New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Security audit #27

Closed
fredericmohr opened this Issue Jan 19, 2017 · 59 comments

Comments

@fredericmohr
Copy link

fredericmohr commented Jan 19, 2017

Not sure in which repository this belongs, probably in all of them. Bitwarden should get a security audit to find and squash any security issues that might hide somewhere. Obviously there is the problem of financing, so maybe this can be of help. Doesn't hurt to try it, right?

https://blog.mozilla.org/blog/2016/06/09/help-make-open-source-secure/
https://docs.google.com/forms/d/e/1FAIpQLScLwANEOvLBE6gnFVoiamqHOYzzkaChpdQJ7f0PlZGmfyy94w/viewform
https://wiki.mozilla.org/MOSS/Secure_Open_Source

@kspearrin

This comment has been minimized.

Copy link
Collaborator

kspearrin commented Jan 19, 2017

Thanks for the links. We are planning to have a formal audit performed.

If anyone would like to contribute to this in some way, please contact me directly using the contact form on the bitwarden website.

@bcbane

This comment has been minimized.

Copy link

bcbane commented Mar 23, 2017

So how close is Bitwarden to getting a formal security audit?

@kspearrin

This comment has been minimized.

Copy link
Collaborator

kspearrin commented Mar 23, 2017

@bcbane We are currently working to bring many of our paid features online which will allow us to start bringing in cash to fund things like a formal security audit. If all goes as planned, we should definitely have this done at some point this year.

@heyitsanthony

This comment has been minimized.

Copy link

heyitsanthony commented Jun 15, 2017

I noticed two potential issues from looking over the code:

  • SHA1 OAEP as an option, despite SHA1 being regarded as weak
  • AES key exchange isn't using digital signatures; it appears that a malicious server can generate its own AES keys using the client's public key, then pass them back to the user.

/cc @brianredbeard

@kspearrin

This comment has been minimized.

Copy link
Collaborator

kspearrin commented Jun 16, 2017

@heyitsanthony Thanks for having a look.

  • SHA1 is only used in one place throughout the application, as the underlying hash of RSA OAEP padding. My understanding from discussions on this subject is that even though SHA1 on it's own has shown to be weak, it does not weaken the security of RSA OAEP (where it is spec'd as the default function). Further, SHA256 is an option for OAEP (and was actually what we originally implemented), however, we are restricted by the least common denominator of all of the platforms that we support. For example, iOS only supports OAEP with SHA1. Our code is written in a way that we can easily migrate to OAEP with SHA256 once platform support is uniform.
  • Good catch. We should sign the organization key to prevent a bad actor on the server or MITM which could result in encrypting data with a forged key. We'd need to come up with a way to produce a signature from the key exchange that would work in this scenario where user's public keys and the organization's long-term AES key (encrypted) is stored on the server.
@dralley

This comment has been minimized.

Copy link

dralley commented Jun 18, 2017

I don't know how Google's Project Zero picks and chooses their targets for security auditing, but considering they recently did one for LastPass, it might be possible to have them take a look at Bitwarden

@ple103

This comment has been minimized.

Copy link

ple103 commented Jun 18, 2017

https://sakurity.com/securelogin
Free security audit if you implement SecureLogin.

@brianredbeard

This comment has been minimized.

Copy link

brianredbeard commented Jun 18, 2017

@dralley This can be a double edged sword, especially for a small team. Project zero has a few built in control valves to force responsible disclosure. This means the entire Bitwarden team has 90 days to resolve all vulnerabilities before they become 0-days (hence the name).

@ple103 Personally, I would let that bake in a little bit more. The Sakurity team is till working through some of their own UX and security concerns from the community. I look forward to see how it goes in the long run but the guidance Make sure you write down your master password and that you never used this password before. is going to be a challenge for some people to accept.

@kspearrin

This comment has been minimized.

Copy link
Collaborator

kspearrin commented Jun 19, 2017

@heyitsanthony We've added support for HMAC-SHA256 signing org keys with a user's protected "mac key" (half of the 512 bit encKey). See:

5a67df6
bitwarden/web@9a7dac7
bitwarden/browser@8ff336d
bitwarden/mobile@7823ec3

This will authenticate a user's org key each time it is used, so any tampering will result in a failure during decryption. This puts the appropriate infrastructure in place, however, still leaves two scenarios open that we need to fill:

  • Signing the org key after a new user is confirmed (not just for the admin user that created the org).
  • Signing org keys that already exist under the Rsa2048_OaepSha256_B64 and Rsa2048_OaepSha1_B64 enc types. We'll need a migration prompt of some sort for this.

