‘Bitwarden’ Password Manager Follows Risky Updating Practices

Published on September 22, 2020
Written by:
Bill Toulas
Infosec Writer

Security researcher Jeffrey Paul has discovered a worrying aspect of how Bitwarden updates work and shared his thoughts in a GitHub post. According to the researcher, the popular password manager’s desktop application can automatically download and install updates, a capability that is usually presented as a security-enhancing feature.

Those updates replace the app’s code remotely, without ever asking the user to confirm the action; the process runs in the background and generates no alerts. In practice, this gives Bitwarden’s developers, and anyone able to compromise their build or distribution pipeline, remote code execution on every desktop that runs the app.

It may sound like this is done for the end user’s convenience and safety, and many would see it that way, but it carries real risks. Would you blindly trust a remote team of developers who could plant a backdoor in your Bitwarden installation at any time they chose?

We’re not saying that Bitwarden’s developers are unethical or have ill intentions. Still, there is always the possibility of coercion, or of an attack that compromises Bitwarden’s infrastructure. Either could result in every password and item stored in the app being exfiltrated to the attackers, whoever they may be.

As the researcher points out, anyone interested in a specific Bitwarden user’s secrets could kidnap a developer and threaten them, blackmail them remotely, or simply pay them. There are many ways to “convince” a developer to plant a backdoor on a particular target’s computer. Worse still, a single malicious update could steal the data of the entire Bitwarden userbase at once; by the time the rest of the team notices and reverses it, everything is already gone.

Bitwarden has responded to these concerns by saying that it sees auto-updating as an integral and critical security component that 99.9% of its userbase appreciates. It also pointed out that nothing malicious has ever been introduced through these auto-updates, which, in its view, shows that there is no risk or suspicious intent. Updates go through a ‘testing, review, and approval’ process, so no single developer can ship one independently of the rest of the team.

Moreover, Bitwarden reassured its users that its products and services are rigorously tested by third-party auditors, although such audits would not cover each individual update. Finally, it promised to add a way for users to switch automatic updates off, accepting the risk themselves if they prefer it that way.
