Which Password Manager do you use in 2019?
<blockquote data-quote="vinylmeister" data-source="post: 795696" data-attributes="member: 33695"><p>Webinterface: The problem is that the encryption and decryption of the password database is done by JavaScript. JavaScript and security are two parameters that are mutually exclusive. You could perhaps overlook this, but not by integrating JavaScript code from other domains into the context of the highly sensitive environment.</p>
<p>The content security policy of the Bitwarden web interface is structured as follows:</p>
<pre><code>Content-Security-Policy:
default-src 'self';
script-src 'self' 'sha256-ryoU+5+IUZTuUyTElqkrQGBJXr1brEv6r2CA62WUw8w=' https://js.stripe.com https://js.braintreegateway.com https://www.paypalobjects.com;
style-src 'self' 'unsafe-inline' https://assets.braintreegateway.com https://*.paypal.com;
img-src 'self' data: https://icons.bitwarden.net https://*.paypal.com https://www.paypalobjects.com https://q.stripe.com https://haveibeenpwned.com https://www.gravatar.com;
child-src 'self' https://js.stripe.com https://assets.braintreegateway.com https://*.paypal.com https://*.duosecurity.com;
frame-src 'self' https://js.stripe.com https://assets.braintreegateway.com https://*.paypal.com https://*.duosecurity.com;
connect-src 'self' wss://notifications.bitwarden.com https://notifications.bitwarden.com https://cdn.bitwarden.net https://api.pwnedpasswords.com https://twofactorauth.org https://api.stripe.com https://www.paypal.com https://api.braintreegateway.com https://client-analytics.braintreegateway.com https://*.braintree-api.com;
object-src 'self' blob:;</code></pre>
<p>In particular, the script-src line is thought-provoking, since, among other things, the reloading of JavaScript from third-party sources is permitted. With each resource that Bitwarden integrates into the context of the web interface, the site enters into a trust relationship with the respective source or domain. This in turn also means that the actual control over the delivered resource lies solely with the third-party provider. If, however, the third-party provider is compromised or hacked in any way, this can possibly lead to the attacker modifying the resource to be delivered and, for example, malicious JavaScript code being delivered to the user instead of a harmless one.</p>
<p>Android app: The Android app (version 1.21.0) also includes three trackers:</p>
<ul><li>Google Analytics</li><li>Google Firebase Analytics</li><li>HockeyApp</li></ul>
<p>In a practical exam I was able to discover two of these trackers. Immediately after opening the app, data is transferred to Google Analytics and Google Firebase Analytics - regardless of whether the user has agreed or not. While Google Firebase Analytics might still be a failure to deactivate, the Google Analytics tracker was deliberately integrated. In an app context that manages such sensitive data as passwords, trackers have basically lost nothing - such "mistakes" are hard for me to understand. After all, tracking can be deactivated via the options.</p>
<p>Furthermore, I was a bit surprised that my master password obviously goes over the line - albeit in a somehow hashed format [POST Request]:</p>
<pre><code>grant_type=password
&username=XY
&password=DkSSVh%2FsNxf6s8qOIO5apW9mQzWit65H99TAZItZMps%3D
&scope=api+offline_access
&client_id=mobile
&DeviceType=Android
&DeviceIdentifier=02efaea0-6d37-4a51-b868-279eab44ab70
&DeviceName=Redmi+Note+4&DevicePushToken=</code></pre>
<p>Here I would have wished for a separation between authentication and the encryption of the password database. Maybe a master key or something similar is derived from the master password. You would have to have a closer look at the source code.</p>
<p>Source: <a href="https://www.kuketz-blog.de/bitwarden-schwaechen-bei-sicherheit-und-datenschutz/" target="_blank">Kuketz-Blog</a></p></blockquote>
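The script-src concern raised in the quoted post can be turned into a repeatable check. The following is an added example, not code from the post or from Bitwarden: it parses the quoted CSP header value into directives and lists, for each directive that can bring executable content into the page, every origin that is not first-party. The first-party suffixes and the choice of "executable" directives are assumptions made for this example.

```python
"""Audit which third-party origins a Content-Security-Policy lets run code in the page.
Added example, not code from the post or from Bitwarden. QUOTED_CSP is the header quoted
in the post (img-src and connect-src shortened); first-party suffixes are an assumption."""
from urllib.parse import urlparse

# Directives whose sources can bring code into the vault's UI; absent ones fall
# back to default-src (simplified from the spec's full fallback chain).
EXECUTABLE_DIRECTIVES = ("script-src", "child-src", "frame-src", "object-src")
KEYWORDS = {"'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'", "'strict-dynamic'"}
QUOTED_CSP = (
    "default-src 'self'; "
    "script-src 'self' 'sha256-ryoU+5+IUZTuUyTElqkrQGBJXr1brEv6r2CA62WUw8w=' "
    "https://js.stripe.com https://js.braintreegateway.com https://www.paypalobjects.com; "
    "style-src 'self' 'unsafe-inline' https://assets.braintreegateway.com https://*.paypal.com; "
    "img-src 'self' data: https://icons.bitwarden.net https://www.gravatar.com; "
    "child-src 'self' https://js.stripe.com https://*.paypal.com https://*.duosecurity.com; "
    "frame-src 'self' https://js.stripe.com https://*.paypal.com https://*.duosecurity.com; "
    "connect-src 'self' wss://notifications.bitwarden.com https://api.pwnedpasswords.com; "
    "object-src 'self' blob:;"
)

def parse_csp(header):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def host_of(source):
    """Hostname of a host-source; None for keywords, hashes, nonces and
    scheme-only sources such as data: or blob:."""
    if source in KEYWORDS or source.startswith(("'sha", "'nonce-")) or source.endswith(":"):
        return None
    return urlparse(source).hostname or source.lower()

def third_party_script_origins(policy, first_party=("bitwarden.com", "bitwarden.net")):
    """Map each executable directive to the third-party hosts it trusts: each one is an
    origin whose compromise could deliver script into the vault's page context."""
    report = {}
    for directive in EXECUTABLE_DIRECTIVES:
        sources = policy.get(directive, policy.get("default-src", []))
        hosts = {h for h in map(host_of, sources)
                 if h and not any(h == fp or h.endswith("." + fp) for fp in first_party)}
        if hosts:
            report[directive] = sorted(hosts)
    return report

if __name__ == "__main__":
    for directive, hosts in third_party_script_origins(parse_csp(QUOTED_CSP)).items():
        print(f"{directive}: {', '.join(hosts)}")
```

Run against the quoted header, the report shows the three payment-provider hosts trusted by script-src and the Stripe, PayPal and Duo hosts allowed to frame the vault; a policy whose executable directives contain only 'self', hashes and first-party hosts produces an empty report.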
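On the post's wish for a separation between authentication and encryption of the password database: the following added example shows one generic way to build that separation (an illustration, not a description of what Bitwarden actually does). The email used as salt, the b"auth" and b"enc" labels, the iteration counts and the server salt are all constructed for the example.

```python
"""Derive separate authentication and vault-encryption secrets from one master password.
Added example, not Bitwarden's code: the client stretches the master password into a
master key, then splits it into an encryption key (never sent) and an authentication
value (sent instead of the password). Salts, labels and iteration counts are constructed."""
import base64
import hashlib
import hmac

def derive_master_key(master_password: str, email: str, iterations: int = 100_000) -> bytes:
    """Client-side stretching; the lower-cased email acts as a per-user salt (constructed choice)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), email.lower().encode(), iterations)

def subkey(master_key: bytes, label: bytes) -> bytes:
    """Domain-separated child key, HMAC(master_key, label): different labels give
    independent keys, so revealing one reveals neither the other nor the master key."""
    return hmac.new(master_key, label, hashlib.sha256).digest()

def vault_encryption_key(master_key: bytes) -> bytes:
    """Key that protects the password database; it stays on the device."""
    return subkey(master_key, b"enc")

def client_login_field(master_key: bytes) -> str:
    """What the client puts in the password= form field: the auth subkey, base64-encoded.
    32 bytes encode to 44 characters, the same shape as the value in the quoted POST."""
    return base64.b64encode(subkey(master_key, b"auth")).decode()

def server_enroll(login_field: str, server_salt: bytes) -> bytes:
    """The server never stores the auth value itself, only a salted, stretched hash of it,
    so a leaked user table does not yield valid login values either."""
    return hashlib.pbkdf2_hmac("sha256", base64.b64decode(login_field), server_salt, 10_000)

def server_verify(stored: bytes, login_field: str, server_salt: bytes) -> bool:
    """Constant-time comparison of a presented login value against the stored record."""
    return hmac.compare_digest(stored, server_enroll(login_field, server_salt))
```

With this split, the value that crosses the wire is useful only for logging in, while the key that opens the vault is never transmitted; an attacker who captures or steals the login value still cannot decrypt the database.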