
Comments (59)

kspearrin avatar kspearrin commented on May 17, 2024 83

We are scheduled with Cure53 for later this year to perform a complete audit of the backend server (core), web vault, desktop apps, browser extensions, and jslib (the library that powers most of our client apps).

from server.

kspearrin avatar kspearrin commented on May 17, 2024 40

We are currently in early discussions with Cure53 about completing an audit. If anyone has suggestions of other agencies, please list them and we'll consider reaching out to them as well.

from server.

kspearrin avatar kspearrin commented on May 17, 2024 35

An audit has been completed. See here:

https://blog.bitwarden.com/bitwarden-completes-third-party-security-audit-c1cc81b6d33

from server.

bmather9 avatar bmather9 commented on May 17, 2024 31

I'd pay for premium if there were a full audit.

from server.

kspearrin avatar kspearrin commented on May 17, 2024 27

Some news on this front, bitwarden is now working with researchers on HackerOne to find vulnerabilities in the platform. Our program is currently private but will enter public status soon. We've already resolved a few minor issues found by researchers there so far.

from server.

lordraiden avatar lordraiden commented on May 17, 2024 22

We are scheduled with Cure53 for later this year to perform a complete audit of the backend server (core), web vault, desktop apps, browser extensions, and jslib (the library that powers most of our client apps).

Any news on when it will be done? Will the results be public?
Waiting for it, in order to propose it in my organization.

from server.

kspearrin avatar kspearrin commented on May 17, 2024 18

Thanks for the links. We are planning to have a formal audit performed.

If anyone would like to contribute to this in some way, please contact me directly using the contact form on the bitwarden website.

from server.

kspearrin avatar kspearrin commented on May 17, 2024 16

Our HackerOne program has now gone public: https://hackerone.com/bitwarden

from server.

rodalpho avatar rodalpho commented on May 17, 2024 14

Heh, clever. Of course I meant I wouldn't contribute towards an audit either. Bitwarden is a commercial entity with a business model. I don't donate to for-profit businesses, I buy goods and services from them.

But that's just me, other people have said they would do so.

from server.

kspearrin avatar kspearrin commented on May 17, 2024 12

@heyitsanthony Thanks for having a look.

  • SHA1 is only used in one place throughout the application, as the underlying hash of RSA OAEP padding. My understanding from discussions on this subject is that even though SHA1 on its own has been shown to be weak, it does not weaken the security of RSA OAEP (where it is spec'd as the default function). Further, SHA256 is an option for OAEP (and was actually what we originally implemented); however, we are restricted by the least common denominator of all of the platforms that we support. For example, iOS only supports OAEP with SHA1. Our code is written in a way that we can easily migrate to OAEP with SHA256 once platform support is uniform.
  • Good catch. We should sign the organization key to prevent a bad actor on the server or a MITM, which could result in encrypting data with a forged key. We'd need to come up with a way to produce a signature from the key exchange that would work in this scenario, where users' public keys and the organization's long-term AES key (encrypted) are stored on the server.

from server.

heyitsanthony avatar heyitsanthony commented on May 17, 2024 11

I noticed two potential issues from looking over the code:

  • SHA1 OAEP as an option, despite SHA1 being regarded as weak
  • AES key exchange isn't using digital signatures; it appears that a malicious server can generate its own AES keys using the client's public key, then pass them back to the user.

/cc @brianredbeard

from server.

mike-of-earth avatar mike-of-earth commented on May 17, 2024 10

I am looking for a cross-platform solution to replace the password manager I currently use. I would gladly pay a 'license' fee for a product like this that undergoes a review once and a while.

from server.

MichaelTunnell avatar MichaelTunnell commented on May 17, 2024 10

RedHat Enterprise Linux is open-source also. Would you donate to RedHat? How about Oracle, would you open your heart and donate to Larry Ellison's Lamborghini fund because they develop MySQL?

There is a big difference between helping out a small company trying to do something incredibly beneficial for the Open Source community, such as providing an easy-to-use open source password manager for the masses, compared to BILLION DOLLAR corporations.

from server.

eitland avatar eitland commented on May 17, 2024 8

Heh, clever. Of course I meant I wouldn't contribute towards an audit either.

