Bitwarden is a popular choice when it comes to password managers; it is open source, programs are available for all major desktop operating systems, the Android and iOS mobile platforms, the Web, as browser extensions, and even the command line.
Cure53 was hired to "perform white box penetration testing, source code auditing, and a cryptographic analysis of the Bitwarden ecosystem of applications and associated code libraries".
Bitwarden released a PDF document that highlights the findings of the security company during the audit and the company's response.
The research team uncovered several vulnerabilities and issues in Bitwarden. Bitwarden made changes to its software to address pressing issues immediately; the company changed how login URIs work by limiting the allowed protocols.
The company implemented a whitelist that, at the time of writing, allows only the schemes https, ssh, http, ftp, sftp, irc, and chrome, and blocks other schemes such as file.
The four remaining vulnerabilities that the research team found during the audit did not require immediate action according to Bitwarden's analysis of the issues.
The researchers criticized the application's lax master password rule of accepting any master password provided that it is at least eight characters in length. Bitwarden plans to introduce password strength checks and notifications in future versions to encourage users to select master passwords that are stronger and not easily broken.
Two of the issues require a compromised system: Bitwarden does not change encryption keys when a user changes the master password, and a compromised API server could be used to steal encryption keys. Bitwarden can also be self-hosted on infrastructure owned by the individual user or company.
The final issue was discovered in the handling of Bitwarden's autofill functionality on sites that use embedded iframes. The autofill functionality checks only the top-level address and not the URL used by embedded iframes. Malicious actors could therefore use embedded iframes on legitimate sites to steal autofill data.
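The two client-side checks described above, the login URI scheme whitelist and the autofill origin check, as an added example in JavaScript. This is not Bitwarden's code; the function names, the origin-comparison logic and the sample URLs (bank.example, ads.example) are constructed for illustration. The scheme list is the one the article quotes.

```javascript
// Added example, not Bitwarden's implementation: two defender-side checks
// corresponding to the audit findings above.

// Scheme whitelist as stated in the article. Anything else (file:, data:, ...)
// is rejected before a login URI is stored or launched.
const ALLOWED_SCHEMES = new Set(["https", "ssh", "http", "ftp", "sftp", "irc", "chrome"]);

// Returns true only if `uri` parses and its scheme is on the whitelist.
function isAllowedLoginUri(uri) {
  let parsed;
  try {
    parsed = new URL(uri);
  } catch (e) {
    return false; // unparseable input is never launched
  }
  const scheme = parsed.protocol.replace(/:$/, "").toLowerCase();
  return ALLOWED_SCHEMES.has(scheme);
}

// Origin of a URL, or null when the URL does not parse or has no meaningful
// origin (non-special schemes such as ssh: yield the string "null" in WHATWG URL).
function originOf(url) {
  try {
    const origin = new URL(url).origin;
    return origin === "null" ? null : origin;
  } catch (e) {
    return null;
  }
}

// The weak form the audit describes: only the top-level page is compared with
// the saved login URI, so credentials are filled into any embedded iframe.
function weakAutofillAllowed(savedUri, topLevelUrl, frameUrl) {
  const saved = originOf(savedUri);
  return saved !== null && saved === originOf(topLevelUrl); // frameUrl is ignored
}

// Hardened form: the frame that actually receives the credentials must match
// the saved URI's origin, in addition to the top-level page.
function hardenedAutofillAllowed(savedUri, topLevelUrl, frameUrl) {
  const saved = originOf(savedUri);
  if (saved === null) return false;
  return saved === originOf(topLevelUrl) && saved === originOf(frameUrl);
}

// Constructed sample: a legitimate page embedding a third-party iframe.
const SAVED = "https://bank.example/login";
const TOP = "https://bank.example/account";
const THIRD_PARTY_FRAME = "https://ads.example/widget";
const SAME_SITE_FRAME = "https://bank.example/embedded-login";

if (typeof require !== "undefined" && require.main === module) {
  console.log("file: allowed?", isAllowedLoginUri("file:///tmp/example"));      // false
  console.log("https allowed?", isAllowedLoginUri("https://bank.example"));     // true
  console.log("weak, third-party frame:", weakAutofillAllowed(SAVED, TOP, THIRD_PARTY_FRAME));         // true
  console.log("hardened, third-party frame:", hardenedAutofillAllowed(SAVED, TOP, THIRD_PARTY_FRAME)); // false
  console.log("hardened, same-site frame:", hardenedAutofillAllowed(SAVED, TOP, SAME_SITE_FRAME));     // true
}
```

The hardened check is deliberately conservative: a frame whose origin cannot be determined is treated as a mismatch, so a fill never happens by default in the ambiguous case.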
Now You: Which password manager do you use, and why?
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.