Question of fundamental security

Is it known whether these issues have been resolved? The question of the “never forget” feature and the use of “third-party domains” are my only reservations about Bitwarden. Otherwise love its simplicity and open source format.

The never forget issue was resolved several months ago within 24 hours of the user reporting the problem: https://blog.bitwarden.com/chrome-extension-version-1-24-security-fix-1ce700aeccf6


Great! Thanks for the link. What are your thoughts on security concerns over third party resources as referenced in the second article I linked to?

From the article:

  • “In my opinion, no external resources should be loaded from any third-party domains inside a high-risk high-security environment like a password manager.”

  • “Including any third-party content is a potential avenue for malicious actors to get into the password vault. I can’t see any strong reason why any of these companies should be able to execute code inside the password vault. They’re all well-established service providers and it’s not very likely that they’ll lose control over their domains. However, it’s an unnecessary risk factor and frankly their inclusion also seems entirely unnecessary.”

Is this practice something Bitwarden is considering changing?

P.S. @kspearrin, thank you for all your hard work and diligence with the creation and maintenance of Bitwarden. It’s an amazing service. I’d just like to hear all perspectives, quell my concerns, and cover my bases as a technical rookie.


v2.0 of the web vault now only loads third party script on-demand, such as when you view a payment page. https://github.com/bitwarden/web/issues/217
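To make the on-demand pattern from the reply above concrete, here is an added example of a route-gated third-party script loader. It is illustrative code written for this thread, not Bitwarden's web vault code, and every origin, path, route name and hash in it is a placeholder. The point it adds to the discussion is that loading a provider's script only on the page that needs it should be paired with an origin allowlist and a pinned Subresource Integrity hash, so that a provider losing control of its domain or CDN cannot push different code into the vault even on the one route where its script is allowed.

```javascript
// Added example (not Bitwarden's code): load a third-party script only when the
// route that needs it is shown, restricted to an allowlisted origin and pinned
// with an SRI hash. All hosts, paths, routes and hash values are placeholders.

const ALLOWED_SCRIPT_ORIGINS = new Set([
  "https://js.example-payments.test", // placeholder payment-provider origin
]);

const THIRD_PARTY_SCRIPTS = {
  payments: {
    src: "https://js.example-payments.test/v1/checkout.js", // placeholder URL
    // Placeholder value; a real one is "sha384-" + base64(SHA-384 of the exact file).
    integrity: "sha384-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
  },
};

// Only the routes listed here ever trigger a third-party load.
const ROUTE_SCRIPTS = {
  "/settings/billing": ["payments"], // placeholder route for the payment page
};

// Throws unless the script's origin is on the allowlist; returns the origin.
function assertAllowedOrigin(src) {
  const origin = new URL(src).origin;
  if (!ALLOWED_SCRIPT_ORIGINS.has(origin)) {
    throw new Error(`refusing to load script from unlisted origin ${origin}`);
  }
  return origin;
}

// `doc` is the DOM document (or a stand-in, see fakeDocument below).
function createScriptLoader(doc) {
  const loaded = new Set();

  // Appends the named script once; returns true if it was appended now.
  function load(name) {
    const spec = THIRD_PARTY_SCRIPTS[name];
    if (!spec) throw new Error(`unknown script ${name}`);
    if (loaded.has(name)) return false;
    assertAllowedOrigin(spec.src);
    const el = doc.createElement("script");
    el.src = spec.src;
    el.integrity = spec.integrity;   // browser rejects the file if its hash differs
    el.crossOrigin = "anonymous";    // required for SRI checks on cross-origin scripts
    el.async = true;
    doc.head.appendChild(el);
    loaded.add(name);
    return true;
  }

  return {
    // Call on every route change; returns the names of scripts appended now.
    onRouteChange(path) {
      const names = ROUTE_SCRIPTS[path] || [];
      return names.filter(load);
    },
    loadedScripts() {
      return [...loaded];
    },
  };
}

// Minimal stand-in for `document` so the example also runs outside a browser.
function fakeDocument() {
  const head = {
    children: [],
    appendChild(el) { this.children.push(el); },
  };
  return {
    head,
    createElement(tag) { return { tagName: tag.toUpperCase() }; },
  };
}

// Demo: nothing is loaded on the vault route, the payment script is appended
// once on the billing route, and a second visit appends nothing.
const demoDoc = fakeDocument();
const demoLoader = createScriptLoader(demoDoc);
console.log(demoLoader.onRouteChange("/vault"));            // []
console.log(demoLoader.onRouteChange("/settings/billing")); // ["payments"]
console.log(demoLoader.onRouteChange("/settings/billing")); // []
console.log(demoDoc.head.children.length);                  // 1
```

In a real deployment the same origin list belongs in the page's Content-Security-Policy `script-src` directive as well, so that even a bug in the loader cannot fetch script from anywhere else.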