I find you unreasonably negative. Bitwarden is mostly open source and I think both I and others find it useful to sometimes contribute to products that I don't use (yet).

FWIW Scott that you replied to is a professional security researcher and it seems he's already spent some unpaid time on the code.

from server.

Fwardalonious avatar Fwardalonious commented on May 17, 2024 8

Been waiting on this security audit to switch over, glad to hear it's coming soon.

from server.

kspearrin avatar kspearrin commented on May 17, 2024 5

@bcbane We are currently working to bring many of our paid features online which will allow us to start bringing in cash to fund things like a formal security audit. If all goes as planned, we should definitely have this done at some point this year.

from server.

opes avatar opes commented on May 17, 2024 5

I think @MarcReckel brings up a valid point. It would be great if there were some transparency around how much funding is needed to perform a formal security audit and how much has been raised towards that goal. To get that insight would provide more reassurance when throwing money at the project. I don't know how feasible that is, though, or if gofundme is the right platform. I mainly just want to express interest in putting funding into the project if I know that it would go towards a full audit.

from server.

 avatar commented on May 17, 2024 5

Currently waiting for the security audit to buy my premium subscription... any update? Also is there a gofundme? I love the idea of bitwarden

from server.

kspearrin avatar kspearrin commented on May 17, 2024 4

Since many people watch this thread I just wanted to post a follow up that the potential vulnerability mentioned by @paragonie-scott earlier in this thread (which he subsequently removed) turned out not to be an issue and the related HackerOne report was closed. Though we did end up having some good discussion on the crypto implementations.

from server.

HelpfulRock avatar HelpfulRock commented on May 17, 2024 4

2017 is done, any status update on this? Get some quotes and open some kind of "gofundme". It should help you get there ;)

I can only speak for myself, but I would participate if there is a clear goal in terms of money needed.

Best regards

from server.

rodalpho avatar rodalpho commented on May 17, 2024 3

I would personally never consider using this product without a security audit. My entire life is in my password manager. It isn't a throwaway decision.

I have zero interest in paying for the audit. I'd open my wallet after they pass the audit, when I would subscribe.

from server.

indolering avatar indolering commented on May 17, 2024 3

I would consider contributing if the project was developed and run by a non-profit foundation

Can we stop responding to people who don't understand the economics of OSS software?

don't know how feasible that is, though, or if gofundme is the right platform.

I opened a ticket for BountySource integration, which would enable collaborative funding for any GitHub ticket.

from server.

sj avatar sj commented on May 17, 2024 3

Hi guys — Sorry for being a bit late to the party! I've just added bitwarden/core to the C# beta on LGTM.com: https://lgtm.com/projects/g/bitwarden/core/alerts

The best way (IMHO) to use LGTM, is by enabling automatic code review for pull requests. Here's an example of how that works for the team at Google (+ community) for AMPHTML: ampproject/amphtml#13060, and NASA use it for their Open-MBEE project, e.g.: Open-MBEE/exec-cameo-mdk#105. You can enable automatic code review here: https://lgtm.com/projects/g/bitwarden/core/ci/

Any questions / suggestions / comments: give me a shout! (Full disclosure: I'm part of the team that built LGTM.com 🙂)

from server.

indolering avatar indolering commented on May 17, 2024 3

Let me know if I can be of assistance, I would love to work with Cure53!

from server.

ple103 avatar ple103 commented on May 17, 2024 2

https://sakurity.com/securelogin
Free security audit if you implement SecureLogin.

from server.

brianredbeard avatar brianredbeard commented on May 17, 2024 2

@dralley This can be a double edged sword, especially for a small team. Project zero has a few built in control valves to force responsible disclosure. This means the entire Bitwarden team has 90 days to resolve all vulnerabilities before they become 0-days (hence the name).

@ple103 Personally, I would let that bake in a little bit more. The Sakurity team is still working through some of their own UX and security concerns from the community. I look forward to seeing how it goes in the long run, but the guidance "Make sure you write down your master password and that you never used this password before." is going to be a challenge for some people to accept.

from server.

