A security researcher has discovered a new vulnerability in a popular password manager that could allow for remote code execution.
The password manager in question is Bitwarden and the vulnerability resides in the company’s desktop app which automatically downloads updates and replaces its own code with these updates without user intervention.
Co-founder of Keytern.al Jeffrey Paul argues that the company’s developers could leverage its automatic updates to install backdoors into every single installation of the password manager and steal all of the passwords stored in every desktop user’s database.
In a post on GitHub, Jeffrey Paul provided further insight into the fact that Bitwarden would grant its developers full remote code execution, saying:
“The fact that, of all things, a password manager would grant FULL REMOTE CODE EXECUTION to its developers is insane. The very fact that you would ship a feature like this means you are in no way qualified to hold keys or authentication credentials that allow you to publish a new version that could, at your sole option, backdoor everyone’s installations and steal all the passwords of every single user of this software.”
Paul also makes the point that a third party could convince Bitwarden’s developers to add a backdoor to the company’s password manager. For instance, if someone had information on the developers, they could blackmail them into adding a backdoor or they could even pay them to do so as well.
It’s a feature not a vulnerability
Bitwarden’s password manager isn’t the only software that downloads and installs updates on its own as Windows 10 does this as well for Windows Updates. However, by giving users the ability to reject updates all together, software makers could put them at risk as updates are often used to patch vulnerabilities.
TechRadar Pro reached out Bitwarden regarding Jeffrey Paul’s post on GitHub and a company spokesperson explained that it does not view the way its software handles updates as a vulnerability but rather as the way in which modern applications keep their large user bases up to date with the latest and most secure software in the simplest and fastest way.
Bitwarden sees auto-updating of its applications as a critical security component for the 99.9 percent of its user base that appreciates them. There has also never been a case where its auto-updates have been compromised in any way.
Additionally, Bitwarden plans to add an auto-update option where users can toggle automatic updates on or off depending on their own preferences. At the same time, the company has committed to rigorous third party auditing to ensure the security of its software and services.