Are you using a secure password manager? Find out why Bitwarden passed its annual audit with flying colors
Bitwarden, maker of the password management solution, has published the results of two third-party security audits. Two different security companies were tasked by Bitwarden to "reinforce Bitwarden security and help customers comply with enterprise security requirements".
Bitwarden added support for Argon2 KDF recently to its products and also passwordless web vault logins.
In May 2022, Bitwarden asked the cybersecurity experts at Cure53 to perform penetration testing and "develop a detailed and encompassing security assessment across Bitwarden IPs, servers, and web
Cure53 found no critical or important issues during the analysis of Bitwarden's network and infrastructure. The security researchers did find four issues; two of them received a low security threat rating, the other two an informational rating only.
Cure53 concluded that Bitwarden "exhibits a strong security foundation with zero exploitable
vulnerabilities found". Three of the four issues that the security researchers discovered during the audit have been addressed by now, the fourth is under investigation.
Here is the list of issues discovered during the audit:
- The API web server exposed its host origin at Azure "through a response cookie set under certain requests". A potential attacker, who needed knowledge of the origin domain of the web server, could potentially bypass protections, like those provided by Cloudflare.
- Bitwarden's icon service, hosted at icons.bitwarden.net, had its host IP addressed of the Kubernetes cluster exposed through an alternative service, which could also lead to protection bypasses during attacks.
- Brute-force attacks on two-factor authentications are not effective due to rate limits. Attackers with access to a large set of proxies could overcome this protection. Bitwarden introduced a captcha challenge to address this once a certain number of failed login attempts is noted.
- Bitwarden did not implement "some of the newer security headers, such as "Cross-Origin Resource Policy (CORP), Cross-Origin Opener Policy (COOP), Cross-Origin Embedder
Policy (COEP)". Bitwarden is investigating the impact that these headers have currently.
The second audit, also conducted by Cure53, included penetration testing and a source code audit against "all Bitwarden password manager software components and aspect".
Cure53 found no critical vulnerabilities. A total of 7 issues were found during the audit, with the majority information in nature. Two of the issues were rated high by Cure53.
Here is the list of issues discovered during the audit, the first two are the ones rated high:
- An issue was detected that could allow arbitrary redirects under very specific circumstances under the Bitwarden domain. Bitwarden addressed the issue through the use of Content-Security Policy on the affected webpage.
- The Bitwarden Electron desktop application lacked "a number of general Electron application security recommendations".
- A client-side traversal bug was found in a page.
- Testing an issue reported earlier to Bitwarden confirmed that the implemented fix was incomplete.
- The access code for the email login uses non-constant string comparison, which could be exploited, but with difficulties.
- Lack of Cross-Origin-Related HTTP security headers.
The two audits are linked on the official Bitwarden blog.
The 2021 Bitwarden audits
The 2021 audits of Bitwarden services and infrastructure were carried out by Cure53 and Insight Risk Consulting. The latter audited Bitwarden's network perimeter, did penetration testing and vulnerability assessments against services and applications.
The company found three issues, none critical. Two were fixed, one was considered a false positive.
The Cure53 audit of 2021 included penetration testing and an audit of the source code. The company found 25 issues, including one critical issue that was addressed immediately by Bitwarden. An additional 15 issues were fixed during the assignment, and several more after the assessment ended.
Audit reports are provided on the linked blog post above.
No critical issues were discovered during the two audits. Two security issues that Cure53 rated high were discovered during the source code audit and penetration testing. These were fixed quickly by Bitwarden and the third-party HubSpot. All other issues were either rated low or informational only.
Bitwarden passed the audits with flying colors, considering that all products and services were under scrutiny by security experts. The company plans to continue hiring security companies to analyse its security to "uphold high cybersecurity standards".
Now You: are you a Bitwarden user?
This is good news. This security audit news, along with a newer longer memorable password that is stored only in my memory, Argon2, and three sets of Yubikeys added to my account should seal any leaks. Who can hack my account now?
I moved to BitWarden from LastPass due to the terrible way they handled the compromises they had last year.
I made the migration a few years back when I realized the LastPass extension for Firefox made it insanely slow to do anything. It didn’t matter if it was enabled or not. Just having it installed caused the issue. It happened in Chrome too but not quite as bad. It also got worse the longer the browser ran. When I realized it was the extension it bugged me because I had that issue for years…..
Then after I made the switch all these breaches started happening…. Oooooooof.
Great! I’m curious, if LastPass management is reading about this if they’ll understand the words ‘security’ and ‘audit’.