Recently came across the article at the following link:
Is this a concern with the Bitwarden Extension? Is there anything you can do to further secure it? How secure it is, really?
Thanks in advance!
TL;DR - The article brings up some good points that apply to all extensions, and most software. Limiting the number of extensions you use is wise. Make sure you get official software and not look-alike “sideloaded” software. Pray developer credentials are kept safe for all the software you use.
There will always be security concerns with any software. The “no extensions” idea at the end of the article may be more secure, but a little extreme for me (though I try to minimize the number of extensions I use). If you want to be strict with the “no extensions” idea, you could download/use the desktop app.
Depending on how they’re designed, browser extensions can have a lot, or limited access. You can view extension permissions the extension details/permissions. Bitwarden accesses some information for functionality, such as reading the URL to identify logins for the current tab, or to populate the URL when you’re creating a new site, as well as clipboard access to copy/paste information.
Bitwarden is open-source and regularly audited. So permissions/access can be reviewed by anyone willing to do the research. That’s helpful and highly doubtful they’d put nefarious code to collect user data or install ransomware or malware.
My concerns with using the extension would be the following:
- Make sure you download the official extension, and not a look-alike (malicious company pretending to be Bitwarden.) - What the article called sideloaded extensions.
- If Bitwarden company/employee credentials or keys to the extension store(s) were compromised, the malicious actor could push an updated extension version with altered code. - The article talked about this, “extensions can get hacked”.
Thanks for the highly informative and helpful response.
Is there anything else you can do to mitigate potential threats with extensions you do use? The only thing I can think of is restricting site access but that won’t be of much value unless the extension is site-specific.
Have you tried the desktop app? Do you think it’s generally more or less secure than the extension? I know every app and use case has its own threat surface but I lean towards desktop apps before extensions (in terms of security) as they may mitigate some MITM attacks (as I understand it).
I did read the link at https://bitwarden.com/help/getting-started-desktop/ but it wasn’t immediately clear if you could autofill in a similar fashion using the desktop app. I realize it’s a tradeoff but that is one feature I’ve become accustomed to.
Thanks again and I look forward to your response!
For some extensions I lock down to specific sites, or “on-click”. I don’t see myself doing that for Bitwarden.
I’ve used the desktop app. Desktop vs Extension will each have their strengths/weaknesses. I’m not personally worried about the security of either one.
I don’t know much about developing and publishing to an extension store to know how likely the official extension could be compromised. But, personally, I feel the inconvenience of searching/copying/pasting for every site (via the desktop app) I log into (vs the extensions autofill) would not outweigh the likelihood of the official Bitwarden extension getting corrupted.
For the desktop app, I’m only aware of copying to your clipboard, or viewing and typing, so if keyloggers are a concern that’s a potential draw-back of the desktop app where the extension can fill inputs on the page without touching the clipboard.