Server: Security audit

Created on 19 Jan 2017  Â·  59Comments  Â·  Source: bitwarden/server

Not sure in which repository this belongs, probably in all of them. Bitwarden should get a security audit to find and squash any security issues that might hide somewhere. Obviously there is the problem of financing, so maybe this can be of help. Doesn't hurt to try it, right?

https://blog.mozilla.org/blog/2016/06/09/help-make-open-source-secure/
https://docs.google.com/forms/d/e/1FAIpQLScLwANEOvLBE6gnFVoiamqHOYzzkaChpdQJ7f0PlZGmfyy94w/viewform
https://wiki.mozilla.org/MOSS/Secure_Open_Source

help wanted

Most helpful comment

We are scheduled with Cure53 for later this year to perform a complete audit of the backend server (core), web vault, desktop apps, browser extensions, and jslib (the library that powers most of our client apps).

All 59 comments

Thanks for the links. We are planning to have a formal audit performed.

If anyone would like to contribute to this in some way, please contact me directly using the contact form on the bitwarden website.

So how close is Bitwarden to getting a formal security audit?

@bcbane We are currently working to bring many of our paid features online which will allow us to start bringing in cash to fund things like a formal security audit. If all goes as planned, we should definitely have this done at some point this year.

I noticed two potential issues from looking over the code:

  • SHA1 OAEP as an option, despite SHA1 being regarded as weak
  • AES key exchange isn't using digital signatures; it appears that a malicious server can generate its own AES keys using the client's public key, then pass them back to the user.

/cc @brianredbeard

@heyitsanthony Thanks for having a look.

  • SHA1 is only used in one place throughout the application, as the underlying hash of RSA OAEP padding. My understanding from discussions on this subject is that even though SHA1 on it's own has shown to be weak, it does not weaken the security of RSA OAEP (where it is spec'd as the default function). Further, SHA256 is an option for OAEP (and was actually what we originally implemented), however, we are restricted by the least common denominator of all of the platforms that we support. For example, iOS _only_ supports OAEP with SHA1. Our code is written in a way that we can easily migrate to OAEP with SHA256 once platform support is uniform.
  • Good catch. We should sign the organization key to prevent a bad actor on the server or MITM which could result in encrypting data with a forged key. We'd need to come up with a way to produce a signature from the key exchange that would work in this scenario where user's public keys and the organization's long-term AES key (encrypted) is stored on the server.

I don't know how Google's Project Zero picks and chooses their targets for security auditing, but considering they recently did one for LastPass, it might be possible to have them take a look at Bitwarden

https://sakurity.com/securelogin
Free security audit if you implement SecureLogin.

@dralley This can be a double edged sword, especially for a small team. Project zero has a few built in control valves to force responsible disclosure. This means the entire Bitwarden team has 90 days to resolve all vulnerabilities before they become 0-days (hence the name).

@ple103 Personally, I would let that bake in a little bit more. The Sakurity team is till working through some of their own UX and security concerns from the community. I look forward to see how it goes in the long run but the guidance Make sure you write down your master password and that you never used this password before. is going to be a challenge for some people to accept.

@heyitsanthony We've added support for HMAC-SHA256 signing org keys with a user's protected "mac key" (half of the 512 bit encKey). See:

https://github.com/bitwarden/core/commit/5a67df60def8d41c03eee22e3e5347fab034ea3c
https://github.com/bitwarden/web/commit/9a7dac706c9888adadf4e6b475d0d97890ddf88a
https://github.com/bitwarden/browser/commit/8ff336d103aed648f41d08588bf4e58723048b88
https://github.com/bitwarden/mobile/commit/7823ec3fc8c0691884e55c45687feaf12e86d8c8

This will authenticate a user's org key each time it is used, so any tampering will result in a failure during decryption. This puts the appropriate infrastructure in place, however, still leaves two scenarios open that we need to fill:

  • Signing the org key after a new user is confirmed (not just for the admin user that created the org).
  • Signing org keys that already exist under the Rsa2048_OaepSha256_B64 and Rsa2048_OaepSha1_B64 enc types. We'll need a migration prompt of some sort for this.

After these scenarios are resolved we can make the mac checks strictly enforced.

I was playing with SonarQube on my fork tonight. Could be a good start, but might just be a bunch of noise. If there's interest, I can clean things up and make a PR. Current report can be seen here: https://sonarcloud.io/dashboard?id=bitwarden-core

@davidkassa Thanks for the scan. I don't really see anything of concern in that report.

I didn't either. Is adding a regular scan to the CI process worthwhile? I wanted to play but trying to decide if it's worth spending a couple of nights on.

On Aug 3, 2017, at 8:06 PM, Kyle Spearrin notifications@github.com wrote:

@davidkassa Thanks for the scan. I don't really see anything of concern in that report.

