Possible security issue in Electron-based BitWarden clients


#1

Today I found this article demonstrating a vulnerability in the Electron framework that specifically uses the BitWarden client as the example. Are the BitWarden developers aware of this issue, and should it be a concern? I use the BitWarden Linux desktop client occasionally.


#2

I would also like to know more about how this may affect Bitwarden specifically. It seems to be an issue with the framework of Electron itself.


#3

In order to exploit this, the attacker would need admin rights on your computer or to trick you into installing malware to gain admin rights.

… in which case they can install software that logs all keys, auto-scans all input boxes, takes a live feed of your desktop and sends it to Russia. Whatever they want. Regardless of whether Bitwarden is Electron or not.

So while yes, Electron should try to fix issues like this… when the requirements an attacker must fill to exploit it includes “gain admin access”… the severity of the issue itself is lowered significantly.


#4

Not sure I would agree with that logic…for me it translates like this…

“as long as your machine is not compromised, then it’s ok to use our app that has a known vulnerability with the underlying framework”

This leaves the app user at risk, especially if they are not “security” savvy. More info is here:


#5
  1. It’s not my app, lol. This is a public forum, not help desk.
  2. You obviously have an incentive to play up the severity of this vulnerability.
  3. If the hacker replacing the asar file is such a huge vulnerability, why isn’t every app vulnerable in the same way just because the hacker could replace the exe itself?

Is it a vulnerability? Yeah, sure.

Is it a reason for users of Bitwarden to delete everything from their computer and run for the hills? No.

Is a Bitwarden user more vulnerable with the app using Electron than if it didn’t? No.

Should Electron fix the issue? Yes.

Should Bitwarden and its users update once the fix is out? Yes.