15 votes

Bitwarden Completes Third-party Security Audit

1 comment

  1. JamesTeaKirk

    So Bitwarden says:

    Some issues are informational and no action is currently planned or necessary. We are happy to report that no major issues were identified during this audit and that all impactful issues have already been resolved in recent Bitwarden application updates.

    But the pen-testers are a bit less enthusiastic:

    All in all, while the client and backend code are vulnerable to some issues, all of the problems can be easily fixed without a lot of effort. In that sense, Cure53 believes these items of the Bitwarden scope to be fully capable of reaching the desired standards of security in a rather short time. To reiterate, the results of this autumn 2018 assessment are positive for the client and code. Sadly, the same thing cannot be stated for the current cryptographic scheme in use. Given the number and range of issues discovered, it seems necessary that a re-design takes place. This needs to reassess how certain features are implemented and ensure that the overall cryptography stands strong against the attackers' efforts.

    Bitwarden seems to claim that the solutions posed by the pen-testers for the two "critical" issues brought to them are infeasible for various reasons relating to the existing design of Bitwarden and the impact the solutions would have on users' time/data.

    11 votes