Add info tooltip for BitWarden to recommend registering through desktop clients #2329
Status: Open
lrq3000 wants to merge 2 commits from lrq3000/bitwarden-tip into master
Reference: privacyguides/privacytools.io#2329
Description
Resolves: Suggestion by @ThracianKnight1907 at https://github.com/privacytools/privacytools.io/issues/1915#issuecomment-628417380
Check List
I understand that by not opening an issue about a software/service/similar addition/removal, this pull request will be closed without merging.
I have read and understand the contributing guidelines.
The project is Free Libre and/or Open Source Software
LGTM
I don't understand that point.
Bitwarden would use malicious JavaScript to get the account password from someone signing IN, because he could have some important passwords saved.
But signing UP using the client is not important, because you don't have any passwords in your account yet; you're about to make an account.
So the info added should be: Avoid signing in to your Bitwarden account using the browser. Sign up, set up your 2FA and never sign in again. Or am I missing something?
It's not Bitwarden that is the issue but keyloggers in malicious browser extensions, for example. But yes, I should also add signing in using the app or extension, thank you for the suggestion.
On Wed, 9 Jun 2021 at 02:19, youdontneedtoknow22 @.***> wrote:
If the issue is a keylogger inside the browser, then the whole discussion about the jurisdiction of Bitwarden isn't relevant any more. I believe our friend there was referring to Bitwarden using malicious JavaScript to steal the login information for a specific user, done by Bitwarden itself. US companies may be forced to do such a thing (Lavabit and Snowden story).
Tbh I'm familiar with neither keyloggers inside browser add-ons nor Bitwarden (I use KeePassXC and Firefox Lockwise). I installed the Bitwarden add-on and 2 keylogger add-ons (not malicious, their job is literally to log keystrokes inside the browser). Those were:
Takker: https://addons.mozilla.org/en-US/firefox/addon/tackker-online-keylogger-tool/?utm_source=addons.mozilla.org&utm_medium=referral&utm_content=search
Nifty Keylogger: https://addons.mozilla.org/en-US/firefox/addon/tackker-online-keylogger-tool/?utm_source=addons.mozilla.org&utm_medium=referral&utm_content=search
Takker could log what I typed in the URL bar and what I typed inside a website. Nifty Keylogger logged only what I typed inside the website.
Neither could log what I typed inside the Bitwarden add-on. So I don't believe we should recommend signing in using the add-on for this reason, but rather advise avoiding signing in using the Bitwarden web vault to avoid potentially malicious JavaScript.
Yes, the original suggestion was made in the context of Bitwarden being compromised, but this suggestion is also beneficial against other threats such as the keyloggers you tested, so I think the variety of issues that this tip addresses is a good argument to add it; that's why I made this PR :-)
About sign-in: are these keyloggers able to capture passwords autofilled by the Bitwarden plug-in? Because that's why I thought the plug-in was safer, and I intended to add another tip about it.
/EDIT: Oh wow, Tackker on Chrome can indeed capture autofilled passwords. It can also capture copy/pasted credentials.
I have updated the tip per our discussion above. Please re-evaluate it.
Yup, I believe this fixes the issue with the potentially malicious JavaScript.
Not relevant to Bitwarden, but:
If one also wants to avoid keyloggers and other malicious stuff in Firefox add-ons, they should just use the add-ons with the Recommended badge on them (covers pretty much every aspect, like downloading YouTube videos, blocking ads, sticky notes, etc.). These are always checked by Mozilla developers, including the source code of each update. So they would be secure (fewer vulnerabilities and less attack surface) and private (no malicious components like keyloggers).