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or mute the thread.

@davidkassa I'd be open to it. I created a sonarcloud account and bitwarden organization but I'm not really sure how to use it. We use appveyfor for CI builds.

Cool. I got it covered :)

I'll include details in the PR.

On Aug 4, 2017, at 3:04 PM, Kyle Spearrin notifications@github.com wrote:

@davidkassa I'd be open to it. I created a sonarcloud account and bitwarden organization but I'm not really sure how to use it. We use appveyfor for CI builds.

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or mute the thread.

This could also be helpful. Not sure you know it yet

https://lgtm.com/projects/g/bitwarden/browser/

Some news on this front, bitwarden is now working with researchers on HackerOne to find vulnerabilities in the platform. Our program is currently private but will enter public status soon. We've already resolved a few minor issues found by researchers there so far.

some links I came across (might be useful)

Security Automation and Risk Management for Open-Source Code
https://www.sourceclear.com/

Node Security Platform
https://nodesecurity.io/

Synk
https://snyk.io/

Our HackerOne program has now gone public: https://hackerone.com/bitwarden

Our HackerOne program has now gone public: https://hackerone.com/bitwarden

This is awesome news! Are you planning on a blog post or something? I think this is worth of some diffusion. Some background on how it works and what does this mean for the project, the company, etc and sharing on HN, Reddit, etc.

This is awesome news! Are you planning on a blog post or something? I think this is worth of some diffusion. Some background on how it works and what does this mean for the project, the company, etc and sharing on HN, Reddit, etc.

Nevermind: https://blog.bitwarden.com/bitwarden-launches-on-hackerone-a8acda73b1c1

High-Tech Bridge is launching a free 'Mobile X-Ray' service for developers that analyses native and hybrid iOS and Android apps and detects the most common weakness and vulnerabilities.
Just upload your iOS or Android mobile app to start a DAST, SAST and behavioral audit for OWASP Mobile Top 10 and other vulnerabilities.
https://www.htbridge.com/mobile/

Check websites for security and performance issues with Sonar (might come in handy)
Microsoft's Edge development team launched a new open source website scanner called Sonar yesterday which tests websites for security and performance issues.
https://sonarwhal.com/
https://sonarwhal.com/scanner/

Scanner throws some errors for "https://vault.bitwarden.com/"
https://sonarwhal.com/scanner/7e565752-f659-4a25-9f03-d104b4e6fa2b

@paragonie-scott Please open new issues in the appropriate repos if you think you have found something. Or you can email us privately. This issue is to discuss the need for a security audit and I don’t want it getting filled up with additional comments and discussion related to potential vulnerabilities.

I didn't see that you had a HackerOne program until just now. I sent the full details of the vulnerability/exploit there and deleted my comments above.

Sorry for the confusion here.

Since many people watch this thread I just wanted to post a follow up that the potential vulnerability mentioned by @paragonie-scott earlier in this thread (which he subsequently removed) turned out not to be an issue and the related HackerOne report was closed. Though we did end up having some good discussion on the crypto implementations.

2017 is done, any status update on this? get some quotes and open some kind of "gofundme". It should help you getting there ;)

i can only speak for myself but i would participate if there is a clear goal in terms of money needed.

Best regards

I am looking for a cross-platform solution to replace the password manager I currently use. I would gladly pay a 'license' fee for a product like this that undergoes a review once and a while.

Echoing the sentiment here. The only thing that could entice me even more is a full audit.

I'd pay for premium if there were a full audit.

Publishing an informal security model would be a good start. There are lots of bits-and-pieces on the website and in your repos, but they are pretty generic and don't go into the necessary technical detail.

I think @MarcReckel brings up a valid point. It would be great if there were some transparency around how much funding is needed to perform a formal security audit and how much has been raised towards that goal. To get that insight would provide more reassurance when throwing money at the project. I don't know how feasible that is, though, or if gofundme is the right platform. I mainly just want to express interest in putting funding into the project if I know that it would go towards a full audit.

I would personally never _consider_ using this product without a security audit. My entire life is in my password manager. It isn't a throwaway decision.

I have zero interest in paying for the audit. I'd open my wallet after they pass the audit, when I would subscribe.

I have zero interest in paying for the audit. I'd open my wallet after they pass the audit, when I would subscribe.

Paying for an audit is a tall order for any one person. Would you contribute to a crowd-fund?

Heh, clever. Of course I meant I wouldn't _contribute_ towards an audit either. Bitwarden is a commercial entity with a business model. I don't donate to for-profit businesses, I buy goods and services from them.

But that's just me, other people have said they would do so.

Heh, clever. Of course I meant I wouldn't contribute towards an audit either.

I find you unreasonably negative. Bitwarden is mostly open source and I think both I and others find it useful to sometimes contribute to products that I don't use (yet).

