Results of Bitwarden security audit published - gHacks Tech News

Bitwarden hired the German security company Cure 53 to audit the security of Bitwarden software and technologies used by the password management service.

Bitwarden is a popular choice when it comes to password managers; it is open source, programs are available for all major desktop operating systems, the Android and iOS mobile platforms, the Web, as browser extensions, and even the command line.

Cure 53 was hired to "perform white box penetration testing, source code auditing, and a cryptographic analysis of the Bitwarden ecosystem of applications and associated code libraries".

Bitwarden released a PDF document that highlights the findings of the security company during the audit and the company's response.

The research team uncovered several vulnerabilities and issues in Bitwarden. Bitwarden made changes to its software to address the pressing issues immediately; in particular, the company changed how login URIs work by limiting the allowed protocols.

The company implemented a whitelist that, at the time of writing, permits only the schemes https, ssh, http, ftp, sftp, irc, and chrome; other schemes, such as file, are rejected.


The four remaining vulnerabilities that the research team found during the audit did not require immediate action according to Bitwarden's analysis of the issues.

The researchers criticized the application's lax master password rule of accepting any master password provided that it is at least eight characters in length. Bitwarden plans to introduce password strength checks and notifications in future versions to encourage users to select master passwords that are stronger and not easily broken.

Two of the issues require an already compromised system. Bitwarden does not change encryption keys when a user changes the master password, and a compromised API server could be used to steal encryption keys. Bitwarden can also be self-hosted on infrastructure that is owned by the individual user or company.

The final issue was discovered in the handling of Bitwarden's autofill functionality on sites that use embedded iframes. The autofill functionality checks only the top-level address and not the URL used by embedded iframes. Malicious actors could therefore use embedded iframes on legitimate sites to steal autofill data.
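To make the two fixes described above concrete, here is an added example (not Bitwarden's own code) of a login-URI scheme whitelist and an autofill decision that checks the frame URL as well as the top-level page. The hostnames example.com and attacker.example are constructed test values, and the exact-host matching is a simplification of what a real password manager does.

```javascript
// Added example (not Bitwarden's code): scheme whitelist for stored login URIs
// and an autofill decision that checks the frame URL, not only the top-level page.
const ALLOWED_SCHEMES = new Set(["https", "ssh", "http", "ftp", "sftp", "irc", "chrome"]);

// Parse a stored login URI; return null if it is malformed or its scheme is not allowed.
// Rejects e.g. file:, javascript: and data: URIs before they can reach an autofill path.
function parseLoginUri(uri) {
  let parsed;
  try {
    parsed = new URL(uri);
  } catch (e) {
    return null; // not a valid absolute URI
  }
  const scheme = parsed.protocol.replace(/:$/, "").toLowerCase();
  return ALLOWED_SCHEMES.has(scheme) ? parsed : null;
}

// Exact host match: the candidate URL must share scheme and hostname with the stored entry.
// (Real matchers also handle subdomains, ports and user-configured match rules.)
function matchesEntry(entry, candidateUrl) {
  const c = parseLoginUri(candidateUrl);
  return c !== null && c.protocol === entry.protocol && c.hostname === entry.hostname;
}

// Decide whether to autofill credentials for `storedUri` into a form.
// With checkFrame=false this reproduces the weak behaviour the auditors flagged:
// only the top-level URL is compared, so a matching page that embeds a foreign iframe
// would still receive the fill. With checkFrame=true the frame must match as well.
function shouldAutofill(storedUri, topLevelUrl, frameUrl, checkFrame = true) {
  const entry = parseLoginUri(storedUri);
  if (entry === null) return false;
  if (!matchesEntry(entry, topLevelUrl)) return false;
  if (!checkFrame) return true; // top-level-only check
  return matchesEntry(entry, frameUrl); // hardened: frame origin must match too
}
```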

Now You: Which password manager do you use, and why?


Comments

  1. Womble said on November 13, 2018 at 11:04 am
    Reply

    It’s obviously great that they employed a few security professionals to find the issues that the “million eyes” open source community didn’t.

  2. Moloch said on November 13, 2018 at 11:53 am
    Reply

    I was using Keepass with the Firefox extension, but since I read this article I tried Bitwarden and it's so much easier to use really. The Keepass browser extension is tedious if you have multiple logins for a website, the main application has a certain plugin that needs an update which is a hassle to find, and the generator is quite shitty to use as well; it used to be great but since the extension changed to a WebExtension it was annoying to use.

    Thanks Martin, got a new password manager now :)

  3. jake said on November 13, 2018 at 12:22 pm
    Reply

    I tried Dashlane for about a year on a free premium trial, then I switched to Lastpass free.

    A few months ago I switched to Bitwarden for good. Open source and a trusted company.

    1. Anonymous said on November 13, 2018 at 8:16 pm
      Reply

      The company is just one person, iirc

      1. Heimen Stoffels said on November 14, 2018 at 11:37 am
        Reply

        Mostly, yes, but he’s not the only one in the company. And yes, it really is a company: 8bit Solutions LLC.

      2. Barb said on November 14, 2018 at 4:14 pm
        Reply

        If you want lots of people, go with something like M$ = big = good. Right ?

  4. Paul(us) said on November 13, 2018 at 4:34 pm
    Reply

    Wow, what a read that Bitwarden conclusion-after-research document is. I did not understand at least 60% after the first read. And still, I am puzzling over at least 30% of the matter.
    But it's good that there were a fresh pair of eyes on the matter, and after reading this article I am now a firm believer that there should be even more human power on this particular matter.

    I myself am a happy Waterfox (which uses a lot of CPU power with certain tasks compared with other browsers), sometimes Chrome and usually Firefox KeePass 2.40 user. And with the help of Ghacks.net I am still tweaking the settings from time to time.

    The only concern I really have is mainly Microsoft Internet Explorer 11, which I use twice or three times a year (I am still not using MS Edge, even with the Global Auto-Type Hot Key), for which up to now I could not find a KeePass integration solution link. And after all this time I am thinking it's not coming any more. So I am still using Lastpass 4.17.1 for MS Explorer 11. Does Martin or anybody know a better solution, or even maybe a KeePass solution for MS IE 11?

  5. Ian Gently said on November 13, 2018 at 8:07 pm
    Reply

    Caveat – the core infrastructure is written in C# using .NET Core with ASP.NET Core. The database is written in T-SQL/SQL Server.

    1. Clairvaux said on November 15, 2018 at 10:00 am
      Reply

      Why is that a problem ? (Straight question, nothing implied.)

  6. ShintoPlasm said on November 13, 2018 at 8:52 pm
    Reply

    I’m still sceptical about the financial sustainability of this project; I simply don’t get how it manages to survive with such low fees.

    1. nodata4u said on November 27, 2018 at 4:46 pm
      Reply

      They aren’t greedy, and only use the funds to survive and keep the project going. It’s the community that believes in open source software for everyone that keeps this project alive. The principle of the matter is we want security that isn’t used as a platform to collect data for marketing purposes and profit, and that can be trusted by the community as a whole. Bitwarden has the same core principles. It’s that simple. Just because they aren’t “maximizing profits” doesn’t mean they won’t survive. Why is that so hard to understand?

  7. Darren said on November 14, 2018 at 12:54 am
    Reply

    Just FYI for those interested – Bitwarden is a cloud-based password manager only. You need an account with them to use it.

    1. beemeup5 said on November 17, 2018 at 1:31 pm
      Reply

      This is incorrect. Bitwarden stores all encrypted data locally on the device. The account is for securely syncing the data so that if your device is lost or damaged you don’t lose access to all your accounts. By syncing the data you are essentially creating a backup which can be accessed through the API with your account credentials.

      The account used for syncing can be self-hosted on a local or remote machine you control, so it is not necessary to rely on or trust Bitwarden’s own servers if you do not wish to. Bitwarden provides all the instructions needed to set this up. By self-hosting, the company behind Bitwarden could disappear tomorrow and you would still be able to use Bitwarden as usual (although there would be no new updates).
