Popular Password Manager Could Have a Critical Vulnerability
Fnord666 writes:
Popular password manager could have a critical vulnerability:
A security researcher has discovered a new vulnerability in a popular password manager that could allow for remote code execution.
The password manager in question is Bitwarden and the vulnerability resides in the company's desktop app which automatically downloads updates and replaces its own code with these updates without user intervention.
Co-founder of Keytern.al Jeffrey Paul argues that the company's developers could leverage its automatic updates to install backdoors into every single installation of the password manager and steal all of the passwords stored in every desktop user's database.
In a post on GitHub, Jeffrey Paul provided further insight into the fact that Bitwarden would grant its developers full remote code execution, saying:
"The fact that, of all things, a password manager would grant FULL REMOTE CODE EXECUTION to its developers is insane. The very fact that you would ship a feature like this means you are in no way qualified to hold keys or authentication credentials that allow you to publish a new version that could, at your sole option, backdoor everyone's installations and steal all the passwords of every single user of this software."
Paul also makes the point that a third party could convince Bitwarden's developers to add a backdoor to the company's password manager. For instance, if someone had information on the developers, they could blackmail them into adding a backdoor or they could even pay them to do so as well.
Read more of this story at SoylentNews.