surge | 6 months ago

I've threat modeled this myself, and as I understand it the Bitwarden client side decrypts/encrypts everything locally. So even if the backend was entirely compromised, it's never getting anything without the master password, and that's never sent across by the client. Then again, there's also the web interface.

ronnier | 6 months ago

Yeah, if an attacker was able to insert JavaScript, then it's possible.

blr_lpm | 6 months ago

For this particular threat vector, where the client is compromised, the backend doesn’t matter.

9cb14c1ec0 | 6 months ago

Which is only possible if logging into the web client and not when using the Bitwarden desktop app or browser extensions.