This is the first one. The Bitwarden desktop app grants full Remote Code Execution ability (RCE) to the Bitwarden developers via an unattended autoupdate mechanism that rewrites the local application code automatically on command from Bitwarden’s developers (usually performed in the case of a new version). This allows the Bitwarden developers, or anyone who can compromise the Bitwarden developers, or anyone who can coerce the Bitwarden developers (legally, like in the case of a demand from a national military, or illegally, like a kidnapper), to push a backdoored update version that would automatically compromise/upload 100% of the keys/passwords of every Bitwarden desktop user.
This is the second one. The default match detection on the browser extension is incorrect for the *.bitwarden.com domain, which means that your MASTER PASSWORD used on that same website, but at /bitwarden/web/issues/659
(This one isn’t linked because apparently new users can only put two hyperlinks in a post.)
I’m sneak, aka Jeffrey Paul, aka @sneakdotberlin on Twitter. I can be reached at [email protected] or via Signal at +1 312 361 0355 if anyone has any questions.
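The second point above concerns the browser extension's default URI match detection. The following is an added example, not code from this post and not Bitwarden's own implementation: it shows how the usual match-detection rules (exact, host, base domain, starts-with) decide whether a saved login is offered on a visited page, and why a base-domain default makes one saved entry apply to every subdomain. The vault entry and page URLs are constructed for illustration, and "base domain" is approximated by the last two labels of the hostname instead of a full public-suffix list.

```javascript
// Added example (not from the post, not Bitwarden's code).
// Match-detection strategies, modelled after the options a password-manager
// browser extension typically offers. Names and behaviour are assumptions.
const MatchType = {
  EXACT: 'exact',
  HOST: 'host',
  BASE_DOMAIN: 'baseDomain',
  STARTS_WITH: 'startsWith',
};

// Simplification: treat the last two labels as the registrable domain.
// A real implementation must consult the public-suffix list, otherwise
// "co.uk"-style suffixes are handled wrongly.
function baseDomain(hostname) {
  const labels = hostname.toLowerCase().split('.');
  return labels.slice(-2).join('.');
}

// Decide whether a login saved for `savedUri` should be offered on `visitedUrl`.
function uriMatches(savedUri, visitedUrl, matchType) {
  const saved = new URL(savedUri);
  const visited = new URL(visitedUrl);
  switch (matchType) {
    case MatchType.EXACT:
      // Full URL comparison, including path and fragment.
      return saved.href === visited.href;
    case MatchType.HOST:
      // Hostname plus port; other subdomains do not match.
      return saved.host === visited.host;
    case MatchType.BASE_DOMAIN:
      // Any subdomain of the same registrable domain matches.
      return baseDomain(saved.hostname) === baseDomain(visited.hostname);
    case MatchType.STARTS_WITH:
      return visited.href.startsWith(saved.href);
    default:
      throw new Error(`unknown match type: ${matchType}`);
  }
}

// Constructed vault entry: a login saved for the web vault.
const VAULT_ENTRY = {
  name: 'web vault (constructed)',
  uri: 'https://vault.bitwarden.com/',
  username: 'alice',
};

// Constructed pages the user might visit while the extension is unlocked.
const PAGES = [
  'https://vault.bitwarden.com/#/login',
  'https://help.bitwarden.com/article/',
  'https://community.bitwarden.com/t/123',
  'https://bitwarden.example.net/',
];

// Return the subset of pages on which the entry would be offered under a rule.
function offeredOn(entry, pages, matchType) {
  return pages.filter((page) => uriMatches(entry.uri, page, matchType));
}

// Stand-alone demonstration: compare the base-domain default with host matching.
for (const type of [MatchType.BASE_DOMAIN, MatchType.HOST]) {
  console.log(type, offeredOn(VAULT_ENTRY, PAGES, type));
}
```

Under base-domain matching the entry saved for vault.bitwarden.com is offered on every *.bitwarden.com page in the list; under host matching it is offered only on the vault host itself. Which rule is appropriate for a given site is a per-entry decision, and the safer choice for a vault login is the narrower one.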