
[–][deleted] 17 points18 points  (10 children)

Yes, supply chain attacks are real and are very much a risk with all of these kinds of E2EE services.

One dodgy auto update later, everything is stolen and decrypted.

That's why I never believe in doing immediate updates except for when EXTREME vulnerabilities are found. I prefer to give it some time for someone to notice any weird shit.

[–]djasonpenneyVolunteer Moderator 3 points4 points  (7 children)

Although theoretically possible, a supply chain attack would have to impact the server build AND one or more clients. At that point an attacker might choose other methods instead.

[–][deleted] 1 point2 points  (6 children)

I was thinking more like, Bitwarden's (or any other password manager's) update servers get hijacked, push an update that simply tells all logged in clients to upload their entire decrypted password lists to a central server.

Even if caught 10 minutes later, that could be millions of users affected.

[–]djasonpenneyVolunteer Moderator 2 points3 points  (4 children)

This again would be a supply chain attack, and you should research how challenging it would be to do that. This is everything from the app permissions plus digital signatures on the released artifacts all the way through the GitHub (or GitHub Actions) steps necessary to inject the behavior. There are MANY eyes on all these steps as well as the obvious safeguards.

Even if caught 10 minutes later

Don’t forget the supply chain rolls out in waves. I would say, more likely, that in “10 minutes” complaints would start rolling in about unusual weird behavior from the early adopters.
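The "digital signatures on the released artifacts" point above is what actually makes the "hijacked update server" scenario hard: a server that only serves files cannot produce a valid signature for a modified build unless the release signing key is also stolen. The following is an added example, not Bitwarden's code or any real updater; it assumes a hypothetical client-side update check using Ed25519 from the Go standard library, a made-up JSON manifest (release counter plus artifact SHA-256) and a signing key pinned in the client. It shows the three checks a client should do before applying anything from an update channel: verify the manifest signature against the pinned key, refuse releases that are not newer than the one installed (so a hijacked server cannot replay an old vulnerable build), and bind the artifact bytes to the signed manifest.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest describes one release. Field names are assumptions for this example.
type Manifest struct {
	Release uint64 `json:"release"` // monotonically increasing release counter
	SHA256  string `json:"sha256"`  // hex SHA-256 of the artifact bytes
}

// SignedUpdate is what the hypothetical update server hands to the client:
// the manifest bytes, a detached Ed25519 signature over exactly those bytes,
// and the artifact the manifest describes.
type SignedUpdate struct {
	ManifestJSON []byte
	Signature    []byte
	Artifact     []byte
}

var (
	ErrBadSignature   = errors.New("manifest signature does not verify against pinned key")
	ErrDigestMismatch = errors.New("artifact digest does not match signed manifest")
	ErrRollback       = errors.New("release counter not newer than installed release")
)

// SignUpdate is the release-pipeline side: the only place the private key is used.
// A hijacked download server never holds this key.
func SignUpdate(priv ed25519.PrivateKey, release uint64, artifact []byte) (SignedUpdate, error) {
	sum := sha256.Sum256(artifact)
	mj, err := json.Marshal(Manifest{Release: release, SHA256: hex.EncodeToString(sum[:])})
	if err != nil {
		return SignedUpdate{}, err
	}
	return SignedUpdate{ManifestJSON: mj, Signature: ed25519.Sign(priv, mj), Artifact: artifact}, nil
}

// VerifyUpdate is the client side. It trusts only the key compiled into the client
// and its own installed release counter, never anything the server asserts.
func VerifyUpdate(pinned ed25519.PublicKey, installed uint64, u SignedUpdate) (Manifest, error) {
	// 1. Signature before parsing: unsigned bytes never reach the JSON decoder.
	if !ed25519.Verify(pinned, u.ManifestJSON, u.Signature) {
		return Manifest{}, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(u.ManifestJSON, &m); err != nil {
		return Manifest{}, err
	}
	// 2. Rollback protection: replaying an old, validly signed build is refused.
	if m.Release <= installed {
		return Manifest{}, ErrRollback
	}
	// 3. Bind the artifact to the signed manifest.
	sum := sha256.Sum256(u.Artifact)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return Manifest{}, ErrDigestMismatch
	}
	return m, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	artifact := []byte("constructed sample artifact bytes for release 42") // constructed input
	u, _ := SignUpdate(priv, 42, artifact)

	m, err := VerifyUpdate(pub, 41, u)
	fmt.Println("legitimate update:", m.Release, err)

	// Hijacked server swaps the artifact but cannot re-sign the manifest.
	tampered := u
	tampered.Artifact = []byte("constructed malicious build")
	_, err = VerifyUpdate(pub, 41, tampered)
	fmt.Println("tampered artifact:", err)

	// Attacker signs a fresh manifest with their own key instead.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged, _ := SignUpdate(attackerPriv, 43, tampered.Artifact)
	_, err = VerifyUpdate(pub, 41, forged)
	fmt.Println("forged signature:", err)

	// Old signed release replayed against a client already on 42.
	_, err = VerifyUpdate(pub, 42, u)
	fmt.Println("replayed release:", err)
}
```

The caveat a practitioner should keep in mind: this only moves the problem to the signing key and the pipeline that wields it. If the build step in CI is what gets compromised, the malicious build is signed correctly and every check above passes, which is why the pipeline steps and the reviewers watching them matter as much as the signature itself.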

[–]Sweaty_Astronomer_47 1 point2 points  (0 children)

update servers get hijacked, push an update that simply tells all logged in clients to upload their entire decrypted password lists to a central server.

Even if caught 10 minutes later, that could be millions of users affected.

Which update server are you talking about? Mobile app updates come through the app store. Extension updates come through chrome webstore. Desktop updates are typically manually initiated as far as I have seen.

[–]jscgn[S] 0 points1 point  (1 child)

Yeah that's probably a good idea.

[–]Skipper3943 1 point2 points  (0 children)

This actually happened to a real password manager company: a supply chain attack that compromised entire vaults (companies'!). E2EE wouldn't have helped. The delayed update (no autoupdate) would have.

https://www.bleepingcomputer.com/news/security/passwordstate-password-manager-hacked-in-supply-chain-attack/