A security researcher has described what he argues is a vulnerability in a popular password manager, one that could allow for remote code execution.
The password manager in question is Bitwarden, and the issue resides in the firm’s desktop app, which routinely downloads updates and replaces its own code with them without any user intervention.
Jeffrey Paul, co-founder of Keyton.al, argues that the company’s developers could leverage its automatic updates to put a backdoor into every single installation of the password manager and steal all the passwords stored in every desktop user’s database.
In a post on GitHub, Paul elaborated on why he considers that Bitwarden grants its developers full remote code execution:
“The fact that, of all things, a password manager would grant FULL REMOTE CODE EXECUTION to its developers is insane. The very fact that you’d ship a feature like this implies you are in no way qualified to hold keys or authentication credentials that allow you to publish a new version that could, at your sole option, backdoor everyone’s installations and steal all the passwords of every single user of this software.”
Paul also makes the point that a third party could convince Bitwarden’s developers to add a backdoor to the company’s password manager. For instance, if someone had information on the developers, they could blackmail them into including a backdoor, or they could simply pay them to do so.
It’s a feature, not a vulnerability
Bitwarden’s password manager is not the only software that downloads and installs updates on its own; Windows 10 does the same with Windows Update. On the other hand, by giving users the ability to reject updates altogether, software makers could put them at risk, since updates are often the vehicle for patching vulnerabilities.
Bitwarden sees auto-updating of its applications as an important security component for the 99.9% of its user base that appreciates it. The company also states that there has never been a case where its auto-updates were compromised in any way.
Additionally, Bitwarden plans to add an option allowing users to toggle automatic updates on or off depending on their own preferences. At the same time, the company has committed to rigorous third-party auditing to ensure the security of its software and services.