Security problem? #352

Closed
opened 2026-02-04 19:51:34 +03:00 by OVERLORD · 8 comments

Originally created by @Basti77 on GitHub (Jul 30, 2019).

I have been using bitwarden_rs for two weeks.
My credit card details were also stored there.
3 days ago I made an unauthorized purchase on my card.
Because I noticed it early enough, there was no damage.
Coincidence?

But my trust in bitwarden is gone.
My Pi cannot be reached directly via the Internet, only via VPN.
Browser plugins for Chrome and Firefox were used.
How can I analyze the thing more exactly where the data disappeared?

OVERLORD added the question label 2026-02-04 19:51:34 +03:00

@dani-garcia commented on GitHub (Jul 30, 2019):

I seriously doubt someone would have specifically targeted your bitwarden_rs instance, even more so if it isn't even directly available from the internet. The information is encrypted and is only really decrypted on the clients.

I'd focus my attention on two fronts:

  • Which other third parties had access to the credit card info: merchants and shops that might have had data leaks recently.
  • Make sure the clients that access the bitwarden_rs server are malware free and that there aren't any database exports saved in plain text.
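
One way to act on the second point above (looking for vault exports saved in plain text), as an added example that is not part of the thread or of bitwarden_rs. The JSON field layout, the two regexes and all function names are assumptions; the scan reports counts only and never echoes a secret.

```python
import json
import re
import tempfile
from pathlib import Path

# Assumed layout of an unencrypted Bitwarden JSON export: a top-level "items" list,
# card number in item["card"]["number"], login secret in item["login"]["password"].
PAN = re.compile(r"^[\d -]{12,23}$")  # readable card number
CIPHER = re.compile(r"^\d\.[A-Za-z0-9+/=]+(\|[A-Za-z0-9+/=]+){1,2}$")  # "2.iv|ct|mac"

def _field(item, section, key):
    sub = item.get(section) if isinstance(item, dict) else None
    return sub.get(key) if isinstance(sub, dict) else None

def classify(path):
    """Return (plain_cards, plain_logins) for an export-like file, else None."""
    try:
        data = json.loads(Path(path).read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return None
    items = data.get("items") if isinstance(data, dict) else None
    if not isinstance(items, list):
        return None
    cards = logins = 0
    for item in items:
        number, password = _field(item, "card", "number"), _field(item, "login", "password")
        if isinstance(number, str) and PAN.match(number):
            cards += 1
        if isinstance(password, str) and password and not CIPHER.match(password):
            logins += 1
    return cards, logins

def find_plaintext_exports(root):
    """List (file name, plain cards, plain logins) under root; counts only, never values."""
    scanned = ((p.name, classify(p)) for p in sorted(Path(root).rglob("*.json")))
    return [(name, *res) for name, res in scanned if res and any(res)]

def demo():
    samples = {  # constructed inputs, written to a temporary directory
        "export.json": {"items": [
            {"type": 3, "card": {"number": "4111 1111 1111 1111"}},  # constructed test number
            {"type": 1, "login": {"password": "constructed-secret"}}]},
        "encrypted.json": {"items": [{"type": 1, "login": {"password": "2.AAAA|BBBB|CCCC"}}]},
        "package.json": {"name": "unrelated"},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            Path(tmp, name).write_text(json.dumps(body), encoding="utf-8")
        return find_plaintext_exports(tmp)
```

Point `find_plaintext_exports` at a download or documents folder on each client; any file it lists should be securely deleted or moved into encrypted storage.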

@timaschew commented on GitHub (Jul 31, 2019):

So you just used two clients?
But did you consider that they are maybe infected with a trojan or something which is spying on the screen or keyboard?

This could happen with any other password manager as well.


@Basti77 commented on GitHub (Aug 1, 2019):

I put a lot of effort into being safe.

At home I have a "real" firewall. Sophos UTM.
You can only get out via a transparent proxy with deep inspection.
I have several computers. All were checked with 3 four scanners: Defender (offline), Sophos Central, Malwarebytes...

The Master Password alone will not help anyone.
You still need initial access to my LAN.

The question is how secure are the browser addons?
https://hackerone.com/bitwarden


@janost commented on GitHub (Aug 1, 2019):

The bitwarden server (regardless of what software you use, the official server or a third party implementation like bitwarden_rs) has no access to your secrets, they are end-to-end encrypted on your clients, so the server doesn't have access to them in plain text or the keys that can be used to decrypt them.
As others mentioned, there is also a negligible chance that your bitwarden_rs instance has been targeted by someone, especially if it's not even exposed to the public internet.

I believe there are two possibilities:

  • One of your client computers is compromised in some way
  • Your credit card details were stolen from a third party

@Basti77 commented on GitHub (Aug 1, 2019):

Difficult to say anything about the two points without becoming paranoid.
The PC can be reinstalled, but I have no influence on the rest.


@mprasil commented on GitHub (Aug 2, 2019):

I don't see how this is actionable by bitwarden_rs devs. As mentioned, passwords are encrypted client-side, so the exposure on server side is very limited. I think this should be closed unless there's good reason to think there is a security flaw in the server implementation?


@Basti77 commented on GitHub (Aug 6, 2019):

I got the leak.
Booking.com: there, credit card data is getting lost again and again...

The summer vacation was booked there, and not on my hardware but on my girlfriend's Apple stuff, directly through her app.


@dani-garcia commented on GitHub (Aug 6, 2019):

I’m glad you found the cause :)

I think this can be closed now then.


Reference: starred/vaultwarden#352