‘Bitwarden’ Password Manager Follows Risky Updating Practices
- ‘Bitwarden’ can push updates to users remotely, changing the app’s code without involving the user.
- Some people see this as an absurdly risky practice, but Bitwarden sees it as a standard approach for contemporary software projects.
- The risk of one of the developers going rogue and pushing a backdoor to the entire userbase is there, though.
Security researcher Jeffrey Paul has discovered a worrying aspect of how Bitwarden updates work and shared his thoughts in a GitHub post. According to the researcher, the popular password manager’s desktop application can automatically download updates, which is generally considered a security-enhancing feature.
Those updates replace the app’s code remotely, without ever asking the user to confirm the action, so the process runs in the background without generating any alerts. For this to work, Bitwarden’s developers effectively hold remote code execution rights over every installation of the app.
It may sound like this happens for the end-user’s convenience and safety, and many would opt to see it as such - but it comes with dire risks, without a doubt. Would you blindly trust a remote team of developers if they could plant a backdoor on your Bitwarden installation any time they chose?
We’re not saying that Bitwarden’s developers aren’t ethical or that they have ill intentions. Still, there’s always the possibility of coercion, or of hacking attacks that compromise Bitwarden’s infrastructure. This could result in all passwords and data stored in the app being exfiltrated to the attackers, whoever they may be.
As the researcher points out, anyone interested in a Bitwarden user’s secrets could kidnap a developer and threaten them, blackmail them remotely, or simply pay them to do it. There are many ways to “convince” a developer to plant a backdoor on the computer of a specific target - or, worse, to steal the data of the entire Bitwarden userbase at once by sending out a single malicious update. By the time the rest of the team notices and reverses the action, everything will already be gone.
Bitwarden has responded to these allegations by saying that it sees auto-updating as an integral and critical security component that 99.9% of its userbase appreciates. It also pointed out that there has never been a case of anything malicious being introduced through these auto-updates - which, in its view, proves that there is no risk and no suspicious intent. Updates go through a ‘testing, review, and approval’ process, so no single developer can send one out independently of the rest of the team.
Moreover, Bitwarden reassured its users that its products and services are rigorously tested by third-party auditors, although this wouldn’t cover individual updates, of course. Finally, it promised to add a way for users to toggle automatic updates to “off,” taking the risk upon themselves if they prefer it that way.
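The two controls Bitwarden cites, a multi-person approval gate and a user-side “off” switch, can be expressed in a client-side update check. The following is an added, constructed illustration written for this article, not Bitwarden’s own updater code; the release-team key pairs, the threshold of two signatures and the update bundle are all made up for the demo.

```go
package main
import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// UpdatePolicy (constructed illustration, not Bitwarden's updater): apply an update only if the
// user left auto-update on AND at least Threshold distinct pinned maintainer keys signed its digest.
type UpdatePolicy struct {
	AutoUpdateEnabled bool
	Maintainers       []ed25519.PublicKey // release-team public keys pinned in the client
	Threshold         int                 // minimum number of distinct valid signatures
}

// Accept returns nil if the update may be applied; sigs maps maintainer index -> signature over sha256(payload).
func (p UpdatePolicy) Accept(payload []byte, sigs map[int][]byte) error {
	if !p.AutoUpdateEnabled {
		return fmt.Errorf("auto-update disabled by user; update not applied")
	}
	digest, valid := sha256.Sum256(payload), 0
	for idx, sig := range sigs { // map keys are unique, so each maintainer counts at most once
		if idx >= 0 && idx < len(p.Maintainers) && ed25519.Verify(p.Maintainers[idx], digest[:], sig) {
			valid++
		}
	}
	if valid < p.Threshold {
		return fmt.Errorf("only %d of %d required maintainer signatures valid", valid, p.Threshold)
	}
	return nil
}
// DemoMaintainers makes n throwaway key pairs standing in for a hypothetical release team.
func DemoMaintainers(n int) (pubs []ed25519.PublicKey, privs []ed25519.PrivateKey) {
	for i := 0; i < n; i++ {
		pub, priv, _ := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
		pubs, privs = append(pubs, pub), append(privs, priv)
	}
	return pubs, privs
}
// SignUpdate has the maintainers at the given indexes sign the payload digest.
func SignUpdate(payload []byte, privs []ed25519.PrivateKey, signers ...int) map[int][]byte {
	digest, sigs := sha256.Sum256(payload), map[int][]byte{}
	for _, i := range signers {
		sigs[i] = ed25519.Sign(privs[i], digest[:])
	}
	return sigs
}
func main() {
	pubs, privs := DemoMaintainers(3)
	b, policy := []byte("constructed update bundle"), UpdatePolicy{true, pubs, 2}
	fmt.Println(policy.Accept(b, SignUpdate(b, privs, 0)), policy.Accept(b, SignUpdate(b, privs, 0, 2)))
}
```

A single maintainer’s signature, a signature set over a different payload, or a disabled toggle all cause the update to be refused, which is the property the review-and-approval process is meant to give.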