After these scenarios are resolved we can make the mac checks strictly enforced.

@davidkassa

This comment has been minimized.

Copy link

davidkassa commented Aug 3, 2017

I was playing with SonarQube on my fork tonight. Could be a good start, but might just be a bunch of noise. If there's interest, I can clean things up and make a PR. Current report can be seen here: https://sonarcloud.io/dashboard?id=bitwarden-core

@kspearrin

This comment has been minimized.

Copy link
Collaborator

kspearrin commented Aug 4, 2017

@davidkassa Thanks for the scan. I don't really see anything of concern in that report.

@davidkassa

This comment has been minimized.

Copy link

davidkassa commented Aug 4, 2017

@kspearrin

This comment has been minimized.

Copy link
Collaborator

kspearrin commented Aug 4, 2017

@davidkassa I'd be open to it. I created a sonarcloud account and bitwarden organization but I'm not really sure how to use it. We use appveyfor for CI builds.

@davidkassa

This comment has been minimized.

Copy link

davidkassa commented Aug 4, 2017

@petervnv

This comment has been minimized.

Copy link

petervnv commented Sep 16, 2017

This could also be helpful. Not sure you know it yet

https://lgtm.com/projects/g/bitwarden/browser/

@kspearrin

This comment has been minimized.

Copy link
Collaborator

kspearrin commented Sep 16, 2017

Some news on this front, bitwarden is now working with researchers on HackerOne to find vulnerabilities in the platform. Our program is currently private but will enter public status soon. We've already resolved a few minor issues found by researchers there so far.

@Moxville

This comment has been minimized.

Copy link

Moxville commented Sep 19, 2017

some links I came across (might be useful)

Security Automation and Risk Management for Open-Source Code
https://www.sourceclear.com/

Node Security Platform
https://nodesecurity.io/

Synk
https://snyk.io/

@kspearrin kspearrin changed the title Bitwarden security audit Security audit Oct 2, 2017

@kspearrin

This comment has been minimized.

Copy link
Collaborator

kspearrin commented Oct 2, 2017

Our HackerOne program has now gone public: https://hackerone.com/bitwarden

@stefanmaric

This comment has been minimized.

Copy link

stefanmaric commented Oct 2, 2017

Our HackerOne program has now gone public: https://hackerone.com/bitwarden

This is awesome news! Are you planning on a blog post or something? I think this is worth of some diffusion. Some background on how it works and what does this mean for the project, the company, etc and sharing on HN, Reddit, etc.

@stefanmaric

This comment has been minimized.

Copy link

stefanmaric commented Oct 2, 2017

This is awesome news! Are you planning on a blog post or something? I think this is worth of some diffusion. Some background on how it works and what does this mean for the project, the company, etc and sharing on HN, Reddit, etc.

Nevermind: https://blog.bitwarden.com/bitwarden-launches-on-hackerone-a8acda73b1c1

@Moxville

This comment has been minimized.

Copy link

Moxville commented Oct 12, 2017

High-Tech Bridge is launching a free 'Mobile X-Ray' service for developers that analyses native and hybrid iOS and Android apps and detects the most common weakness and vulnerabilities.
Just upload your iOS or Android mobile app to start a DAST, SAST and behavioral audit for OWASP Mobile Top 10 and other vulnerabilities.
https://www.htbridge.com/mobile/

@Moxville

This comment has been minimized.

Copy link

Moxville commented Oct 27, 2017

Check websites for security and performance issues with Sonar (might come in handy)
Microsoft's Edge development team launched a new open source website scanner called Sonar yesterday which tests websites for security and performance issues.
https://sonarwhal.com/
https://sonarwhal.com/scanner/

Scanner throws some errors for "https://vault.bitwarden.com/"
https://sonarwhal.com/scanner/7e565752-f659-4a25-9f03-d104b4e6fa2b

@kspearrin

This comment has been minimized.

Copy link
Collaborator

kspearrin commented Jan 18, 2018

@paragonie-scott Please open new issues in the appropriate repos if you think you have found something. Or you can email us privately. This issue is to discuss the need for a security audit and I don’t want it getting filled up with additional comments and discussion related to potential vulnerabilities.

@paragonie-scott

This comment has been minimized.

Copy link

paragonie-scott commented Jan 18, 2018

I didn't see that you had a HackerOne program until just now. I sent the full details of the vulnerability/exploit there and deleted my comments above.

