Bitwarden URL shortener not working

tam481 · November 11, 2023, 11:05pm

Hello,

https://go.btwrdn.co/bw-sh-version

no longer works. Nor does https://go.btwrdn.co/bw-sh

Is this a temporary issue or a permanent change?

Thanks in advance

grb · November 12, 2023, 12:30am

Personally, I would not use any links to the btwrdn.co domain, as there is no way to verify whether this is an official Bitwarden-owned resource. That domain name is registered at Namecheap.com and all contact information for the registrant has been anonymized. Thus, we have no idea who is controlling those URLs.

Nonetheless, analyzing the linked URLs using virustotal.com reveals that the second URL (https://go.btwrdn.co/bw-sh) resolves to the following URL:

https://objects.githubusercontent.com/github-production-release-asset-2e65be/445231119/db411c29-8916-4484-aa8a-e01d69f51039?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A/20231012/us-east-1/s3/aws4_request&X-Amz-Date=20231012T144228Z&X-Amz-Expires=300&X-Amz-Signature=dafa7d99be4526cb320422434049780158e790e5a7a83d11ff0b134a585b4b28&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=445231119&response-content-disposition=attachment;%20filename=bitwarden.sh&response-content-type=application/octet-stream

This URL contains a reference to GitHub Repo ID 445231119, which in fact corresponds to https://github.com/bitwarden/self-host. The URL also contains a reference to the filename bitwarden.sh, which is one of the assets included in each release of the bitwarden/self-host repository.

Therefore, I would suggest using the GitHub direct download link for the latest release from this repository, which is:

https://github.com/bitwarden/self-host/archive/refs/heads/master.zip

Alternatively, download just the bitwarden.sh file from the latest release at this link:

DoctorB · November 12, 2023, 7:06pm

Here in Jan 2023, a BitWarden member (@vgrassia ) says it is official.
He may know why it isn’t working.

github.com/bitwarden/server

Use of btwrdn.co for setup script on Self Hosted Install

opened 02:40AM - 20 Jan 23 UTC

closed 06:41PM - 24 Jan 23 UTC

TastyDigits

bug

### Steps To Reproduce Setup requests the following: curl -s -o bitwarden.s…h \ https://raw.githubusercontent.com/bitwarden/server/master/scripts/bitwarden.sh \ && chmod +x bitwarden.sh ./bitwarden.sh install ./bitwarden.sh start The script (/scripts/bitwarden.sh) is just a stub and actually fetches the setup script form domain "go.btwrdn.co/bw-sh" BITWARDEN_SCRIPT_URL="https://go.btwrdn.co/bw-sh" ### Expected Result The entirety of the script for setup, which can be fetched from the domain in question, should be hosted on Github and not an external host. ### Actual Result The owner of the domain 'btwrdn.co' could very easily respond with a modified setup script. Not that the owner (I assume @vgrassia ?) has any intention, but the supply chain attack is very real. It could be targeted by public IP address for example and may be ran with high privileges on what will become a very sensitive system. I see no reason why the entire script contents cannot be hosted on Github instead of just the 'stub' and relying on this outside host. The manual installation guide on bitwarden.com does not use this 'rapid install' method and may be more appropriate for a secure system. ### Screenshots or Videos _No response_ ### Additional Context I looked at registering this as a MITM potential on HackerOne and noticed that this host (btwrdn.co) is not part of the in-scope assets. I hope this is just an oversight. ### Build Version All ### Environment Self-Hosted ### Environment Details _No response_ ### Issue Tracking Info - [X] I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.

grb · November 12, 2023, 7:29pm

Thanks for the pointer. Nonetheless, I agree with the OP in the GitHub issue that you linked (@TastyDigits), that this is a security vulnerability.

Since the owner of the btwrdn.co domain has been anonymized by the registrar, it is impossible to determine whether a malicious actor has taken over that domain.

In my opinion, Bitwarden should not use DNS anonymization features for the domains they own. In addition, they should eschew budget registrars like Namecheap, which have a bad reputation for hosting clients that engage in spam and worse.

vgrassia · November 13, 2023, 6:21pm

The links stopped working due to the name servers for the domain being set back to Namecheap mistakenly. They have been updated to point to Cloudflare again and should be working in the next half hour or so.

I will bring up the domain privacy records concern to the team.