Mikina

Hello!

I've recently stumbled upon an amazing blog about getting credentials from Bitwarden vault through DPAPI and Windows Credential Storage, and what suprised me is that any low-privileged process can just ask for all information in Credential Storage, without requiring any user input (the article discusses it in the second half, even though the first half is about abusing DA credentials), through the CredEnumerateW WinApi call.

Since that vector was pretty interresting, I tried running their PoC for listing the cred storage on my, and several colleague machines, and was surprised that every machine had domain account credentials listed in plaintext, that could be grabbed by any low-privileged process just by calling this WinAPI.

I suspected that it's because of Outlook or Teams, because I found articles from few years ago mentioning that they do get saved there. However, one colleague did not have his credentials there, even though he was using Teams and Outlook, and had his password saved.

So, how did that password get there? Why most people we tried the PoC with do have a domain password saved, but some do not? Or is it because of Windows Hello? I'd love to get some kind of solution/recommendation about how to avoid having your password, in plaintext, in such an insecure space. Or was I dumb enough to save it into Edge somwhere, and have promptly forgotten about it?

And more importantly - how this isn't a pretty severe vulnerability, and is considered "as designed" by Microsoft? The fact that any process can just ask for your credentials is mind-blowing, plus it isn't even detected by EDRs we've tried it with when discussing it with our SoC.

There is one argument I've seen missing in most of the de/federation discussions, that I think should be mentioned, and warrants it's own discussion.

I've seen a lot of people mentioning that defederating with Meta means we have broken the promise of Fediverse, that you can use one account to interact with whatever service you choose, and that it should be inclusive.

But I don't agree that's the main idea. There is something that's more important, and to make sure I'm not misinterpreting it, I'll just directly quote various websites about the Fediverse I've found (I was just taking top results for Fediverse on DuckDuckGo, but I did select only the parts that are the most important point for me personally). But I do concur, I was not able to find a single source of truth, and I'm not really sure how credible the resources are, so please disagree with me if it's wrong or I've chosen some no-name site that just matched my rethorics.

https://www.fediverse.to/ has the following sentence as the main hero header:

The fediverse is a collection of community-owned, ad-free, decentralised, and privacy-centric social networks.

Each fediverse instance is managed by a human admin. You can find fediverse instances dedicated to art, music, technology, culture, or politics.

Join the growing community and experience the web as it was meant to be.

Another search result is for fediverse.party, which has the following quite in https://fediverse.party/en/fediverse/ :

Fediverse (also called Fedi) has no built-in advertisements, no tricky algorithms, no one big corporation dictating the rules. Instead we have small cozy communities of like-minded people.

The page also mentions some link for knowledge about the fediverse. Some of them are only tutorials about how to join, but there's also https://joinfediverse.wiki/What_is_the_Fediverse%3F , with the following part:

How does it compare to traditional social media?

...

Morals

• Traditional social media is neither social nor media. It is not made for you, it is made to exploit you and it is full of misleading ads and fake news.
• This is because the aim of traditional social media is to make a whole lot of money.
• The aim of the Fediverse is to benefit the people.
• The aim of traditional social media is to control and steer the users.
• The aim of the Fediverse is to empower the users to control the Fediverse.

I wasn't able to find more websites directly about the fediverse, and I did not want to quote random articles. But for completion sake, here is a list of FAQ/About sections of websites that are about the Fediverse, but don't directly support or imply the point of view I was trying to make (one that can be best summarized by the Morals in the last quite):

• https://fediverse.info/frequently-asked-questions
• https://fedi.tips/what-is-mastodon-what-is-the-fediverse/
• https://framatube.org/w/9dRFC6Ya11NCVeYKn8ZhiD
• https://en.wikipedia.org/wiki/Fediverse
• https://the-federation.info/

The split seems to be 50:50, but at least for my DuckDuckGo search results, the https://www.fediverse.to/ is the first result you find, and that one is pretty clear about what Fediverse should be. I wanted to start a discussion about what do the users here see as a main selling point of the fediverse, and whether morals and non-profit nature of the instances is important to most of the users as it is to me, or whether you'd rather have interconnectness and inclusivness.