

            Right. If you have malware on your computer, you might as well assume that every part of the computer, and everything it can connect to, is compromised.