[GH-ISSUE #408] security against memory attacks? #235

New issue

Closed

opened 2026-03-03 01:27:04 +03:00 by kerem · 4 comments

kerem commented 2026-03-03 01:27:04 +03:00

Owner

Copy link

Originally created by @pdarcos on GitHub (Feb 21, 2019).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/408

Hi everyone,

Great project.

Has anyone read the latest report regarding password managers all being vulnerable to reading password in memory? https://www.forbes.com/sites/kateoflahertyuk/2019/02/20/password-managers-have-a-security-flaw-heres-how-to-avoid-it/

I wonder how bitwarden/bitwarden_rs would fare in this audit. Anyone have any more info?

Cheers

Originally created by @pdarcos on GitHub (Feb 21, 2019). Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/408 Hi everyone, Great project. Has anyone read the latest report regarding password managers all being vulnerable to reading password in memory? https://www.forbes.com/sites/kateoflahertyuk/2019/02/20/password-managers-have-a-security-flaw-heres-how-to-avoid-it/ I wonder how bitwarden/bitwarden_rs would fare in this audit. Anyone have any more info? Cheers

kerem closed this issue 2026-03-03 01:27:05 +03:00

kerem commented 2026-03-03 01:27:06 +03:00

Author

Owner

Copy link

@mprasil commented on GitHub (Feb 21, 2019):

I think this question needs to be asked upstream. We use upstream code for the client side.

Server itself (which is what bitwarden_rs does) only handles already encrypted data, so there isn't much to leak.

<!-- gh-comment-id:466073522 --> @mprasil commented on GitHub (Feb 21, 2019): I think this question needs to be asked upstream. We use upstream code for the client side. Server itself (which is what `bitwarden_rs` does) only handles already encrypted data, so there isn't much to leak.

kerem commented 2026-03-03 01:27:06 +03:00

Author

Owner

Copy link

@mprasil commented on GitHub (Feb 21, 2019):

I'm going to close this, but feel free to reopen if you think this question is still relevant for some reason.

<!-- gh-comment-id:466074077 --> @mprasil commented on GitHub (Feb 21, 2019): I'm going to close this, but feel free to reopen if you think this question is still relevant for some reason.

kerem commented 2026-03-03 01:27:06 +03:00

Author

Owner

Copy link

@dani-garcia commented on GitHub (Feb 21, 2019):

To add some extra info, all the clients have an option to auto-lock the vault that should remove the master pass from RAM. Other than that and using 2FA, there is no other solution, really. If an attackere has control of your devices you've already lost.

<!-- gh-comment-id:466074882 --> @dani-garcia commented on GitHub (Feb 21, 2019): To add some extra info, all the clients have an option to auto-lock the vault that should remove the master pass from RAM. Other than that and using 2FA, there is no other solution, really. If an attackere has control of your devices you've already lost.

kerem commented 2026-03-03 01:27:06 +03:00

Author

Owner

Copy link

@pdarcos commented on GitHub (Feb 21, 2019):

@dani-garcia That's what I was thinking too.

Thanks for confirming. I've opened up a ticket in the BW repo about this since it is an upstream client side vulnerability. https://github.com/bitwarden/browser/issues/876

Cheers

<!-- gh-comment-id:466076655 --> @pdarcos commented on GitHub (Feb 21, 2019): @dani-garcia That's what I was thinking too. Thanks for confirming. I've opened up a ticket in the BW repo about this since it is an upstream client side vulnerability. https://github.com/bitwarden/browser/issues/876 Cheers

kerem referenced this issue 2026-03-03 08:36:30 +03:00

[PR #244] [MERGED] Make U2F work with vault 2.4.0 changes #2684

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

revert-7033-patch-1

cached-config-operations

test_dylint

1.35.8

1.35.7

1.35.6

1.35.5

1.35.4

1.35.3

1.35.2

1.35.1

1.35.0

1.34.3

1.34.2

1.34.1

1.34.0

1.33.2

1.33.1

1.33.0

1.32.7

1.32.6

1.32.5

1.32.4

1.32.3

1.32.2

1.32.1

1.32.0

1.31.0

1.30.5

1.30.4

1.30.3

1.30.2

1.30.1

1.30.0

1.29.2

1.29.1

1.29.0

1.28.1

1.28.0

1.27.0

1.26.0

1.25.2

1.25.1

1.25.0

1.24.0

1.23.1

1.23.0

1.22.2

1.22.1

1.22.0

1.21.0

1.20.0

1.19.0

1.18.0

1.17.0

1.16.3

1.16.2

1.16.1

1.16.0

1.15.1

1.15.0

1.14.2

1.14.1

1.14

1.13.1

1.13.0

1.12.0

1.11.0

1.10.0

1.9.1

1.9.0

1.8.0

1.7.0

1.6.1

1.6.0

1.5.0

1.4.0

1.3.0

1.2.0

1.1.0

1.0.0

0.13.0

0.12.0

0.11.0

0.10.0

0.9.0

Labels

Clear labels   

SSO

  

Third party

  

better for forum

  

bug

  

bug

  

documentation

  

duplicate

  

enhancement

  

future Vault

  

future Vault

  

future Vault

  

good first issue

  

help wanted

  

low priority

  

notes

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

troubleshooting

  

wontfix

No labels

SSO

Third party

better for forum

bug

bug

documentation

duplicate

enhancement

future Vault

future Vault

future Vault

good first issue

help wanted

low priority

notes

pull-request

question

troubleshooting

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/vaultwarden#235

No description provided.