BSides Canberra 2026

Password MisManagers: Hunting for Authentication Bypasses in Enterprise Password Managers
2026-09-24 , Main Track

Enterprise password managers hold the keys to the kingdom. Pop one, and you can instantly compromise every piece of infrastructure whose admin credentials were kept inside. So how well do these pieces of software hold up? In this talk, I'll walk through three different authentication bypass vulnerabilities I've found in self-hosted enterprise password managers used by Australian organisations. Each one allowing a user without access to walk on in as an admin and loot all the secrets. Along the way, I'll discuss overcoming two commercial code obfuscators, a fun bonus vulnerability that wandered straight out of a CTF and into production, and what defenders should actually do about all of this.

Aidan is a penetration tester and security researcher at Division 5. Over the years, he has tested most attack surfaces across most industries, with a particular focus on internal networks and critical infrastructure. Nowadays, he hunts for bugs that require a deeper dive then a traditional pentest permits. Outside of work, he creates CTF challenges for his local hackercons (BSides BNE and Crikeycon), and represented Team Oceania at the International Cybersecurity Challenge (ICC) in 2022 and 2023.