Moxville avatar Moxville commented on May 17, 2024 2

High-Tech Bridge is launching a free 'Mobile X-Ray' service for developers that analyses native and hybrid iOS and Android apps and detects the most common weaknesses and vulnerabilities.
Just upload your iOS or Android mobile app to start a DAST, SAST and behavioral audit for OWASP Mobile Top 10 and other vulnerabilities.
https://www.htbridge.com/mobile/

from server.

squirrelboot avatar squirrelboot commented on May 17, 2024 2

Just throwing that out there.. I'm willing to donate to have the security audit done. It's important to me that something I rely on this much, be as secure as it can be. Thanks.

from server.

Moxville avatar Moxville commented on May 17, 2024 2

OSTIF has done audits on VeraCrypt, OpenVPN, etc.
https://ostif.org/

from server.

timemaster67 avatar timemaster67 commented on May 17, 2024 2

You can view Cure53 original report on their website from either the Publication section, or this direct link
https://cure53.de/pentest-report_bitwarden.pdf

from server.

dralley avatar dralley commented on May 17, 2024 1

I don't know how Google's Project Zero picks and chooses their targets for security auditing, but considering they recently did one for LastPass, it might be possible to have them take a look at Bitwarden

from server.

davidkassa avatar davidkassa commented on May 17, 2024 1

I was playing with SonarQube on my fork tonight. Could be a good start, but might just be a bunch of noise. If there's interest, I can clean things up and make a PR. Current report can be seen here: https://sonarcloud.io/dashboard?id=bitwarden-core

from server.

Moxville avatar Moxville commented on May 17, 2024 1

some links I came across (might be useful)

Security Automation and Risk Management for Open-Source Code
https://www.sourceclear.com/

Node Security Platform
https://nodesecurity.io/

Synk
https://snyk.io/

from server.

rodalpho avatar rodalpho commented on May 17, 2024 1

I would consider contributing if the project was developed and run by a non-profit foundation like Kodi and Apache. That is not the case. I don't contribute to for-profit enterprises, and am frankly amused that you think it's unreasonable.

RedHat Enterprise Linux is open-source also. Would you donate to RedHat? How about Oracle, would you open your heart and donate to Larry Ellison's Lamborghini fund because they develop MySQL?

from server.

sj avatar sj commented on May 17, 2024 1

Oh, and while I'm at it — here are the results for bitwarden/mobile: https://lgtm.com/projects/g/bitwarden/mobile/alerts/

from server.

sj avatar sj commented on May 17, 2024 1

You're welcome, @MichaelTunnell — glad to have you on board!

Someone pointed @petervnv's comment in this issue (now a year ago) out to me, so it seemed worth setting this up. Let me know what you think!

Note that you can add your own open source projects to LGTM if you like. Just log in with Google or GitHub (or create an account), and go to "My Projects". If you have a large number of projects you'd like to add: just drop me a note and I'll do them all in one go.

from server.

bcbane avatar bcbane commented on May 17, 2024

So how close is Bitwarden to getting a formal security audit?

from server.

kspearrin avatar kspearrin commented on May 17, 2024

@heyitsanthony We've added support for HMAC-SHA256 signing org keys with a user's protected "mac key" (half of the 512 bit encKey). See:

5a67df6
bitwarden/web@9a7dac7
bitwarden/clients@8ff336d
bitwarden/mobile@7823ec3

This will authenticate a user's org key each time it is used, so any tampering will result in a failure during decryption. This puts the appropriate infrastructure in place, however, still leaves two scenarios open that we need to fill:

  • Signing the org key after a new user is confirmed (not just for the admin user that created the org).
  • Signing org keys that already exist under the Rsa2048_OaepSha256_B64 and Rsa2048_OaepSha1_B64 enc types. We'll need a migration prompt of some sort for this.

