
Bitwarden passes annual security audit with flying colors

Bitwarden, maker of the password management solution, has published the results of two third-party security audits. Two different security companies were tasked by Bitwarden to “reinforce Bitwarden security and help customers comply with enterprise security requirements”.

Bitwarden added support for Argon2 KDF recently to its products and also passwordless web vault logins.

In May 2022, Bitwarden asked the cybersecurity experts at Cure53 to perform penetration testing and “develop a detailed and encompassing security assessment across Bitwarden IPs, servers, and web applications”.

Cure53 found no critical or important issues during the analysis of Bitwarden’s network and infrastructure. The security researchers did find four issues; two of them received a low security threat rating, the other two an informational rating only.

Cure53 concluded that Bitwarden “exhibits a strong security foundation with zero exploitable vulnerabilities found”. Three of the four issues that the security researchers discovered during the audit have been addressed by now; the fourth is under investigation.

Here is the list of issues discovered during the audit:

1. The API web server exposed its host origin at Azure “through a response cookie set under certain requests”. An attacker who learned the origin domain of the web server could potentially bypass protections placed in front of it, such as those provided by Cloudflare.
2. Bitwarden’s icon service, hosted at icons.bitwarden.net, exposed the host IP address of its Kubernetes cluster through an alternative service, which could likewise allow front-end protections to be bypassed.
3. Brute-force attacks on two-factor authentication are not effective because of rate limits, but attackers with access to a large set of proxies could overcome this protection. Bitwarden introduced a captcha challenge once a certain number of failed login attempts is noted.
4. Bitwarden did not implement “some of the newer security headers, such as Cross-Origin Resource Policy (CORP), Cross-Origin Opener Policy (COOP), Cross-Origin Embedder Policy (COEP)”. Bitwarden is currently investigating the impact these headers would have.

The second audit, also conducted by Cure53, included penetration testing and a source code audit against “all Bitwarden password manager software components and aspect”.

Cure53 found no critical vulnerabilities. A total of 7 issues were found during the audit, the majority of them informational in nature. Two of the issues were rated high by Cure53.

Here is the list of issues discovered during the audit, the first two are the ones rated high:

1. An issue was detected that could allow arbitrary redirects under a Bitwarden domain in very specific circumstances. Bitwarden addressed the issue by applying a Content-Security-Policy to the affected webpage.
2. Bitwarden uses HubSpot code on its main website. A vulnerability was discovered in the “embedded HubSpot Forms JavaScript library” that introduced a DOM-based vulnerability. The issue has been fixed by HubSpot.
3. The Bitwarden Electron desktop application lacked “a number of general Electron application security recommendations”.
4. A client-side traversal bug was found in a page.
5. Re-testing an issue reported earlier to Bitwarden confirmed that the implemented fix was incomplete.
6. The access code for the email login is checked with a non-constant-time string comparison, which could be exploited, but only with difficulty.
7. Lack of cross-origin-related HTTP security headers.

The two audits are linked on the official Bitwarden blog.

Closing Words

No critical issues were discovered during the two audits. Two security issues that Cure53 rated high were discovered during the source code audit and penetration testing. These were fixed quickly by Bitwarden and the third-party HubSpot. All other issues were either rated low or informational only.

Bitwarden passed the audits with flying colors, considering that all products and services were under scrutiny by security experts. The company plans to continue hiring security companies to analyse its security to “uphold high cybersecurity standards”.

Now You: are you a Bitwarden user?

The post Bitwarden passes annual security audit with flying colors appeared first on gHacks Technology News.
