Bitwarden_rs: Security problem?

Created on 30 Jul 2019  路  8Comments  路  Source: dani-garcia/bitwarden_rs

I use Bitworden_RS two weeks.
My credit card details were also stored there.
3 days ago I made an unauthorized purchase on my card.
because I noticed it early enough there was no damage.
Coincidence?

but my trust behind bitwarden is gone.
My Pi cannot be reached directly via the Internet, only via VPN.
Brouser plugins for Chrome and FIrefox were used.
How can I analyze the thing more exactly where the data disappeared?

question

All 8 comments

I seriously doubt someone would have specifically targeted your bitwarden_rs instance, even more so if it isn't even directly available from the internet. The information is encrypted and is only really decrypted on the clients.

I'd focus my attention on two fronts:

  • Which other third parties had access to the credit card info: merchants and shops that might have had data leaks recently.
  • Make sure the clients that access the bitwarden_rs server are malware free and that there aren't any database exports saved in plain text.

So you just used two clients?
But did you consider that they are maybe infected with a trojan or something which is spying the screen or keyboard?

This could happen with any other password manager as well.

I put a lot of effort into being safe.

At home I have a "real" firewall. Sophos UTM.
You can only get out via a transparent proxy with deep inspection.
I have several computers. all were checked with 3 four scanners. Defender (offline) Sophos Central , Malwere Bytes...

The Master Password alone will not help anyone.
you still need initial access to my LAN.

The question is how secure are the browser addons?
https://hackerone.com/bitwarden

The bitwarden server (regardless of what sofware you use, the official server or a third party implementation like bitwarden_rs) has no access to your secrets, they are end-to-end encrypted on your clients, so the server doesn't have access to them in plain text or the keys that can be used to decrypt them.
As others mentioned, there is also a negligible chance that your bitwarden_rs instance has been targeted by someone, especially if it's not event exposed to the public internet.

I believe there are two possibilities:

  • One of your client computers is compromised in some way
  • Your credit card details were stolen from a third party

Difficult to say anything about the two points without becoming paranoid.
The PC can be reinstalled, but I have no influence on the rest.

I don't see how this is actionable by bitwarden_rs devs. As mentioned, passwords are encrypted client-side, so the exposure on server side is _very_ limited. I think this should be closed unless there's good reason to think there is security flaw in the server implementation?

I got the leak.
Booking.com there credit card data is getting lost again and again...

there the summer vacation was booked and not over my hardware but the Apple stuff of my girlfriend directly over her App.

I鈥檓 glad you found the cause :)

I think this can be closed now then.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

xhalo32 picture xhalo32  路  5Comments

pageb018 picture pageb018  路  3Comments

mrtargaryen picture mrtargaryen  路  5Comments

mikkelnl picture mikkelnl  路  3Comments

tycho picture tycho  路  5Comments