FWIW Scott that you replied to is a professional security researcher and it seems he's already spent some unpaid time on the code.

I would consider contributing if the project was developed and run by a non-profit foundation like Kodi and Apache. That is not the case. I don't contribute to for-profit enterprises, and am frankly amused that you think it's unreasonable.

RedHat Enterprise Linux is open-source also. Would you donate to RedHat? How about Oracle, would you open your heart and donate to Larry Ellison's Lamborghini fund because they develop MySQL?

RedHat Enterprise Linux is open-source also. Would you donate to RedHat? How about Oracle, would you open your heart and donate to Larry Ellison's Lamborghini fund because they develop MySQL?

There is a big difference between helping out a small company trying to do something incredibly beneficial for the Open Source community such as providing an easy-to-use open source password manager for the masses . . . comparing to BILLION DOLLAR corporations.

Where is the project on the audit side of things? did you get quotes? set up a crowfunding?
We want to move to bitwarden from Lastpass but need an audit to be done for the solution to be qualified as mature...

I would consider contributing if the project was developed and run by a non-profit foundation

Can we stop responding to people who don't understand the economics of OSS software?

don't know how feasible that is, though, or if gofundme is the right platform.

I opened a ticket for BountySource integration, which would would enable collaborative funding for any GitHub ticket.

@kspearrin The first step is to write out an informal security model. Have you done this?

Security audits are very expensive. Crowdfunding would make perfectly sense but the question is if security audit companies allow Bitwarden to even talk about prices. I know some forbid it...

We are currently in early discussions with Cure53 about completing an audit. If anyone has suggestions of other agencies, please list them and we'll consider reaching out to them as well.

Just throwing that out there.. I'm willing to donate to have the security audit done. It's important to me that something I rely on this much, be as secure as it can be. Thanks.

OSTIF has done audits on VeraCrypt, OpenVPN, etc.
https://ostif.org/

Hi guys — Sorry for being a bit late to the party! I've just added bitwarden/core to the C# beta on LGTM.com: https://lgtm.com/projects/g/bitwarden/core/alerts

The best way (IMHO) to use LGTM, is by enabling automatic code review for pull requests. Here's an example of how that works for the team at Google (+ community) for AMPHTML: https://github.com/ampproject/amphtml/pull/13060, and NASA use it for their Open-MBEE project, e.g.: https://github.com/Open-MBEE/mdk/pull/105. You can enable automatic code review here: https://lgtm.com/projects/g/bitwarden/core/ci/

Any questions / suggestions / comments: give me a shout! (Full disclosure: I'm part of the team that built LGTM.com :slightly_smiling_face:)

Oh, and while I'm at it — here are the results for bitwarden/mobile: https://lgtm.com/projects/g/bitwarden/mobile/alerts/

I haven't heard of this service before, that is very cool. Thanks for sharing and setting this up. Hopefully this will help the audit. :+1:

Note: for those who haven't heard of this and are curious what LGTM stands for as I was . . . LGTM = "Looks Good To Me"

You're welcome, @MichaelTunnell — glad to have you on board!

Someone pointed out @petervnv's comment in this issue (now a year ago) out to me, so it seemed worth setting this up. Let me know what you think!

Note that you can add your own open source projects to LGTM if you like. Just log in with Google or GitHub (or create an account), and go to "My Projects". If you have a large number of projects you'd like to add: just drop me a note and I'll do them all in one go.

WhiteSource
https://www.whitesourcesoftware.com/
Free tool checks for critical open source vulnerabilities

We are scheduled with Cure53 for later this year to perform a complete audit of the backend server (core), web vault, desktop apps, browser extensions, and jslib (the library that powers most of our client apps).

Very good news! I look forward to switching to Bitwarden once this is complete.

Been waiting on this security audit to switch over, glad to hear it's coming soon.

We are scheduled with Cure53 for later this year to perform a complete audit of the backend server (core), web vault, desktop apps, browser extensions, and jslib (the library that powers most of our client apps).

Any news on when it will be done? will the results be public?
Waiting for it, in order to propose it in my organization

Currently waiting for the security audit to buy my premium subscription... any update? Also is there a gofundme? I love the idea of bitwarden

Let me know if I can be of assistance, I would love to work with Cure53!

See #392 for follow-up regarding the solution to one of Cure53's findings.

:clap:

You can view Cure53 original report on their website from either the Publication section, or this direct link
https://cure53.de/pentest-report_bitwarden.pdf

Was this page helpful?
0 / 5 - 0 ratings

Related issues

jasonkuehl picture jasonkuehl  Â·  3Comments

ohthehugemanatee picture ohthehugemanatee  Â·  3Comments

theontho picture theontho  Â·  4Comments

mr-gosh picture mr-gosh  Â·  3Comments

shartge picture shartge  Â·  3Comments