After these scenarios are resolved we can make the mac checks strictly enforced.

from server.

kspearrin avatar kspearrin commented on May 17, 2024

@davidkassa Thanks for the scan. I don't really see anything of concern in that report.

from server.

davidkassa avatar davidkassa commented on May 17, 2024

from server.

kspearrin avatar kspearrin commented on May 17, 2024

@davidkassa I'd be open to it. I created a sonarcloud account and bitwarden organization but I'm not really sure how to use it. We use AppVeyor for CI builds.

from server.

davidkassa avatar davidkassa commented on May 17, 2024

from server.

petervnv avatar petervnv commented on May 17, 2024

This could also be helpful. Not sure you know it yet

https://lgtm.com/projects/g/bitwarden/browser/

from server.

stefanmaric avatar stefanmaric commented on May 17, 2024

Our HackerOne program has now gone public: https://hackerone.com/bitwarden

This is awesome news! Are you planning on a blog post or something? I think this is worthy of some diffusion. Some background on how it works and what this means for the project, the company, etc., and sharing on HN, Reddit, etc.

from server.

stefanmaric avatar stefanmaric commented on May 17, 2024

This is awesome news! Are you planning on a blog post or something? I think this is worthy of some diffusion. Some background on how it works and what this means for the project, the company, etc., and sharing on HN, Reddit, etc.

Nevermind: https://blog.bitwarden.com/bitwarden-launches-on-hackerone-a8acda73b1c1

from server.

Moxville avatar Moxville commented on May 17, 2024

Check websites for security and performance issues with Sonar (might come in handy)
Microsoft's Edge development team launched a new open source website scanner called Sonar yesterday which tests websites for security and performance issues.
https://sonarwhal.com/
https://sonarwhal.com/scanner/

Scanner throws some errors for "https://vault.bitwarden.com/"
https://sonarwhal.com/scanner/7e565752-f659-4a25-9f03-d104b4e6fa2b

from server.

kspearrin avatar kspearrin commented on May 17, 2024

@paragonie-scott Please open new issues in the appropriate repos if you think you have found something. Or you can email us privately. This issue is to discuss the need for a security audit and I don’t want it getting filled up with additional comments and discussion related to potential vulnerabilities.

from server.

paragonie-scott avatar paragonie-scott commented on May 17, 2024

I didn't see that you had a HackerOne program until just now. I sent the full details of the vulnerability/exploit there and deleted my comments above.

Sorry for the confusion here.

from server.

 avatar commented on May 17, 2024

Echoing the sentiment here. The only thing that could entice me even more is a full audit.

from server.

indolering avatar indolering commented on May 17, 2024

Publishing an informal security model would be a good start. There are lots of bits-and-pieces on the website and in your repos, but they are pretty generic and don't go into the necessary technical detail.

from server.

paragonie-scott avatar paragonie-scott commented on May 17, 2024

I have zero interest in paying for the audit. I'd open my wallet after they pass the audit, when I would subscribe.

Paying for an audit is a tall order for any one person. Would you contribute to a crowd-fund?

from server.

imakiro avatar imakiro commented on May 17, 2024

Where is the project on the audit side of things? Did you get quotes? Set up a crowdfunding?
We want to move to bitwarden from Lastpass but need an audit to be done for the solution to be qualified as mature...

from server.

indolering avatar indolering commented on May 17, 2024

@kspearrin The first step is to write out an informal security model. Have you done this?

from server.

devonjohnjames avatar devonjohnjames commented on May 17, 2024

Security audits are very expensive. Crowdfunding would make perfect sense, but the question is whether security audit companies allow Bitwarden to even talk about prices. I know some forbid it...

from server.

MichaelTunnell avatar MichaelTunnell commented on May 17, 2024

I haven't heard of this service before, that is very cool. Thanks for sharing and setting this up. Hopefully this will help the audit. 👍

Note: for those who haven't heard of this and are curious what LGTM stands for as I was . . . LGTM = "Looks Good To Me"

from server.

Moxville avatar Moxville commented on May 17, 2024

WhiteSource
https://www.whitesourcesoftware.com/
Free tool checks for critical open source vulnerabilities

from server.

rodalpho avatar rodalpho commented on May 17, 2024

Very good news! I look forward to switching to Bitwarden once this is complete.

from server.

paragonie-scott avatar paragonie-scott commented on May 17, 2024

See #392 for follow-up regarding the solution to one of Cure53's findings.

from server.

 avatar commented on May 17, 2024

👍

from server.
