Ensuring the integrity of Bitwarden software and extensions

As many know, Mega’s Chrome store was hacked in 2018, causing those with auto-updates enabled to download and run a malicious version of the Mega browser extension for Chrome: https://www.reddit.com/r/netsec/comments/9d8mm6/mega_chrome_extension_hacked_detailed_timeline_of/

How well hardened is Bitwarden from attacks like this? Every time we install Bitwarden software are we 100% ensured there are digital signatures being verified?

Hello, and Welcome to the community!

I am probably not answering your question, but I want to add to the discussion.

  1. Mega’s malicious extension was signed, although the signing appears to be done automatically on upload.
  2. Although Mega blamed Google, it was likely their account credentials / access that was compromised. (Phishing? Malware?)
  3. This is generally a supply-chain attack, in which your software vendor’s software delivery system is compromised. If your software auto-updates, it is automatically compromised.

I don’t think the way BW compiles code and uploads to the different software repositories is completely transparent. Signing the software helps, but the signing process itself can be compromised. I somehow doubt you can ever get close to 100% sure.

The “usual” easy way people take (to avoid supply-chain attacks) is to not auto-update some software and wait a while, watching the bug reports, online communities, and news outlets like a hawk, to see if it may be safe (still no guarantee) to update to the latest versions. This wouldn’t stop malicious updates to your other extensions (like Mega) from compromising your passwords, including Bitwarden’s, but may help mitigate an attack on BW delivery if you wait long enough.

The one supply-chain attack on a PWM I know of is Passwordstate: Passwordstate password manager hacked in supply chain attack. In that case, they found out pretty quickly because a security researcher happened to be looking at it. The one major supply-chain attack recently was on the company 3CX, which only one AV vendor flagged behaviorally right away; it only became apparent that it was compromised some (~3) weeks later.

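The reply above makes two points that are easy to conflate: a signature check on the client protects against tampering in transit, but it cannot protect you when the publisher’s upload credentials are stolen and the store signs whatever is uploaded (the Mega case). The following Go program is an added example written for this thread; it is not Bitwarden’s, Mega’s or any browser store’s code, and the page says nothing about how Bitwarden’s releases are actually signed. The Ed25519 key (derived from a fixed seed), the artifact bytes, the `version || artifact` digest format and the out-of-band checksum are all constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Release models what an update channel delivers: the artifact, its version
// string and a detached Ed25519 signature over sha256(version || 0x00 || artifact).
// (Constructed format for this example, not any real store's manifest.)
type Release struct {
	Version   string
	Artifact  []byte
	Signature []byte
}

// digest binds the version to the artifact so a validly signed old build
// cannot be replayed under a newer version number.
func digest(version string, artifact []byte) []byte {
	h := sha256.New()
	h.Write([]byte(version))
	h.Write([]byte{0})
	h.Write(artifact)
	return h.Sum(nil)
}

// Sign is the publisher/store side. Whoever holds priv (or can trigger
// "automatic signing on upload") produces releases that verify.
func Sign(priv ed25519.PrivateKey, version string, artifact []byte) Release {
	return Release{Version: version, Artifact: artifact,
		Signature: ed25519.Sign(priv, digest(version, artifact))}
}

var ErrBadSignature = errors.New("signature does not verify under the pinned publisher key")
var ErrHashMismatch = errors.New("artifact hash differs from the hash obtained out of band")

// VerifyRelease is the client side: signature under a pinned public key, plus
// an optional SHA-256 obtained through an independent channel (e.g. the
// developer's own site, a reproducible build you ran yourself). An empty
// knownHashHex skips that second check, which is what most auto-updaters do.
func VerifyRelease(pub ed25519.PublicKey, r Release, knownHashHex string) error {
	if !ed25519.Verify(pub, digest(r.Version, r.Artifact), r.Signature) {
		return ErrBadSignature
	}
	if knownHashHex != "" {
		sum := sha256.Sum256(r.Artifact)
		if hex.EncodeToString(sum[:]) != knownHashHex {
			return ErrHashMismatch
		}
	}
	return nil
}

// Scenarios runs the honest case and the three failure modes discussed in the
// thread and returns the verification result of each.
func Scenarios() (honestErr, tamperedErr, autoSignedErr, autoSignedWithPinErr error) {
	seed := bytes.Repeat([]byte{0x42}, ed25519.SeedSize) // constructed, deterministic demo key
	priv := ed25519.NewKeyFromSeed(seed)
	pub := priv.Public().(ed25519.PublicKey)

	honest := []byte("extension v2.1.0: honest build") // constructed artifact
	rel := Sign(priv, "2.1.0", honest)
	honestErr = VerifyRelease(pub, rel, "")

	// 1. Tampered in transit (CDN, mirror, MITM): the signature no longer matches.
	tampered := rel
	tampered.Artifact = append([]byte(nil), rel.Artifact...)
	tampered.Artifact[0] ^= 0xff
	tamperedErr = VerifyRelease(pub, tampered, "")

	// 2. Compromised publisher account: the attacker uploads a malicious build and
	//    the store signs it automatically. The client-side signature check passes.
	evil := []byte("extension v2.1.1: exfiltrate vault") // constructed malicious artifact
	evilRel := Sign(priv, "2.1.1", evil)
	autoSignedErr = VerifyRelease(pub, evilRel, "")

	// 3. Same upload, but the client also compares against the hash of the build
	//    the developer actually published through an independent channel.
	published := sha256.Sum256([]byte("extension v2.1.1: honest build"))
	autoSignedWithPinErr = VerifyRelease(pub, evilRel, hex.EncodeToString(published[:]))
	return
}

func main() {
	h, t, a, p := Scenarios()
	fmt.Println("honest release:               ", h)
	fmt.Println("tampered in transit:          ", t)
	fmt.Println("auto-signed malicious upload: ", a)
	fmt.Println("same, with out-of-band hash:  ", p)
}
```

Scenario 2 is the one the reply is warning about: the signature is genuine because the signing step ran on whatever was uploaded, so an auto-updater that only checks signatures installs the malicious build. Only something independent of the store’s pipeline (a hash from a second channel, a reproducible build, or simply waiting and watching reports before updating, as suggested above) distinguishes it from an honest release.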

Thank you. Very interesting. Currently I use only the uBlock Origin addon on my Firefox browsers. Have it set to auto-update, but maybe should turn that off. Also use the Bitwarden extension on my browsers and maybe should disable auto updates there as well.

I do hope the Bitwarden team is taking this topic seriously.