undefined | Better HN

0 pointssneak5y ago0 comments

Note also that the bitwarden desktop app has a remote code execution vulnerability that the developers refuse to fix, which means that the developers can, at any time, replace your local copy of the bitwarden desktop app with a different version that could steal all your passwords in exactly the manner you describe.

You can patch the bitwarden client (and also take the opportunity to remove the spyware they have embedded in it, as well), or use a program like LuLu or Little Snitch to block it from communicating with anything but your own selfhosted bitwarden_rs instance.

0 comments

dastx5y ago

Do you have more information on this? A link maybe?

EDIT: Never mind, found it - https://github.com/bitwarden/desktop/issues/552. This isn't exactly an RCE. You can say the same about anything. By your logic Microsoft auto-updates are RCE. Same with pacman/apt-get/yum package managers. Same with pretty much anything else.

I'm not saying they're not valid concerns, however, if you're this worried about all of these things, maybe cloud-based software isn't for you.

j / k navigate · click thread line to collapse

0 pointssneak5y ago0 comments

0 comments

dastx5y ago

Do you have more information on this? A link maybe?

I'm not saying they're not valid concerns, however, if you're this worried about all of these things, maybe cloud-based software isn't for you.

j / k navigate · click thread line to collapse