Sorry for the confusion here.

@kspearrin

This comment has been minimized.

Copy link
Collaborator

kspearrin commented Jan 18, 2018

Since many people watch this thread I just wanted to post a follow up that the potential vulnerability mentioned by @paragonie-scott earlier in this thread (which he subsequently removed) turned out not to be an issue and the related HackerOne report was closed. Though we did end up having some good discussion on the crypto implementations.

@MarcReckel

This comment has been minimized.

Copy link

MarcReckel commented Jan 18, 2018

2017 is done, any status update on this? get some quotes and open some kind of "gofundme". It should help you getting there ;)

i can only speak for myself but i would participate if there is a clear goal in terms of money needed.

Best regards

@mike-of-earth

This comment has been minimized.

Copy link

mike-of-earth commented Jan 27, 2018

I am looking for a cross-platform solution to replace the password manager I currently use. I would gladly pay a 'license' fee for a product like this that undergoes a review once and a while.

@JSN190

This comment has been minimized.

Copy link

JSN190 commented Feb 10, 2018

Echoing the sentiment here. The only thing that could entice me even more is a full audit.

@paragonie-scott

This comment has been minimized.

Copy link

paragonie-scott commented Apr 12, 2018

I have zero interest in paying for the audit. I'd open my wallet after they pass the audit, when I would subscribe.

Paying for an audit is a tall order for any one person. Would you contribute to a crowd-fund?

@rodalpho

This comment has been minimized.

Copy link

rodalpho commented Apr 13, 2018

Heh, clever. Of course I meant I wouldn't contribute towards an audit either. Bitwarden is a commercial entity with a business model. I don't donate to for-profit businesses, I buy goods and services from them.

But that's just me, other people have said they would do so.

@eitland

This comment has been minimized.

Copy link

eitland commented May 23, 2018

Heh, clever. Of course I meant I wouldn't contribute towards an audit either.

I find you unreasonably negative. Bitwarden is mostly open source and I think both I and others find it useful to sometimes contribute to products that I don't use (yet).

FWIW Scott that you replied to is a professional security researcher and it seems he's already spent some unpaid time on the code.

@rodalpho

This comment has been minimized.

Copy link

rodalpho commented May 25, 2018

I would consider contributing if the project was developed and run by a non-profit foundation like Kodi and Apache. That is not the case. I don't contribute to for-profit enterprises, and am frankly amused that you think it's unreasonable.

RedHat Enterprise Linux is open-source also. Would you donate to RedHat? How about Oracle, would you open your heart and donate to Larry Ellison's Lamborghini fund because they develop MySQL?

@MichaelTunnell

This comment has been minimized.

Copy link

MichaelTunnell commented Jun 22, 2018

RedHat Enterprise Linux is open-source also. Would you donate to RedHat? How about Oracle, would you open your heart and donate to Larry Ellison's Lamborghini fund because they develop MySQL?

There is a big difference between helping out a small company trying to do something incredibly beneficial for the Open Source community such as providing an easy-to-use open source password manager for the masses . . . comparing to BILLION DOLLAR corporations.

@imakiro

This comment has been minimized.

Copy link

imakiro commented Jul 9, 2018

Where is the project on the audit side of things? did you get quotes? set up a crowfunding?
We want to move to bitwarden from Lastpass but need an audit to be done for the solution to be qualified as mature...

@indolering

This comment has been minimized.

Copy link

indolering commented Jul 10, 2018

I would consider contributing if the project was developed and run by a non-profit foundation

Can we stop responding to people who don't understand the economics of OSS software?

don't know how feasible that is, though, or if gofundme is the right platform.

I opened a ticket for BountySource integration, which would would enable collaborative funding for any GitHub ticket.

@indolering

This comment has been minimized.

Copy link

indolering commented Jul 10, 2018

@kspearrin The first step is to write out an informal security model. Have you done this?

@devonjohnjames

This comment has been minimized.

Copy link

devonjohnjames commented Jul 15, 2018

Security audits are very expensive. Crowdfunding would make perfectly sense but the question is if security audit companies allow Bitwarden to even talk about prices. I know some forbid it...

@kspearrin

This comment has been minimized.

Copy link
Collaborator

kspearrin commented Jul 17, 2018

We are currently in early discussions with Cure53 about completing an audit. If anyone has suggestions of other agencies, please list them and we'll consider reaching out to them as well.

@squirrelboot

This comment has been minimized.

