Cloud to Self-host hack possible?


I noticed my vault was not syncing from PC app to Chrome extension. After looking at it and logging off and on the PC app, I noticed I was logging on with “Region: Self-hosted” selected. I logged out and selected “Region: US” and everything worked correctly. But it got me wondering of somehow I have been hacked. Is it possible to alter config files to point my Bitwarden PC app to a hackers server instead of the Bitwarden cloud servers? If so would my vault have been copied to the hackers server and available for them to access? Thank you for your time in answering this question. FYI I did submit this to support.


1 Like

This is an interesting thought. I would assume this is not possible considering that no unencrypted data is stored server-side and definetly isn’t transmitted without being encrypted first.

Thanks for your reply. But could they have captured my PW when I logged in to there server and then use that to gain access to my vault. I don’t think I am a great target but I do not want to loose anything I have possible given access to because it’s all I have. I have changed a few PWs so far but have many accounts that I do not want to change all of them.

Your master password is not transmitted to the server in a form that would allow someone to recover the password. It is transmitted in the form of a hash that is created on your local device, using PBKDF2 or Argon2id.

If someone really did manage hack your desktop app to make it connect to a malicious server, then they could do a downgrade attack to obtain a master password hash derived only using 5000 iterations of PBKDF2 (instead of whatever you actually have configured for your KDF) — this would reduce the amount of time required to crack your master password by increasing the cracking rate to around a million guesses per second (per GPU). Alternatively, if your 2FA is not FIDO2, they could use an AiTM scheme to obtain an encrypted copy of your vault. In the second scenario, they may also be able to steal a session token, but this is an area that I don’t understand sufficiently well to provide further information about.

Is there a way I can tell if this has appened? Once I changed the Region back to US, it has not reverted back to Self-host as of now. Is there a log, config file or registry entry I can check to see if something like this has appended?

The best thing you could do is run a malware scan. Chances are you’re fine but if you’re worried, it’s not a bad idea to regenerate encryption keys and make sure your kdf iterations are high, and maybe change your master pass. I personally keep my kdf at 1.2m

I did a couple of malware scans using different online scanners and realtime local AV software with no threats found. But I’m not sure the AV would be looking for config changes for Bitwarden. I also changed my kdf to 1.2 m as you have suggested. Not sure how that works but I trust it’s a better setting for keeping brut force attacks. Thank you Nathan and grb for your input! This is probably not the place for a suggestion but just looking for your opinion(s) on the following. To help lock this down as a possible threat, I would suggest having two different client side apps/extentions. One for if you are Self-hosting and another if you plan on using the regular cloud based option. This could be in the code to prevent someone from somehow changing that setting. I still don’t know how this happened and why I could see my vault (I guess a non-cloud synced vault) in the first place. If that is something not deemed necessary then maybe having the setting displayed at the top of the Bitwarden window. It could say “Bitwarden US Cloud Hosted or Bitwarden Self-hosted”. I don’t know how many times I logged into BW using Self-host as a Region, but having something very noticible at the top would probably have caught my attention sooner. But again having seperate client programs would make this a mute point. Thanks again!