Beware of PMs offering you any downloads for bitwarden outside of official channels

I’ve received a PM today telling me about an autotype tool that I could use with Bitwarden. I just want to raise awareness that you should not download anything like that.
See message below.


I saw you in the thread; I didn’t think it was a bad thing… it is open source and I have express permission from Kyle Spearrin (Bitwarden creator).

I didn’t spam the message, I just sent it to 3 people (the ones invested). The source code is available in its totality (same as Bitwarden’s); the code is there and is completely safe…

This could’ve been communicated differently, with official support from Kyle in the forum. A message from an anonymous account asking me to download something does not appear trustworthy, and open source doesn’t automatically mean secure; I don’t have the time or skill to check your software either.
If it’s something that works, kudos to you, but I’ll still wait until it is added to Bitwarden officially.

The guy is pretty cool; the few times I had the pleasure of small interactions he was fun and caring. However, I don’t recall seeing him endorse other projects. He green-lights them but stops there, and there’s a point to that… he runs a business and I’m 100% with him on that.

And yes, you are completely right: open source doesn’t magically secure software, and not all people have the patience to go through 2000 lines of code. I guess it takes a leap of faith, like the billions of people installing browser extensions even though those are the most dangerous pieces of code right now. Simply count the billions of installs of all the password managers, and those are the people trusting their passwords to literally a sandbox that lets you run arbitrary code without major hiccups.

In fact I don’t use them unless I review the code, load them and manually inspect the updates… it is a hurdle, but one of the companies I worked for had terrible losses (I’m a Software Architect; that goes back 10-ish years).

I get your points and they are well thought out; I was just trying to give back a little… I do the same in many programming help forums, but I guess it is different telling people how to code than people trusting your code.

Have a good one, and it is nice to see people that think twice before jumping into the unknown.


Ah OK, I was worried at first, although when I looked at the repo it seemed more reassuring - I think it’s the name ‘anonymous’ that makes it a bit worrying too! :wink:

I guess it stopped being cool when the Anonymous group made people uneasy, but it has been my placeholder since I was a kid in the mid 90s and I wasn’t smart enough to come up with a cool nickname (so it was the default anonymous and my bday xD).

But yeah, given some time other developers will start to look at the code (it is an easy scripting language) and either like it or not. I started that because a friend asked me to look into it and I really like it. I still use pass because its design can outmatch absolutely any other password manager, but it is only as good as you are with CLIs and code (not user friendly, but I use it to automate Continuous Integration tasks and other boring stuff).

Right now just a handful of people got into the repo (~20-ish) and some of my family and friends. Since there isn’t anything in it for me I don’t mind… I just put some work in there and if it helps someone else, good (else it serves as coding examples for the AutoHotkey subreddit where I try to help).

Being a cautious user myself I don’t see why this escaped me; perhaps I didn’t perceive it as a threat as I am the one that wrote the code, but it is actually very good thinking by the OP (and an awful approach I took; guess I was excited after git gave me hell most of the night, not wanting to add the GPG signature verification to the tag but only to the commits, because I do value tightened security).

Anyway, the purpose of it was to learn, and I learned a lesson :smiley:


Haha, great reply :slight_smile: I’m a bit behind the curve so I’m just getting into git & GitHub now :nerd_face:

I wish more people were as vigilant as you. This turned out to be a false alarm, yet it seemed suspicious. Double-check and doubt everything you download, especially when someone told you to (mainly via e-mail scams).