posted by martyb on Wednesday September 23 2020, @02:08AM
from the trustworthy dept.

Popular password manager could have a critical vulnerability:

A security researcher has discovered a new vulnerability in a popular password manager that could allow for remote code execution.

The password manager in question is Bitwarden and the vulnerability resides in the company's desktop app which automatically downloads updates and replaces its own code with these updates without user intervention.

Co-founder of Keytern.al Jeffrey Paul argues that the company's developers could leverage its automatic updates to install backdoors into every single installation of the password manager and steal all of the passwords stored in every desktop user's database.

In a post on GitHub, Jeffrey Paul provided further insight into the fact that Bitwarden would grant its developers full remote code execution, saying:

"The fact that, of all things, a password manager would grant FULL REMOTE CODE EXECUTION to its developers is insane. The very fact that you would ship a feature like this means you are in no way qualified to hold keys or authentication credentials that allow you to publish a new version that could, at your sole option, backdoor everyone's installations and steal all the passwords of every single user of this software."

Paul also makes the point that a third party could convince Bitwarden's developers to add a backdoor to the company's password manager. For instance, if someone had information on the developers, they could blackmail them into adding a backdoor or they could even pay them to do so as well.
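To make the story's point concrete, here is an added toy updater (not Bitwarden's code, and not from Paul's post): a client that checks a downloaded release against the vendor's own manifest accepts anything the release-key holder chooses to publish, while a second gate that requires the operator to have pinned the exact version and hash (for example after a reproducible build of the open-source tree) refuses a release nobody reviewed. The release payloads, version numbers and the `approved` pin list are constructed for the example.

```python
"""Toy update gate: vendor-trusting auto-update vs operator-approved update.
Constructed example; not Bitwarden's updater."""
import hashlib
import hmac
import json

# Constructed stand-ins for an application bundle shipped as an update.
GOOD_RELEASE = b"app v1.2.3: legitimate code"
ROGUE_RELEASE = b"app v1.2.4: legitimate code + vault exfiltration"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def vendor_manifest(version: str, payload: bytes) -> dict:
    """Whatever the release-key holder publishes. A coerced or malicious
    vendor produces a perfectly valid manifest for a backdoored build."""
    return {"version": version, "sha256": sha256_hex(payload)}


def auto_update(manifest: dict, payload: bytes) -> bool:
    """Unattended flow: apply if the payload matches the vendor manifest.
    Catches transport corruption or third-party tampering, never the vendor."""
    return hmac.compare_digest(manifest["sha256"], sha256_hex(payload))


def gated_update(manifest: dict, payload: bytes, approved: dict) -> bool:
    """Operator-approved flow: the (version, hash) pair must also appear in a
    pin list the operator maintains after reviewing each release."""
    if not auto_update(manifest, payload):
        return False
    pinned = approved.get(manifest["version"])
    return pinned is not None and hmac.compare_digest(pinned, manifest["sha256"])


def demo() -> dict:
    approved = {"1.2.3": sha256_hex(GOOD_RELEASE)}  # operator reviewed 1.2.3 only
    good_m = vendor_manifest("1.2.3", GOOD_RELEASE)
    rogue_m = vendor_manifest("1.2.4", ROGUE_RELEASE)
    return {
        "auto_good": auto_update(good_m, GOOD_RELEASE),
        "auto_rogue": auto_update(rogue_m, ROGUE_RELEASE),  # vendor check passes
        "gated_good": gated_update(good_m, GOOD_RELEASE, approved),
        "gated_rogue": gated_update(rogue_m, ROGUE_RELEASE, approved),  # not pinned
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The vendor-manifest check alone returns True for the rogue release; only the operator pin rejects it, which is the same trade-off as disabling auto-update and reviewing releases by hand.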

  • (Score: 4, Touché) by c0lo on Wednesday September 23 2020, @02:37AM (3 children)

    by c0lo (156) Subscriber Badge on Wednesday September 23 2020, @02:37AM (#1055207) Journal

    Any indication that hasn't already happened?

    --
    https://www.youtube.com/@ProfSteveKeen https://soylentnews.org/~MichaelDavidCrawford
    • (Score: 2) by NateMich on Wednesday September 23 2020, @02:46AM

      by NateMich (6662) on Wednesday September 23 2020, @02:46AM (#1055209)

      Any indication that hasn't already happened?

      No, and we guarantee it will be in about 24 hours.

    • (Score: 2) by c0lo on Wednesday September 23 2020, @03:50AM (1 child)

      by c0lo (156) Subscriber Badge on Wednesday September 23 2020, @03:50AM (#1055228) Journal

      I looked a bit closer. The project prides itself as being open source, with the repos here [github.com]
      It's:

      1. TypeScript (yikes! even the Command Line tools rely on TypeScript) and
      2. C#
        • WebApps for the server-side [github.com] - should work on .NET standard/core
        • mobile apps - uses Xamarin Android, Xamarin iOS, and Xamarin Forms - open source too (from MS)

      It seems that, with a bit of learning, it can be set up on something under your control (whatever meaning you choose for "your control"). Of course it will be more expensive than paying them for the service, but higher security with a price.

      --
      https://www.youtube.com/@ProfSteveKeen https://soylentnews.org/~MichaelDavidCrawford
      • (Score: 4, Informative) by richtopia on Wednesday September 23 2020, @04:01AM

        by richtopia (3160) on Wednesday September 23 2020, @04:01AM (#1055232) Homepage Journal

        I run my own Bitwarden server for my family. There is a Docker container that makes setup very easy: https://hub.docker.com/r/bitwardenrs/server [docker.com]

        The ability to run your own server is why I selected BW instead of the other alternatives. It is difficult to identify the lowest risk manager, and I doubt I could convince my family to use a manager that isn't sync'd between their devices. Running your own server adds some security through obscurity, which made my decision.

        I do not run the desktop app. Bitwarden has a web UI but most of the time we use the browser extension, which does not seem to have this vulnerability.

  • (Score: 5, Insightful) by fishybell on Wednesday September 23 2020, @02:44AM (3 children)

    by fishybell (3156) on Wednesday September 23 2020, @02:44AM (#1055208)

    This article feels like a troll. It's like saying automatic updates to your OS or browser could inject malicious code. This is fundamentally a problem with any piece of software.

    To say the least, this is old news [cmu.edu]. At some point in time you have to trust some parts of your system, or not use a computer at all.

    • (Score: 5, Insightful) by Runaway1956 on Wednesday September 23 2020, @03:13AM (2 children)

      by Runaway1956 (2926) Subscriber Badge on Wednesday September 23 2020, @03:13AM (#1055218) Journal

      At some point in time you have to trust some parts of your system,

      Trust but verify? I'm glad that there are people who are watching the system. I'm glad that there are people publishing their findings, and identifying those software and systems that cannot be trusted. Of course, it can get redundant, trying to identify the parts that cannot be trusted.

      It's like saying automatic updates to your OS or browser could inject malicious code.

      Microsoft has injected malicious code many times through updates. When AMD's Athlon XP chip was new, I experienced it personally, when Windows XP went into an endless rebooting cycle after an update. Similar has happened several times since then. Those were accidents, but they were still malicious code that crippled machines.

      Worse is the introduction of Windows telemetry, and eventually, forced upgrades to Win10. If you think about it, there's a lot of malicious code running on a Windows machine.

      --
      “I have become friends with many school shooters” - Tampon Tim Walz
      • (Score: 1, Redundant) by c0lo on Wednesday September 23 2020, @03:52AM

        by c0lo (156) Subscriber Badge on Wednesday September 23 2020, @03:52AM (#1055229) Journal

        Trust but verify?

        Go verify [github.com], they are open source.

        --
        https://www.youtube.com/@ProfSteveKeen https://soylentnews.org/~MichaelDavidCrawford
      • (Score: 1, Insightful) by Anonymous Coward on Wednesday September 23 2020, @02:41PM

        by Anonymous Coward on Wednesday September 23 2020, @02:41PM (#1055536)

        But again, calling the developers of Bitwarden "insane" for having a mechanism to provide security updates that could be abused is absurd. What alternative are they proposing, software without an update mechanism? "You have to get it perfect on the 1.0 release, because that's it. Any discovered security flaws will never be patched."

        Either the security researchers or the article writers or both are just seeking publicity.

        And to be clear, LastPass, Dashlane, and other password managers all have built-in update mechanisms too. The horror...

  • (Score: 1, Touché) by Anonymous Coward on Wednesday September 23 2020, @03:01AM (2 children)

    by Anonymous Coward on Wednesday September 23 2020, @03:01AM (#1055214)

    Hi, Bitwarden. I found a "security vulnerability" in your company. Yeah. Uh-huh. I'll be expecting a payout, per the usual large-company bug-bounty policy. Yep, uh huh.

    It sure would be a shame if something were to "happen" if you don't abide by this industry-standard practice.

    Jeffrey Paul is the attacker in this story?

    From what I can see, this app allows auto-updates. I mean, just like everything else on the internet today. Of course, this is a bad thing, isn't it -- because every user that I know manually verifies every update, looking at the changelog and comparing that to an analysis of the released binaries.

    Yes, a severe lapse indeed, and a failure to pay the security "researcher" who has only the "best interests" of <something> at heart.

    • (Score: 2) by Runaway1956 on Wednesday September 23 2020, @03:20AM (1 child)

      by Runaway1956 (2926) Subscriber Badge on Wednesday September 23 2020, @03:20AM (#1055221) Journal

      this app allows auto-updates. I mean, just like everything else on the internet today.

      My machine doesn't do automatic updates. I suppose I could search around, and figure out how to make the machine update automatically, but I don't want to. I launch one of my package managers, update the package lists with apt-get update, then browse the available updates and upgrades. TBH, I DO NOT inspect every change log on every piece of software. But, I do browse through the update list, browse some of the change lists, and decide what, if anything, I want to update.

      This really should be the default behavior of all operating systems, as well as applications installed on the system.

      --
      “I have become friends with many school shooters” - Tampon Tim Walz
      • (Score: 2, Interesting) by Anonymous Coward on Wednesday September 23 2020, @03:28AM

        by Anonymous Coward on Wednesday September 23 2020, @03:28AM (#1055225)

        As a follow-up, it would appear this is an infrequently-requested feature: https://community.bitwarden.com/t/add-an-option-to-disable-update/8123 [bitwarden.com]

        And also a known "bug" since well before this person raised an article about it. Security researcher is behind the user community, oops.

  • (Score: -1, Troll) by Anonymous Coward on Wednesday September 23 2020, @03:18AM (1 child)

    by Anonymous Coward on Wednesday September 23 2020, @03:18AM (#1055219)

    omg this sites articles are liek trash im quitting

    • (Score: 2) by c0lo on Wednesday September 23 2020, @03:59AM

      by c0lo (156) Subscriber Badge on Wednesday September 23 2020, @03:59AM (#1055231) Journal

      Do it already, stop spamming [soylentnews.org] us.

      --
      https://www.youtube.com/@ProfSteveKeen https://soylentnews.org/~MichaelDavidCrawford
  • (Score: 0, Funny) by Ethanol-fueled on Wednesday September 23 2020, @04:05AM (2 children)

    by Ethanol-fueled (2792) on Wednesday September 23 2020, @04:05AM (#1055234) Homepage

    Did you all see the NBA games with the Black minstrels dressing in drag with doilies around they necks? Like, sports radio says that unlike other leagues the NBA is run by the players. Nope! It's Run by Adam Silver and the Jewish team owners, [duckduckgo.com] who believe that Black Lives Matter only up to the point they'll accept pre-approved slogans they had no say in, and forced transsexualism. And if not, we'll make their Anti-Semitic careers disappear as quickly as that of Nick Cannon.

    I hate to see Jews humiliating Black people. I really wish that the Blacks would see who their real enemies are, and have been, since the slave days of America. But dangle a few million bucks in front of anyone's nose and they'll ruin it in the future for any hopeful minorities to seek a future providing for their families playing pro sports. Once you turn one Black or Mexican into a crab, then they'll be more than willing to pull down all other crabs they see trying to escape from their bucket.

    • (Score: 0) by Anonymous Coward on Wednesday September 23 2020, @06:21PM

      by Anonymous Coward on Wednesday September 23 2020, @06:21PM (#1055710)

      yes, this Marxist BLM ploy is typical Bolshevik Jew subversion.

    • (Score: 2) by hendrikboom on Thursday September 24 2020, @01:20AM

      by hendrikboom (1125) on Thursday September 24 2020, @01:20AM (#1055917) Homepage Journal

      Please distinguish between transsexuals and cross-dressers.

  • (Score: 0) by Anonymous Coward on Wednesday September 23 2020, @05:57AM (1 child)

    by Anonymous Coward on Wednesday September 23 2020, @05:57AM (#1055253)

    Popular password manager or Bitwarden password manager?
    Which one is more informative, more descriptive? What is the purpose of a title again?
    CHANGE THE TITLE NOW.

    • (Score: 0) by Anonymous Coward on Wednesday September 23 2020, @06:16AM

      by Anonymous Coward on Wednesday September 23 2020, @06:16AM (#1055258)

      Thank you Arik the pedant.

      What is the purpose of a title again?

      Titles titillate.

      :)

  • (Score: 2) by DannyB on Wednesday September 23 2020, @02:21PM (1 child)

    by DannyB (5839) Subscriber Badge on Wednesday September 23 2020, @02:21PM (#1055513) Journal

    Wear the t-shirt inside out.

    Now if you need to know a password, you can stretch the neck open a bit and peek down inside to read your shirt.

    Alternately, untuck shirt from pants and roll it up to find the password you need.

    --
    The server will be down for replacement of vacuum tubes, belts, worn parts and lubrication of gears and bearings.
    • (Score: 0) by Anonymous Coward on Wednesday September 23 2020, @10:12PM

      by Anonymous Coward on Wednesday September 23 2020, @10:12PM (#1055843)

      Attracts too much attention. Instead, sew the penis to the forehead.

  • (Score: 0) by Anonymous Coward on Wednesday September 23 2020, @07:17PM

    by Anonymous Coward on Wednesday September 23 2020, @07:17PM (#1055750)

    They can install whatever they want via automatic fuckups, which means a system with automatic fuckups of any kind enabled can be considered compromised by default. Stealing passwords via a "rogue update" should be fairly low on the agenda when automatic fuckups are concerned.
