Possible way for attackers to grab your master password?

I am concerned the problem is worse than anyone posting here has realized.

First:

It’s a bit worse for me. I created my account and (before entering key passwords) realized this was a flaw, so if I want a password that I know hasn’t been compromised, I have to create a new account. I created one assuming I’d change it when I was sure I’d be using Bitwarden.

Secondly, and more importantly:
Our browsers accept HTTPS certificates that are signed by ANY of dozens of root CAs (Certificate Authorities). From time to time, a CA messes up or is forced to issue a cert for an entity that already has a valid cert from another CA. Both have happened, on several occasions.

So I guessed a MITM attack would allow anyone to grab my Bitwarden master password too. There are hurdles to prevent this, like CAA (Certificate Authority Authorization), but under 9% of sites support it.

dig +short bitwarden.com CAA shows Bitwarden does support it. Whew! Unfortunate to see that this shortcoming still hasn’t been addressed.

Thirdly, and most importantly: this JavaScript vulnerability means that Bitwarden is vulnerable to a government-mandated attack, e.g. an NSL (National Security Letter). Bitwarden could be ordered to serve a particular user or IP or nation with a compromised version of the JavaScript at any time. The clients, by contrast, are open source and signed and relatively stable, so one can assume that if they ever weren’t properly built and signed and static, someone would notice and hopefully the media would report on it.

PS. Seriously? “Importing data to Bitwarden can only be done from the Web Vault.”

PPS. Good news. The documentation is wrong. The new CLI has bw import.

PPPS. Bad news. In order to enable 2FA: 1. Log in to your Web Vault.

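The post leans on CAA as the hurdle against a mis-issued certificate, so here is an added example (not from the post or from Bitwarden) showing how a CA is expected to evaluate CAA records under RFC 8659: parse `dig +short <name> CAA` lines, climb the name tree to the closest CAA set, then decide whether a given issuer domain may issue for a host or wildcard name. The zone data is constructed inline so it runs offline; CNAME handling is left out.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CAA:
    flags: int   # bit 7 (128) = issuer-critical
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # e.g. "letsencrypt.org; validationmethods=dns-01" or ";"

KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def parse_dig_line(line):
    """Parse one line of `dig +short <name> CAA` output, e.g. 0 issue "letsencrypt.org"."""
    flags, tag, value = line.strip().split(" ", 2)
    return CAA(int(flags), tag, value.strip('"'))

# Constructed sample zone (assumption: a real check would query DNS instead).
ZONE = {
    "example.com": [parse_dig_line('0 issue "letsencrypt.org"'),
                    parse_dig_line('0 issuewild ";"')],       # no wildcard certs at all
    "locked.example.org": [parse_dig_line('0 issue ";"')],      # nobody may issue
    "strict.example.net": [CAA(128, "unknowntag", "x"),          # unknown critical property
                           parse_dig_line('0 issue "digicert.com"')],
}

def relevant_rrset(fqdn):
    """Climb from fqdn towards the root and return the closest non-empty CAA RRset."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = ZONE.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def _issuer_domain(value):
    # The issuer domain is the part before the first ';'; an empty domain forbids issuance.
    return value.split(";", 1)[0].strip().lower()

def may_issue(ca_domain, fqdn):
    """True if a CA identified by ca_domain may issue for fqdn (host or '*.' wildcard)."""
    wildcard = fqdn.startswith("*.")
    rrset = relevant_rrset(fqdn[2:] if wildcard else fqdn)
    if not rrset:
        return True   # no CAA anywhere up the tree: issuance is unrestricted
    if any(r.flags & 128 and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False  # a critical property the CA does not understand: must refuse
    for tag in (["issuewild", "issue"] if wildcard else ["issue"]):
        relevant = [r for r in rrset if r.tag.lower() == tag]
        if relevant:  # issuewild overrides issue for wildcards; issue alone otherwise
            return any(_issuer_domain(r.value) == ca_domain.lower() for r in relevant)
    return True       # CAA present but no issue/issuewild property: unrestricted
```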