Results of Bitwarden security audit published

Martin Brinkmann
Nov 13, 2018

Bitwarden hired the German security company Cure 53 to audit the security of Bitwarden software and technologies used by the password management service.

Bitwarden is a popular choice when it comes to password managers; it is open source, programs are available for all major desktop operating systems, the Android and iOS mobile platforms, the Web, as browser extensions, and even the command line.

Cure 53 was hired to "perform white box penetration testing, source code auditing, and a cryptographic analysis of the Bitwarden ecosystem of applications and associated code libraries".

Bitwarden released a PDF document that highlights the findings of the security company during the audit and the company's response.

The research term uncovered several vulnerabilities and issues in Bitwarden. Bitwarden made changes to its software to address pressing issues immediately; the company changed how login URIs work by limiting allowed protocols.

The company implemented a whitelist that allows the schemes https, ssh, http, ftp, sftp, irc, and chrome only at the point in time and not other schemes such as file.

The four remaining vulnerabilities that the research term found during the scan did not require immediate action according to Bitwarden's analysis of the issues.

The researchers criticized the application's lax master password rule of accepting any master password provided that it is at least eight characters in length. Bitwarden plans to introduce password strength checks and notifications in future versions to encourage users to select master passwords that are stronger and not easily broken.

Two of the issues require a compromised system. Bitwarden does not change encryption keys when a user changes the master password and a compromised API server could be used to steal encryption keys. Bitwarden can be set up individually on infrastructure that is owned by the individual user or company.

The final issue was discovered in the handling of Bitwarden's autofill functionality on sites that use embedded iframes. The autofill functionality checks only the top-level address and not the URL used by embedded iframes. Malicious actors could therefore use embedded iframes on legitimate sites to steal autofill data.

Now You: Which password manager do you use, any why?

Results of Bitwarden security audit published
Article Name
Results of Bitwarden security audit published
Bitwarden hired the German security company Cure 53 to audit the security of Bitwarden software and technologies used by the password management service.
Ghacks Technology News

Previous Post: «
Next Post: «


  1. Anonymous said on March 24, 2020 at 4:40 pm

    the iframe vulnerability is shocking, is it fixed yet?

    1. Anon5443 said on April 21, 2020 at 3:13 pm

      I want to know this as well.

      1. Anonymous said on October 17, 2020 at 7:06 am
  2. Darren said on November 14, 2018 at 12:54 am

    Just FYI for those interested – Bitwarden is a cloud based password manager only. You need an account with them to to use it.

    1. beemeup5 said on November 17, 2018 at 1:31 pm

      This is incorrect. Bitwarden stores all encrypted data locally on the device. The account is for securely syncing the data so that if your device is lost or damaged you don’t lose access to all your accounts. By syncing the data you are essentially creating a backup which can be accessed through the API with your account credentials.

      The account used for syncing can be self-hosted by a local or remote machine you control, so it is not necessary to rely or trust in Bitwarden’s own servers if you do not wish to. Bitwarden provides all the instructions needed to set this up. By self-hosting, the company behind Bitwarden could disappear tomorrow and you would still be able to use Bitwarden as usual (although there would be no new uodates).

      1. Diego said on July 31, 2019 at 9:21 pm

        Correct me if I’m wrong, but I believe you do need Bitwarden servers in either case. Even if hosting the data locally, the clients rely on the Bitwarden services to locate the locally stored data. For example, the Android App or Chrome Extension don’t have an option to say where the server is located. So, to find the server hosted in your own network, you still need Bitwarden servers.

      2. Sebastian said on August 22, 2019 at 11:56 am

        Both, app and extension, are able to connect to a self hostet server out of the box. You can set it before login into your account by entering the settings and entering your server ip etc.

  3. ShintoPlasm said on November 13, 2018 at 8:52 pm

    I’m still sceptical about the financial sustainability of this project, simply don’t get how it manages to survive with such low fees.

    1. nodata4u said on November 27, 2018 at 4:46 pm

      They aren’t greedy, and only use the funds to survive and keep the project going. Its the community that believes in open source software for everyone that keeps this project alive. The principle of the matter is we want security, that isn’t used as a platform to collect data for marketing purposes and profit, and that can be trusted by the community as a whole. Bitwarden has the same core principles. Its that simple. Just because they aren’t “Maximizing profits” doesn’t mean they won’t survive. Why is that so hard to understand?

      1. Sgt Freely said on December 20, 2019 at 10:43 pm

        Thank you I am glad someone can understand that. It’s the whole idea behind open source before the big corporations starting capitalizing on it. They have very low overhead, and yes I said they because it is a legit LLC, so they can get away with charging a very reasonable price for a great service. I’m even sure Code 53 worked at a way discounted rate because of that very reason.

  4. Ian Gently said on November 13, 2018 at 8:07 pm

    Caveat – the core infrastructure is written in C# using .NET Core with ASP.NET Core. The database is written in T-SQL/SQL Server.

    1. Clairvaux said on November 15, 2018 at 10:00 am

      Why is that a problem ? (Straight question, nothing implied.)

  5. Paul(us) said on November 13, 2018 at 4:34 pm

    Wow, what a read that Bitwarden conclusion after research document. I did not understand at least 60 % after the first read. And still, I am puzzling with at least 30% of the matter.
    But its good that there where a fresh pair of eyes on the matter and after reading this article I now a firm believer that there should be, even more, human power on this particular matter.

    I myself are a happy Waterfox (who uses a lot of cpu power with certain task compared with outher brouwsers), sometimes Chrome and usely Firefox KeePass 2.40 user. And with the help of I am still tweaking the settings from time to time.

    The only concern I really have is main Microsoft Internet Explorer 11 who I use twice or three times a year (I still not using M.s. Edge even with Global Auto-Type Hot Key) from which upto now I could not find, a KeePass intergration solution link. And after all this time I am thinking its not coming any more. So I am still using Lastpass 4.17.1 for the Ms. Explorer 11. Does your Martin or anybody knows a better solution or even mayby a KeePass soluiton for Ms.IE 11?

  6. jake said on November 13, 2018 at 12:22 pm

    I Tried Dashlane for about a year free premium trial then i switched Lastpass free.

    Few months ago i switched to bitwarden for good. Open source and trusted company.

    1. Anonymous said on November 13, 2018 at 8:16 pm

      The company is just one person, iirc

      1. Barb said on November 14, 2018 at 4:14 pm

        If you want lots of people, go with something like M$ = big = good. Right ?

      2. Sgt Dan said on December 20, 2019 at 10:36 pm

        That;s hilarious for real….. Microsoft is one huge security breach and it’s partly because of it’s size. OpSec – The smaller the circle of need to knows, the more chances of maintaining OpSec. Operational Security for other that don’t know the term.

      3. Heimen Stoffels said on November 14, 2018 at 11:37 am

        Mostly, yes, but he’s not the only one in the company. And yes, it really is a company: 8bit Solutions LLC.

  7. Moloch said on November 13, 2018 at 11:53 am

    I was using Keepass with the firefox extension, but since i read this article i tried Bitwarden and its so much easier to use really, the keepass browser extension is tedious if you have multiple logins for a website, the main application has a certain plugin that needs an update which is a hassle to find, the generator is quite shitty to use as well, it used to be great but since the extension changed to a webextension it was annoying to use.

    Thanks Martin, got a new password manager now :)

  8. Womble said on November 13, 2018 at 11:04 am

    It’s obviously great that they employed a few security professionals to find the issues that the “million eyes” open source community didn’t.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.