This repository has been archived by the owner on Jun 24, 2022. It is now read-only.

Add info tooltip for BitWarden to recommend registering through desktop clients #2329

Open
wants to merge 2 commits into
base: master
from

Conversation

lrq3000
Contributor

@lrq3000 lrq3000 commented Jun 2, 2021

Description

Resolves: Suggestion by @ThracianKnight1907 at #1915 (comment)

Check List

  • I understand that by not opening an issue about a software/service/similar addition/removal, this pull request will be closed without merging.

  • I have read and understand the contributing guidelines.

  • The project is Free Libre and/or Open Source Software

  • Netlify preview for the mainly edited page:

…op clients than the website

Signed-off-by: Stephen L. <[email protected]>
@lrq3000 lrq3000 requested a review from a team as a code owner June 2, 2021 15:46
freddy-m
freddy-m previously approved these changes Jun 3, 2021
Contributor

@freddy-m freddy-m left a comment


LGTM

@youdontneedtoknow22

I don't understand that point.
Bitwarden would use a malicious JavaScript to get the account password from someone signing IN, because he could have some important passwords saved.
But to sign UP using the client is not important because you already don't have passwords in your account; you're about to make an account.
So the info added should be: Avoid signing in to your Bitwarden account using the browser. Sign up, set up your 2FA and never sign in again. Or am I missing something?

@lrq3000
Contributor Author

lrq3000 commented Jun 9, 2021 via email

@youdontneedtoknow22

youdontneedtoknow22 commented Jun 9, 2021

It's not Bitwarden that is the issue but keyloggers in malicious browser extensions, for example. But yes, I should also add sign in using the app or extension, thank you for the suggestion. On Wed., 9 June 2021 at 02:19, youdontneedtoknow22 @.***> wrote:

If the issue is a keylogger inside the browser, then the whole discussion about the jurisdiction of Bitwarden isn't relevant any more. I believe our friend there was referring to Bitwarden using a malicious JavaScript to steal the login information for a specific user, done by Bitwarden. US companies may be forced to do such a thing (Lavabit and Snowden story).

Tbh I'm neither familiar with keyloggers inside browser add-ons nor Bitwarden (I use KeePassXC and Firefox Lockwise). I installed the Bitwarden add-on and 2 keylogger add-ons (not malicious, their job is literally to log keystrokes inside the browser). Those were:
Tackker: https://addons.mozilla.org/en-US/firefox/addon/tackker-online-keylogger-tool/?utm_source=addons.mozilla.org&utm_medium=referral&utm_content=search
Nifty Keylogger: https://addons.mozilla.org/en-US/firefox/addon/tackker-online-keylogger-tool/?utm_source=addons.mozilla.org&utm_medium=referral&utm_content=search

Tackker could log what I typed in the URL bar and what I typed inside a website. Nifty Keylogger logged only what I typed inside the website.
Both couldn't log what I typed inside the Bitwarden add-on. So I don't believe we should recommend signing in using the add-on for this reason, but rather avoid signing in using the Bitwarden web vault to avoid potential malicious JavaScripts.

@lrq3000
Contributor Author

lrq3000 commented Jun 9, 2021

Yes, the original suggestion was made in the context of Bitwarden being compromised, but this suggestion is also beneficial for other threats such as keyloggers, as you tested, so I think the variety of issues that this tip solves is a good argument to add it. That's why I made this PR :-)

About sign-in, are these keyloggers able to capture passwords autofilled by the Bitwarden plug-in? Because that's why I thought the plug-in was safer, and I intended to add another tip about it.

/EDIT: Oh wow, Tackker on Chrome can indeed capture autofilled passwords. It can also capture copy/pasted credentials.

@lrq3000
Contributor Author

lrq3000 commented Jun 9, 2021

I have updated the tip per our discussion above. Please re-evaluate it.

@youdontneedtoknow22

Yup, I believe this fixes the issue with the potential malicious JavaScripts.

Not relevant to Bitwarden but:
if one wants also to avoid keyloggers and other malicious stuff in Firefox add-ons, they should just use the add-ons with the Recommended badge on them (covers pretty much every aspect, like downloading YouTube videos, blocking ads, sticky notes, etc.). These will always be checked by Mozilla developers, each update of their source code as well. So they would be secure (fewer vulnerabilities and less attack surface) and private (don't have malicious components like keyloggers).
