Security: Bitwarden Desktop app grants RCE to Bitwarden developers. · Issue #552 · bitwarden/desktop · GitHub
This is the first one. The Bitwarden desktop app grants full Remote Code Execution ability (RCE) to the Bitwarden developers via an unattended autoupdate mechanism that rewrites the local application code automatically on command from Bitwarden’s developers (usually performed in the case of a new version). This allows the Bitwarden developers, or anyone who can compromise the Bitwarden developers, or anyone who can coerce the Bitwarden developers (legally, like in the case of a demand from a national military, or illegally, like a kidnapper), to push a backdoored update version that would automatically compromise/upload 100% of the keys/passwords of every Bitwarden desktop user.
Security: Bitwarden's default match detection leaks client passphrase to community.bitwarden.com javascript · Issue #1396 · bitwarden/clients · GitHub
This is the second one. The default match detection on the browser extension is incorrect for the *.bitwarden.com domain, which means that your MASTER PASSWORD used on vault.bitwarden.com is leaked to the (relatively insecure) JavaScript application running this instance of Discourse for the web forum at community.bitwarden.com. It attempts to autocomplete because the second-level domain is the same, allowing all of the JavaScript running on this app (Discourse) to potentially read/steal/upload your master password.
The third is on that same website, at /bitwarden/web/issues/659 (this one isn’t linked because apparently new users can only put two hyperlinks in a post).
The third is an issue with the Vault web application. The Content Security Policy (CSP) provided by the server grants three third-party organizations (PayPal, Stripe, and Braintree) the ability to potentially backdoor the application’s JavaScript (entirely at the sole option of those three services), again potentially leaking/stealing your master passphrase or every password to every site in your database.
This means that any attacker that can control those domains, or otherwise compel/coerce those domains to serve modified javascript, can steal all of your passwords.
Reported By
I’m sneak, aka Jeffrey Paul, aka @sneakdotberlin on Twitter. I can be reached at [email protected] or via Signal at +1 312 361 0355 if anyone has any questions.
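The following is an added example, not code from the post above or from Bitwarden. It illustrates the second and third issues: why a login saved for vault.bitwarden.com is offered on community.bitwarden.com under "base domain" matching but not under "host" matching, and a check that lists the `script-src` sources in a CSP header that belong to a different site than the page (anything there can run scripts in the page's origin). The `KNOWN_SUFFIXES` table is a toy stand-in for the Public Suffix List, the `MatchMode` names are ours, and `SAMPLE_CSP` and the Stripe/PayPal/Braintree hostnames in it are constructed for the demo, not the Vault's real header.

```javascript
// Added example, not Bitwarden's code: (1) "base domain" vs "host" URI
// matching for autofill decisions, and (2) a check that lists third-party
// script sources permitted by a Content Security Policy header.

// Toy public-suffix table for the demo (assumption). A real client consults
// the full Public Suffix List; anything not listed is treated as a one-label TLD.
const KNOWN_SUFFIXES = new Set(["com", "org", "net", "co.uk"]);

function hostOf(url) {
  return new URL(url).hostname.toLowerCase();
}

// Registrable ("base") domain: the public suffix plus one more label, so
// vault.bitwarden.com and community.bitwarden.com both reduce to bitwarden.com.
function baseDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    if (KNOWN_SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? host : labels.slice(i - 1).join(".");
    }
  }
  return labels.slice(-2).join(".");
}

// Match modes as a password manager might offer them (names are ours).
const MatchMode = Object.freeze({ BASE_DOMAIN: "baseDomain", HOST: "host" });

// Would the login saved for savedUri be offered for autofill on pageUrl?
function uriMatches(savedUri, pageUrl, mode) {
  if (mode === MatchMode.BASE_DOMAIN) {
    return baseDomain(hostOf(savedUri)) === baseDomain(hostOf(pageUrl));
  }
  if (mode === MatchMode.HOST) {
    return hostOf(savedUri) === hostOf(pageUrl);
  }
  throw new Error("unknown match mode: " + mode);
}

// Return the script-src (or, if absent, default-src) sources whose base
// domain differs from the page's, plus "*" and scheme-only sources such as
// "https:", which admit arbitrary hosts. Scripts from any of these execute in
// the page's origin and can read whatever the page can, including a master
// password typed into a form.
function thirdPartyScriptSources(cspHeader, pageUrl) {
  const directives = cspHeader.split(";").map((d) => d.trim()).filter(Boolean);
  const directive =
    directives.find((d) => /^script-src(\s|$)/i.test(d)) ||
    directives.find((d) => /^default-src(\s|$)/i.test(d));
  if (!directive) return [];
  const pageBase = baseDomain(hostOf(pageUrl));
  return directive.split(/\s+/).slice(1).filter((src) => {
    if (src.startsWith("'")) return false; // 'self', 'nonce-...', 'sha256-...'
    if (src === "*" || /^[a-z][a-z0-9+.-]*:$/i.test(src)) return true; // "*", "https:", "data:"
    // Strip scheme, port and path; a leading "*." wildcard is still one site.
    const host = src.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "").split(/[/:]/)[0];
    return baseDomain(host.replace(/^\*\./, "")) !== pageBase;
  });
}

// Constructed sample values mirroring the scenario in the post; the header is
// illustrative and is not the Vault's real CSP.
const SAVED_URI = "https://vault.bitwarden.com";
const FORUM_URL = "https://community.bitwarden.com/t/some-thread/123";
const SAMPLE_CSP =
  "default-src 'self'; " +
  "script-src 'self' https://js.stripe.com https://*.paypal.com https://js.braintreegateway.com; " +
  "style-src 'self' 'unsafe-inline'";

console.log("base-domain match:", uriMatches(SAVED_URI, FORUM_URL, MatchMode.BASE_DOMAIN));
console.log("host match:       ", uriMatches(SAVED_URI, FORUM_URL, MatchMode.HOST));
console.log("third-party script sources:", thirdPartyScriptSources(SAMPLE_CSP, SAVED_URI));
```

Switching the saved login's match detection to the host mode is what makes `uriMatches` return false for the forum page while still matching the vault itself. The CSP check is meant to be run against the header actually served by the page under review; every token it reports is a host whose operator (or whoever compromises it) can serve script that the browser will execute with full access to the page's DOM.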