Copy link

squirrelboot commented Aug 1, 2018

Just throwing that out there.. I'm willing to donate to have the security audit done. It's important to me that something I rely on this much, be as secure as it can be. Thanks.

@Moxville

This comment has been minimized.

Copy link

Moxville commented Aug 4, 2018

OSTIF has done audits on VeraCrypt, OpenVPN, etc.
https://ostif.org/

@sjvs

This comment has been minimized.

Copy link

sjvs commented Aug 6, 2018

Hi guys — Sorry for being a bit late to the party! I've just added bitwarden/core to the C# beta on LGTM.com: https://lgtm.com/projects/g/bitwarden/core/alerts

The best way (IMHO) to use LGTM, is by enabling automatic code review for pull requests. Here's an example of how that works for the team at Google (+ community) for AMPHTML: ampproject/amphtml#13060, and NASA use it for their Open-MBEE project, e.g.: Open-MBEE/mdk#105. You can enable automatic code review here: https://lgtm.com/projects/g/bitwarden/core/ci/

Any questions / suggestions / comments: give me a shout! (Full disclosure: I'm part of the team that built LGTM.com 🙂)

@sjvs

This comment has been minimized.

Copy link

sjvs commented Aug 6, 2018

Oh, and while I'm at it — here are the results for bitwarden/mobile: https://lgtm.com/projects/g/bitwarden/mobile/alerts/

@MichaelTunnell

This comment has been minimized.

Copy link

MichaelTunnell commented Aug 6, 2018

I haven't heard of this service before, that is very cool. Thanks for sharing and setting this up. Hopefully this will help the audit. 👍

Note: for those who haven't heard of this and are curious what LGTM stands for as I was . . . LGTM = "Looks Good To Me"

@sjvs

This comment has been minimized.

Copy link

sjvs commented Aug 7, 2018

You're welcome, @MichaelTunnell — glad to have you on board!

Someone pointed out @petervnv's comment in this issue (now a year ago) out to me, so it seemed worth setting this up. Let me know what you think!

Note that you can add your own open source projects to LGTM if you like. Just log in with Google or GitHub (or create an account), and go to "My Projects". If you have a large number of projects you'd like to add: just drop me a note and I'll do them all in one go.

@Moxville

This comment has been minimized.

Copy link

Moxville commented Aug 9, 2018

WhiteSource
https://www.whitesourcesoftware.com/
Free tool checks for critical open source vulnerabilities

@kspearrin

This comment has been minimized.

Copy link
Collaborator

kspearrin commented Aug 17, 2018

We are scheduled with Cure53 for later this year to perform a complete audit of the backend server (core), web vault, desktop apps, browser extensions, and jslib (the library that powers most of our client apps).

@rodalpho

This comment has been minimized.

Copy link

rodalpho commented Aug 17, 2018

Very good news! I look forward to switching to Bitwarden once this is complete.

@Fwardalonious

This comment has been minimized.

Copy link

Fwardalonious commented Aug 19, 2018

Been waiting on this security audit to switch over, glad to hear it's coming soon.

@lordraiden

This comment has been minimized.

Copy link

lordraiden commented Sep 21, 2018

We are scheduled with Cure53 for later this year to perform a complete audit of the backend server (core), web vault, desktop apps, browser extensions, and jslib (the library that powers most of our client apps).

Any news on when it will be done? will the results be public?
Waiting for it, in order to propose it in my organization

@JackHyland

This comment has been minimized.

Copy link

JackHyland commented Oct 9, 2018

Currently waiting for the security audit to buy my premium subscription... any update? Also is there a gofundme? I love the idea of bitwarden

@indolering

This comment has been minimized.

Copy link

indolering commented Oct 20, 2018

Let me know if I can be of assistance, I would love to work with Cure53!

@kspearrin

This comment has been minimized.

Copy link
Collaborator

kspearrin commented Nov 12, 2018

An audit has been completed. See here:

https://blog.bitwarden.com/bitwarden-completes-third-party-security-audit-c1cc81b6d33

@kspearrin kspearrin closed this Nov 12, 2018

@paragonie-scott

This comment has been minimized.

Copy link

paragonie-scott commented Nov 12, 2018

See #392 for follow-up regarding the solution to one of Cure53's findings.

@steamp0rt

This comment has been minimized.

Copy link

steamp0rt commented Nov 12, 2018

👏

@timemaster67

This comment has been minimized.

Copy link

timemaster67 commented Nov 15, 2018

You can view Cure53 original report on their website from either the Publication section, or this direct link
https://cure53.de/pentest-report_bitwarden.pdf

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment