Results of Bitwarden security audit published
Bitwarden is a popular choice when it comes to password managers; it is open source, programs are available for all major desktop operating systems, the Android and iOS mobile platforms, the Web, as browser extensions, and even the command line.
Cure 53 was hired to "perform white box penetration testing, source code auditing, and a cryptographic analysis of the Bitwarden ecosystem of applications and associated code libraries".
Bitwarden released a PDF document that highlights the findings of the security company during the audit and the company's response.
The research term uncovered several vulnerabilities and issues in Bitwarden. Bitwarden made changes to its software to address pressing issues immediately; the company changed how login URIs work by limiting allowed protocols.
The company implemented a whitelist that allows the schemes https, ssh, http, ftp, sftp, irc, and chrome only at the point in time and not other schemes such as file.
The four remaining vulnerabilities that the research term found during the scan did not require immediate action according to Bitwarden's analysis of the issues.
The researchers criticized the application's lax master password rule of accepting any master password provided that it is at least eight characters in length. Bitwarden plans to introduce password strength checks and notifications in future versions to encourage users to select master passwords that are stronger and not easily broken.
Two of the issues require a compromised system. Bitwarden does not change encryption keys when a user changes the master password and a compromised API server could be used to steal encryption keys. Bitwarden can be set up individually on infrastructure that is owned by the individual user or company.
The final issue was discovered in the handling of Bitwarden's autofill functionality on sites that use embedded iframes. The autofill functionality checks only the top-level address and not the URL used by embedded iframes. Malicious actors could therefore use embedded iframes on legitimate sites to steal autofill data.
Now You: Which password manager do you use, any why?Advertisement