Bitwarden leaks passwords to sub domains

jackuars

I'm glad I remember the combination to more than 50+ websites with an easy to remember distinct strong password for each one of them.
 

ForgottenSeer 85179

I use KeepassXC over the original only because of integrated TOTP. I think there are TOTP plugins but I don't know which one to use. I guess there's always WinAuth but that's an archived project. I just hate using my phone for 2FA.
This isn't 2FA then.

No matter if you use a plugin for KeePass or a 2FA program/app for PC (from e.g. the Windows Store).
If you use the same device on which you save your passwords, that isn't by definition a second factor. So if you don't like using your phone for that, you can use a hardware token, which is the best solution anyway.
 

ErzCrz

This isn't 2FA then.

No matter if you use a plugin for KeePass or a 2FA program/app for PC (from e.g. the Windows Store).
If you use the same device on which you save your passwords, that isn't by definition a second factor. So if you don't like using your phone for that, you can use a hardware token, which is the best solution anyway.

Thanks for clarification. May have to look into hardware token at some point then.
 

SpiderWeb

So Bitwarden changed the default match detection from domain to host because of one paranoid blogger.

The problem is that host does not discriminate between http:// and https://.

Or maybe this is just a bad example in the documentation? The upside is that you can restrict to a port, which is powerful.

I can see how it can be dangerous when someone is running a script that records input before you press send on a subdomain like a custom website or blog. But many more people will flood reddit, Github and support because their passwords saved for google.com no longer autofill on accounts.google.com and next time Google might change the login to google.com/accounts.

But I see a silver lining here. Maybe it will force people to learn to lock down their password managers and double check their URIs! As a general rule do not use autofill much less auto-login until you are confident that you understand how your password manager works and you have it locked down. Bitwarden allows you to set up auto-login individually. Your password manager only helps you remember your long passwords. It's not there to think for you. (y)
 

PotentialUser

This has me slightly worried; can someone confirm for me this particular issue doesn’t affect me? I’m not very tech-savvy so not sure how to read that GitHub stuff.

Here is how I use BitWarden:

I don’t use any kind of auto-fill, auto-login, or auto-anything. I don’t enter URLs or URIs along with the user/pass of each login.

Every time I create a login in BitWarden for a new account, I only enter the name, username, password, and maybe some additional information in the Notes section. Nothing else.

So yes, I have to manually copy and paste both my username and password every time I want to log into a website.

Am I still affected by this?
 

Gandalf_The_Grey

Another potential issue arises:
Popular password manager could have a critical vulnerability
Researcher argues auto-updates could allow for remote code execution

A security researcher has discovered a new vulnerability in a popular password manager that could allow for remote code execution.

The password manager in question is Bitwarden and the vulnerability resides in the company's desktop app which automatically downloads updates and replaces its own code with these updates without user intervention.

Co-founder of Keytern.al Jeffrey Paul argues that the company's developers could leverage its automatic updates to install backdoors into every single installation of the password manager and steal all of the passwords stored in every desktop user's database.
 

Soulbound

Looks like it's "let's bash on Bitwarden" week.
But to be honest, this is pure BS, as it applies to the majority of the software we have installed that updates automatically.
There's been interesting discussion, and it seems most use online password managers for quality of life, from my understanding.

I have to agree: syncing my KeePass/KeePassXC database can sometimes be a pain if I want to check it on my phone.

Also, don't worry, ESET was also a bash target this week.
 

ForgottenSeer 72227

Another potential issue arises:


To be fair, I guess this would be considered a major vulnerability in Windows too? I think this is a little overreaching. While possible, a huge swath of software has auto updates. Personally, I think these "researchers" are just looking to get their names out there. If anything, auto updates have been touted as a way to stay secure, as security updates can be applied automatically. In all honesty, how many people would go out of their way to check for updates manually? Not very many.
 

TairikuOkami

To be fair, I guess this would be considered a major vulnerability in Windows too?
Windows updates are being downloaded via an insecure connection, but they are digitally signed and UAC verifies certificates online when they are run.
Not sure how Bitwarden verifies its updates once downloaded, whether it trusts them blindly, just like CCleaner did, or at least checks hashes as AMD does.
 

ForgottenSeer 72227

Windows updates are being downloaded via an insecure connection, but they are digitally signed and UAC verifies certificates online when they are run.
Not sure how Bitwarden verifies its updates once downloaded, whether it trusts them blindly, just like CCleaner did, or at least checks hashes as AMD does.

That is very true!

The way I was reading the post from that individual was that he's against auto update in general because he fears the Bitwarden devs can change code and steal his passwords. Bitwarden for sure can improve the way they do their auto updates to make them more secure, not arguing that. However, the fact remains that with auto updates any dev can change something, no matter if the updates are signed and/or delivered via HTTPS. As long as the dev is still working for the company, they still have access to the update servers and tools to do so, if they so choose. ;)
 
