If someone compromise bitwarden infrastructure can (and probably will) silently release a “new” minor version of app and webapp so that every master password is sent to him, and then decipher passwords.
It will last only some hours at worst but will still collect a lot of passwords.
That’s only thing I’m worries about, but I still use bitwarden as I think my passwords being compromised in this evenience as nearly impossible
It absolutely shouldn’t be possible compromised or not for someone who has gained unlawful access to start pushing malicious code to production as long as proper security is in place
It shouldn’t be possible to break any service but hackers do that daily.
If proper security is in place they will need some 0day exploits, but it’s not impossible, just extremely difficult
Bro, what I said is that an attacker who someways get access to production, can push modified source code that send cleartext password to him before everything else.
If someone compromise bitwarden infrastructure can (and probably will) silently release a “new” minor version of app and webapp so that every master password is sent to him, and then decipher passwords.
It will last only some hours at worst but will still collect a lot of passwords.
That’s only thing I’m worries about, but I still use bitwarden as I think my passwords being compromised in this evenience as nearly impossible
It absolutely shouldn’t be possible compromised or not for someone who has gained unlawful access to start pushing malicious code to production as long as proper security is in place
It shouldn’t be possible to break any service but hackers do that daily. If proper security is in place they will need some 0day exploits, but it’s not impossible, just extremely difficult
Bitwarden is open source. You can see all the code for yourself: https://github.com/bitwarden
I know, but that won’t change the eventuality I described
Password is hashed locally. Only already hashed password is trasmitted over the internet.
Bro, what I said is that an attacker who someways get access to production, can push modified source code that send cleartext password to him before everything else.