
Bitwarden password manager grants full RCE to Bitwarden developers - sneak
https://github.com/bitwarden/desktop/issues/552
======
ufmace
Characterizing an auto-update system as a RCE for the product's developers is
an absurd exaggeration IMO. Most of the security world seems to consider
automatic updates to be a good thing so that actual vulnerabilities get fixed
rapidly across the whole install base.

What is the recommended resolution here anyways? An alert for the updates that
the user can refuse? I think real-world data suggests that, if there actually
was a backdoored update, that would be a terrible way of dealing with it.

~~~
silica
but, automatic updates are by definition RCE since they're downloading code
remotely and executing it ;)

------
floatboth
As if any developer couldn't be coerced to insert malicious backdoors into
builds for App Stores. Or _any_ update channel really, even DVDs and carrier
pigeons.

Literally all software, the whole concept of binary distribution is "RCE" by
this definition.

The only difference is that custom auto updates and the web make it much
easier to roll out a backdoor in a _targeted_ way rather than en masse. Is it
a huge difference? Meh.

------
BrandoElFollito
The thing that is really scary is that OP runs a security company.

His bug report is so wrong that it is comical. I hope he runs an OS he wrote
himself (or reviewed every line of) and apps he wrote himself (or reviewed
every line of).

Sadly he uses Bitwarden that he did not write, but hopefully he reviews all
the patches himself.

What should a Scratch or COBOL coder like myself do? Certainly not trust him
or anyone else, the patch is probably backdoored.

I will use a piece of paper to write my passwords then.

The bug report is pathetic for someone who does security, I made a note to
never use his company. Not because they are bad but because his report shows
that he has no idea how to approach risk assessments.

------
Ancapistani
Note that the username of the submitter here is the same as the username of
the author of the GitHub issue.

------
solarkraft
Thanks for being so alarmist. It really is a security vulnerability.

FWIW I mostly use the Firefox extension and disabled automatic updates for
that.

------
elliotpage
This title is really overblown, it's someone complaining about the update
mechanism, woop de doo.

