that same website, but at /bitwarden/web/issues/659 It attempts to autocomplete because the second-level domain is the same, allowing all of the javascripts running on this app (Discourse) to potentially read/steal/upload your master password. The default match detection on the browser extension is incorrect for the *. domain, which means that your MASTER PASSWORD used on is leaked to the (relatively insecure) javascript application running this instance of Discourse for the web forum at. Security: Bitwarden's default match detection leaks client passphrase to javascript This allows the Bitwarden developers, or anyone who can compromise the Bitwarden developers, or anyone who can coerce the Bitwarden developers (legally, like in the case of a demand from a national military, or illegally, like a kidnapper), to push a backdoored update version that would automatically compromise/upload 100% of the keys/passwords of every Bitwarden desktop user. The Bitwarden desktop app grants full Remote Code Execution ability (RCE) to the Bitwarden developers via an unattended autoupdate mechanism that rewrites the local application code automatically on command from Bitwarden’s developers (usually performed in the case of a new version). Security: Bitwarden Desktop app grants RCE to Bitwarden developers.
0 Comments
Leave a Reply. |