Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain
74 points by knedl
If you're in the password manager business, is there a point where you decide that github actions isn't worth the risk?
No kidding. This makes me want to move off bitwarden back to 1password. I've felt increasingly uneasy with bitwarden (the app has a few glitches that have made me freak out a few times thinking I was pwned) so this is close to the, if not the, final nail in the coffin.
Same. I've found it hard to get over how history for items and passwords is half-done.
Frankly, the only thing holding me back is that 1Password 8 refuses to work in Firefox Private Browser mode. So … I guess I'm one of the people who are mad about 1Password 8. 😔
That's not my experience, but I am aware they have strong opinions about "trusted" browsers - is your Firefox installed by your package manager?
I also just realized I should qualify my report that my usage is always with the desktop app, and the extension connects to it. I've not tried running just the extension so that could be a meaningful difference.
Also you're for sure not the only person mad about 8 but I have given other ones a fair shot and regardless of how much AgileBits hates their users, the execution is worth it.
I feel a bit embarrassed having moved my immediate family over to Bitwarden - it just is not very user friendly. In order to have sharing features on your family plan you have to create an "organization", which is not exactly intuitive. Not a huge deal but little papercuts like that are all over.
Also it chokes on login forms where the password field is only shown after you submit your username/email. This drives me bonkers. Autofill is especially terrible on Firefox for Android IME.
Edit to add: if 1Password was open source I would have picked it literally in a heartbeat. But it's not, so I'm not sure what to do :(
Same boat. Would rather it be OSS. But at least their bottom line is to keep things secure, else they'd have a huge hit in profits. I'm okay paying for that work, as to my knowledge they haven't had a major security incident in recent memory.
Paying for security is my stance too. (And for UI polish, but first things first!) OSS would be even better, but it seems like 1Password has done their security homework; I was impressed by the level of technical detail in their Security Design whitepaper. To make a SimCity 2000 reference, skimping on security is a "YOU WILL REGRET THIS" decision.
Overall I'm not completely happy with having to pay for security—not because of 1Password, but because of an underlying belief that security ought to be free. But I need to buy it, it's for sale, and apparently it's worth buying.
If you're into selfhosting, there are some contenders. I've been looking at Passbolt (https://www.passbolt.com/) since I heard about them after FOSDEM 2024. They had a talk there that I seem to remember I found pretty interesting: https://archive.fosdem.org/2024/schedule/event/fosdem-2024-2181-passbolt-open-source-password-manager-for-teams/
Agree - this is a business where you absolutely cannot afford to be compromised. You can't just ship software like any other company does, you must have a risk appropriate SDLC.
This should be a company ending event - it easily could be for customers affected.
This should be a company ending event
Emphasis on "should". LastPass got hacked in 2022 with losses of millions of dollars (and a class action for $24.5 million, which was almost certainly less than actual losses). And they're still around! Relative to that, Bitwarden's compromise of fewer than 200 users seems like nothing.
I feel like we as an industry have extremely overestimated the value of zero-click package releases.
I am very much for almost all parts of package release prep to be automated. But can we just say "you gotta click a button to release a thing at the last step", along with some 2FA?
The whole way that GitHub handles forks so that commits in forks also appear "valid" (at most a warning on the website) in upstream makes it nigh on impossible to verify it's from a trusted source. Seems to be a very common theme in these attacks...
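One workflow shape that covers both points above (a human click plus 2FA before the final publish, and refusing to publish from anything but the upstream repository), as an added example that is not Bitwarden's, Checkmarx's or any commenter's code. The repository name, environment name and secret name are placeholders, and the "required reviewers" rule that actually pauses the publish job is configured in the repository's environment settings, not in this file.

```yaml
# Added example, not from the thread: release pipeline with a gated last step.
# Assumes a GitHub environment "npm-release" whose protection rules require a
# reviewer, and that NPM_TOKEN is stored as an environment secret there, so it
# is only released to the job after a maintainer approves.
name: release
on:
  push:
    tags: ["v*"]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci
      - run: npm test
      # Package the exact bytes the reviewer will be approving.
      - run: npm pack
      - uses: actions/upload-artifact@v4
        with:
          name: tarball
          path: "*.tgz"
  publish:
    needs: build
    # A tag pushed to a fork carries the fork's github.repository value,
    # so only the upstream repository (placeholder name) gets past this check.
    if: github.repository == 'example-org/example-cli'
    runs-on: ubuntu-latest
    # Required-reviewer rule on this environment pauses the job until a named
    # maintainer (protected by their own account 2FA) approves it in the UI.
    environment: npm-release
    permissions:
      contents: read
      id-token: write   # lets npm attach a provenance attestation
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: tarball
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org
      # Publish the reviewed tarball, not a fresh build from source.
      - run: npm publish ./*.tgz --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

Keeping the token as an environment secret rather than a repository secret matters: a job that never reaches the approved environment never sees it.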
Their statement bizarrely gives no guidance to the 334 people who downloaded the malware. Oof.
Not that the statement is great, but I don't think that's actually that many people. A lot of bots download all npm packages, and even if they didn't, I still don't think that's a ton of people compared to the presumable general install base.
But yeah, they still probably should have provided some advice. Or at minimum, "we're still investigating and will have instructions as soon as possible".
Oof, putting this on the community forum/website gives off a weird vibe. Not even a blog post with a follow up later on.
Scary.
Supply chain attacks on password managers are why I make sure high value credentials are hardware backed.
In practice for me that's passkey or TOTP via yubikey, but sadly banking sites often don't support them, so I resort to using https://github.com/str4d/age-plugin-yubikey. That's pretty inconvenient at times though, since there's no good mobile solution.
I realise my solution is a bit extreme. Where do "less paranoid" people store their banking passwords?