Bitwarden: Difference between revisions
m →Products: added a product |
m →Quiet changes (2026): replaced with actual roman numerals |
| (19 intermediate revisions by 2 users not shown) | |||
| Line 5: | Line 5: | ||
|Logo=Bitwarden logo.webp | |Logo=Bitwarden logo.webp | ||
|CompanyAlias=Bitwarden, Inc. | |CompanyAlias=Bitwarden, Inc. | ||
|Website=https://bitwarden.com, https://bitwarden.eu | |Website=https://bitwarden.com, https://bitwarden.eu, https://passwordless.dev | ||
}} | }} | ||
Bitwarden is an American software company, incorporated in Delaware and with headquarters in Santa Barbara, California.<ref>{{Cite web |title=Division of Corporations |url=https://icis.corp.delaware.gov/ecorp/entitysearch/NameSearch.aspx |url-status=live |website=icis.corp.delaware.gov |quote=File Number: 7654941}}</ref><ref>{{Cite web |title=Business Search |url=https://bizfileonline.sos.ca.gov/search/business |url-status=live |website=bizfileonline.sos.ca.gov |quote=BITWARDEN INC. (4612828)}}</ref> Its main product is the eponymous password manager. | [[wikipedia:Bitwarden|Bitwarden]] is an American software company, incorporated in Delaware and with headquarters in Santa Barbara, California.<ref>{{Cite web |title=Division of Corporations |url=https://icis.corp.delaware.gov/ecorp/entitysearch/NameSearch.aspx |url-status=live |website=icis.corp.delaware.gov |quote=File Number: 7654941}}</ref><ref>{{Cite web |title=Business Search |url=https://bizfileonline.sos.ca.gov/search/business |url-status=live |website=bizfileonline.sos.ca.gov |quote=BITWARDEN INC. (4612828)}}</ref> Its main product is the eponymous password manager. | ||
==Consumer-impact summary== | ==Consumer-impact summary== | ||
In 2026, Bitwarden's longtime CEO and its CFO were both replaced. The company made no official announcement of either change. Shortly after, the phrase "Always free", which had been on the company's product site for years, disappeared, sparking concern among some users. A [[Reddit]] user, reported to be a Bitwarden employee, stated in a comment that this had been a simple oversight. The comment was not well received by other users, many of whom expressed disbelief and distrust; some also stated that they would start looking for alternative password managers. In addition, the company's acronym GRIT, which had been used to describe its "company culture for years", had been quietly changed. (See: [[Bitwarden#Quiet changes (2026)|Quiet changes (2026)]].) | |||
From 2018 to 2023, the company had been aware of a security vulnerability in its autofill feature, had documented it and assigned it an identifier, but chose to tolerate it in order to accommodate legitimate sites that used iframes (the risk was reported to be "very low"). In 2023, the company resolved the matter. (See: [[Bitwarden#Autofill vulnerability (2018-2023)|Autofill vulnerability (2018-2023)]].) | |||
In April 2026, Bitwarden's CLI NPM package was found to have included a "credential-stealing payload." Only users of this CLI package were affected. (See: [[Bitwarden#Malicious @bitwarden/cli (NPM) package (2026)|Malicious @bitwarden/cli (NPM) package (2026)]].) | |||
==Incidents== | ==Incidents== | ||
{{ | ===Autofill vulnerability (2018-2023)=== | ||
The autofill feature in Bitwarden's browser extension contained "risky-behavior" that could "allow malicious iframes embedded in trusted websites to steal people's credentials and send them to an attacker."<ref name="bc">{{Cite web |first=Bill |last=Toulas |date=2023-03-08 |title=Bitwarden flaw can let hackers steal passwords using iframes |url=https://www.bleepingcomputer.com/news/security/bitwarden-flaw-can-let-hackers-steal-passwords-using-iframes/ |url-status=live |website=bleepingcomputer.com |archive-url=https://web.archive.org/web/20260515233256/https://www.bleepingcomputer.com/news/security/bitwarden-flaw-can-let-hackers-steal-passwords-using-iframes/ |archive-date=2026-05-15 |access-date=2026-06-28}}</ref> ("According to the Mozilla HTML documentation the <iframe> HTML element represents a nested browsing context, embedding another HTML page into the current one.")<ref name="fp">{{Cite web |date=2023-03-07 |author=Flashpoint Intel Team |title=Bitwarden: The Curious (Use-)Case of Password Pilfering |url=https://flashpoint.io/blog/bitwarden-password-pilfering/ |url-status=live |website=flashpoint.io |archive-url=https://web.archive.org/web/20260516015310/https://flashpoint.io/blog/bitwarden-password-pilfering/ |archive-date=2026-05-16 |access-date=2026-06-28}}</ref> | |||
Reportedly, Bitwarden had been aware of this since 2018 (documented as BWN-01-001<ref name="fp" />), but tolerated it to "accommodate legitimate sites that use iframes." Although the feature was disabled by default, there were still sites on which this could be exploited. With autofill enabled, Bitwarden's browser extension filled in credentials automatically when a page loaded, without the user having to intervene in the process.<ref name="bc" /><blockquote>'While the embedded iframe does not have access to any content in the parent page, it can wait for input to the login form and forward the entered credentials to a remote server without further user interaction,' explains Flashpoint.<ref name="bc" /></blockquote>Reportedly, the "number of risky cases was very low." While investigating this, it was also discovered that autofill filled in credentials "on subdomains of the base domain matching a login. This means an attacker hosting a phishing page under a subdomain that matches a stored login for a given base domain will capture the credentials upon the victim visiting the page if autofill is enabled."<ref name="bc" /> In 2023, it was reported that Bitwarden<blockquote>decided to address user concerns by eliminating the iframe attack vector while keeping the autofill functionality intact.</blockquote><ref name="bc" /> | |||
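The two matching behaviours described above (filling any frame once the top-level page matches, and matching on the base domain rather than the exact host) can be contrasted with a stricter policy in a few lines. The following is an added illustration written for this article, not Bitwarden's extension code; the hostnames, the `baseDomain` helper (which ignores the Public Suffix List) and the page contexts are all constructed assumptions.

```javascript
// Added illustration, not Bitwarden's code: two autofill decision policies
// compared on constructed page contexts.
//
// A stored login is identified here by the hostname it was saved for
// (a simplification of a full URL match).
// laxShouldAutofill reproduces the two behaviours the article describes:
// it compares only the top-level page against the stored login, on the
// base domain rather than the exact host, and it fills every frame on
// the page once the top-level page matches.
// strictShouldAutofill fills only when the frame holding the form has
// exactly the stored host and is either the top-level document itself or
// is embedded by a page with that same host.

// Simplified base-domain extraction: the last two labels. Real code needs
// the Public Suffix List (otherwise "example.co.uk" collapses to "co.uk");
// this is an illustrative assumption only.
function baseDomain(hostname) {
  return hostname.toLowerCase().split('.').slice(-2).join('.');
}

// context: { frameHost, topHost, isTopFrame }
//   frameHost  - host of the document that contains the login form
//   topHost    - host of the top-level page
//   isTopFrame - true when the form is in the top-level document
function laxShouldAutofill(storedHost, context) {
  return baseDomain(context.topHost) === baseDomain(storedHost);
}

function strictShouldAutofill(storedHost, context) {
  const stored = storedHost.toLowerCase();
  if (context.frameHost.toLowerCase() !== stored) return false;
  if (context.isTopFrame) return true;
  // Embedded frame: require the embedding page to have the same host too.
  return context.topHost.toLowerCase() === stored;
}

// Constructed scenarios (not taken from any real site).
const STORED_HOST = 'login.example.com';
const SCENARIOS = {
  // The page the login was saved for.
  topLevelSameHost: { frameHost: 'login.example.com', topHost: 'login.example.com', isTopFrame: true },
  // A same-host iframe on that page (a legitimate embedded login widget).
  sameHostFrame:    { frameHost: 'login.example.com', topHost: 'login.example.com', isTopFrame: false },
  // A cross-origin iframe embedded in the trusted page.
  crossOriginFrame: { frameHost: 'widgets.third-party.test', topHost: 'login.example.com', isTopFrame: false },
  // A different subdomain of the same base domain, loaded as the top page.
  siblingSubdomain: { frameHost: 'other.example.com', topHost: 'other.example.com', isTopFrame: true },
};

// Evaluate both policies over every scenario; returns
// { scenarioName: { lax: bool, strict: bool } }.
function evaluatePolicies(storedHost = STORED_HOST, scenarios = SCENARIOS) {
  const results = {};
  for (const [name, ctx] of Object.entries(scenarios)) {
    results[name] = {
      lax: laxShouldAutofill(storedHost, ctx),
      strict: strictShouldAutofill(storedHost, ctx),
    };
  }
  return results;
}

// Names of scenarios where the lax policy fills but the strict one does not:
// these are exactly the cases the article describes as risky.
function laxOnlyFills(results = evaluatePolicies()) {
  return Object.keys(results).filter((n) => results[n].lax && !results[n].strict);
}

console.table(evaluatePolicies());
console.log('filled only by the lax policy:', laxOnlyFills());
```

Running the block prints a table of both policies' decisions; the two scenarios that only the lax policy fills are the cross-origin frame inside a trusted page and the sibling subdomain, matching the two cases the reporting above describes. The strict policy still fills the same-host iframe, which is the kind of legitimate use the lax rule was meant to accommodate.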
===Malicious @bitwarden/cli (NPM) package (2026)=== | |||
In April 2026, it was revealed that Bitwarden's {{Wplink|Command-line interface|CLI}} package, distributed via {{Wplink|npm}}, included a "credential-stealing payload." Reportedly, the only affected users were users of the CLI package, not Bitwarden users in general.<ref>{{Cite web |first=Davey |last=Winder |date=2026-04-24 |title=Bitwarden Confirms Compromise—Here Are The Facts |url=https://www.forbes.com/sites/daveywinder/2026/04/24/bitwarden-confirms-compromise-here-are-the-facts-for-10-million-users/ |url-status=live |website=forbes.com |archive-url=https://ghostarchive.org/archive/DTGH8 |archive-date=2026-06-27}}</ref> The package also reportedly contained the string "Shai-Hulud: The Third Coming", "Shai-Hulud" referring to a {{Wplink|computer worm}}.<ref>{{Cite web |first=Justin |last=Moore |date=2025-11-25 |title="Shai-Hulud" Worm Compromises npm Ecosystem in Supply Chain Attack |url=https://unit42.paloaltonetworks.com/npm-supply-chain-attack/ |url-status=live |website=unit42.paloaltonetworks.com |archive-url=https://ghostarchive.org/archive/bzU3J |archive-date=2026-06-27}}</ref> It was also reported that: <blockquote>OX Security has observed real user information leaked by the malware. The infection is likely to spread further across NPM and GitHub as more machines are compromised over time. | |||
The malware’s origin is potentially Russian — it does not execute if the Russian language is configured on the host machine.<ref name="ox">{{Cite web |title=Shai-Hulud: The Third Coming — Bitwarden CLI Backdoored in Latest Supply Chain Campaign |author=Siman Tov Bustan |author2=Zadok |date=2026-04-23 |url=https://www.ox.security/blog/shai-hulud-bitwarden-cli-supply-chain-attack/ |url-status=live |website=ox.security |archive-url=https://ghostarchive.org/archive/BjGFQ |archive-date=2026-06-27}}</ref></blockquote> | |||
===Quiet changes (2026)=== | |||
====Always free==== | |||
The longtime CEO, Michael Crandell, has been in an "advisory role" since February. In addition, Bitwarden's CFO was replaced in April. There was no official announcement of either change. Bitwarden's free plan on its product page included the phrases "Free Forever" and "Always free."<ref name="souray" /> These phrases are present even in the Wayback Machine's oldest archive (2022-06-25) of Bitwarden's product site.<ref>{{Cite web |title=The Bitwarden Password Manager |archive-date=2022-06-25 |url=https://bitwarden.com/products/personal/ |archive-url=https://web.archive.org/web/20220625012714/https://bitwarden.com/products/personal/ |url-status=live |website=bitwarden.com}}</ref> | |||
<gallery> | |||
File:Bitwarden20260414.webp|alt=(Ⅰ) Bitwarden product page Wayback machine on 2026-04-14|right|(Ⅰ) Bitwarden product page Wayback machine on 2026-04-14 | |||
File:Bitwarden20260418.webp|alt=(Ⅱ) Bitwarden product page Wayback machine on 2026-04-18|right|(Ⅱ) Bitwarden product page Wayback machine on 2026-04-18 | |||
File:Bitwarden20260515.webp|alt=(Ⅲ) Bitwarden product page Wayback machine on 2026-05-15|right|(Ⅲ) Bitwarden product page Wayback machine on 2026-05-15 | |||
File:Bitwarden20260519.webp|alt=(Ⅳ) Bitwarden product page Wayback machine on 2026-05-19|right|(Ⅳ) Bitwarden product page Wayback machine on 2026-05-19 | |||
</gallery> | |||
"Always free" reportedly disappeared from the site in April.<ref name="souray">{{Cite web |first=Souray |last=Rudra |date=2026-05-19 |title=Things Are Quietly Changing at Bitwarden, and People Are Worried |url=https://itsfoss.com/news/bitwarden-quiet-changes/ |url-status=live |website=itsfoss.com |archive-url=https://ghostarchive.org/archive/jmqHZ |archive-date=2026-06-27}}</ref> The archives from April, (Ⅰ) and (Ⅱ), reveal that the phrase disappeared sometime between 2026-04-14 (left on image Ⅰ) and 2026-04-18 (bottom on image Ⅱ). The archives from May, (Ⅲ) and (Ⅳ), reveal that it came back sometime between 2026-05-15 (bottom left on image Ⅲ) and 2026-05-19 (bottom left on image Ⅳ).<ref>{{Cite web |title=Best Free & Premium Password Manager |archive-date=2026-04-14 |url=https://bitwarden.com/products/personal/ |archive-url=https://web.archive.org/web/20260414143347/https://bitwarden.com/products/personal/ |url-status=live |website=bitwarden.com}}</ref><ref>{{Cite web |title=Best Free & Premium Password Manager |archive-date=2026-04-18 |url=https://bitwarden.com/products/personal/ |archive-url=https://web.archive.org/web/20260418162818/https://bitwarden.com/products/personal/ |url-status=live |website=bitwarden.com}}</ref><ref>{{Cite web |title=Best Free & Premium Password Manager |archive-date=2026-05-15 |url=https://bitwarden.com/products/personal/ |archive-url=https://web.archive.org/web/20260515190646/https://bitwarden.com/products/personal/ |url-status=live |website=bitwarden.com}}</ref><ref>{{Cite web |title=Best Free & Premium Password Manager |archive-date=2026-05-19 |url=https://bitwarden.com/products/personal/ |archive-url=https://web.archive.org/web/20260519164353/https://bitwarden.com/products/personal/ |url-status=live |website=bitwarden.com}}</ref> A Reddit user by the name of "Ryan_BW", reportedly a Bitwarden employee,<ref name="souray" /> posted a comment addressing the issue on 2026-05-15, stating that:<blockquote>I would like to share that "always free" has been brought back to the pricing page. There was no specific intention to remove that language from the website while pages were being updated. Simply an oversight on the marketing team (myself included).</blockquote>The comment was met with several negative replies from other Redditors.<ref>{{Cite web |author=Ryan_BW |date=2026-05-15 |title=Ryan_BW comments on FastCompany: intriguing corporate gossip about Bitwarden |url=https://www.reddit.com/r/Bitwarden/comments/1tdvnh7/comment/olznwcv/ |url-status=live |website=reddit.com |archive-url=https://ghostarchive.org/archive/MPAhX |archive-date=2026-06-27}}</ref> | |||
====GRIT==== | |||
=== | <blockquote>Bitwarden has used the GRIT acronym to describe its company culture for years, standing for Gratitude, Responsibility, Inclusion, and Transparency.</blockquote>In the Wayback Machine's archive from 2026-03-14, the original expansion of the acronym was still unchanged on Bitwarden's blog.<ref>{{Cite web |title=Defining and sustaining value for Bitwarden users |first=Michael |last=Crandell |orig-date=2022-06-08 |archive-date=2026-03-14 |url=https://bitwarden.com/blog/defining-and-sustaining-value-for-bitwarden-users/ |archive-url=https://web.archive.org/web/20260314030243/https://bitwarden.com/blog/defining-and-sustaining-value-for-bitwarden-users/ |url-status=live |website=bitwarden.com}}</ref> | ||
<blockquote>At some point after that, they were quietly changed. GRIT now stands for Gratitude, Responsibility, Innovation, and Trust.</blockquote><ref name="souray" /> The original blog post was also updated, so that it now includes the new version of the acronym.<ref name="souray" /><ref>{{Cite web |date=2022-06-08 |first=Michael |last=Crandell |title=Defining and sustaining value for Bitwarden users |url=https://bitwarden.com/blog/defining-and-sustaining-value-for-bitwarden-users/#bitwarden-operates-with-grit |url-status=live |website=bitwarden.com |archive-url=https://ghostarchive.org/archive/Iek3a |archive-date=2026-06-27}}</ref> | |||
=== | |||
... | |||
==Products== | ==Products== | ||
*Bitwarden password manager | *Bitwarden password manager | ||
*Passwordless.dev | |||
*Bitwarden Secrets Manager | |||
==See also== | ==See also== | ||
*[[LastPass]] | |||
*[[1Password]] | |||
*[[Google password manager overrides third-party autofill]] | |||
*[[NordVPN]] | |||
==References== | ==References== | ||