[sneak]

You are misunderstanding the issue. It's not asking before the update (as most programs that prompt you to update do).

By the time that dialog box is displayed, the application has already replaced itself on disk (with code chosen arbitrarily by the bitwarden developers, or anyone in possession of their credentials), and the new code will be executed automatically without user intervention the next time the app is launched, which happens automatically if the computer is rebooted (like if there is a momentary power failure, or you hit "okay" on an OS update, or your battery dies and later you plug it back in to power).

This grants the developers (as well as anyone who can compromise their credentials) unlimited remote access to your entire password vault the next time you unlock it.

[bri3d]

Sure, I see where you're coming from. I think your approach makes you come off as not very credible, though. Plus, it puts developers on the defensive and won't cause them to cooperate.

A simple "I'm not comfortable with code on my machine being updated remotely without my approval, because I believe an attacker could infiltrate the supply chain" explains the problem you're having more precisely and turns into a simple feature request (turn off the auto-updater - which is already possible, as documented in that thread!) rather than trying to convince an entire industry that a commonly accepted practice (installation of signed remote updates) amounts to 0day RCE by putting them on the defensive.

[viro]

This is NOT a RCE. Would you like me to list all of the software that does this exact thing? Chrome, Brave, Discord are some of the biggest. Nearly all electron based apps that autoupdate.

[sneak]

You forgot the Creative Cloud, iOS (autoupdates on by default), and the Play Store.

Those are RCE vulnerabilities, as well. Platform vendors love being able to execute whatever they like on the advertising consumption devices that don't belong to them.

Just because it feels like a different thing because it's the vendor (only in theory - TAO would like to have a word with you) doesn't make it any less a vulnerability, or any less an RCE by the strict definition. Installing the client is equivalent to installing a RAT onto your machine: it can be remotely controlled to execute any code or tools the other end wants.

[viro]

Thats not how the definition of RCE works. Under your silly logic every piece of server/client software is a "RAT". To be honest I feel like you're trying to speed run ur way to the Attrition Hall of Charlatans

[RedComet]

Why don't you just disable the updater then?

https://github.com/bitwarden/desktop/issues/552#issuecomment...

[sneak]

There's no good way to set env vars for GUI apps on macOS. I just run a private fork that patches out all of their hostnames.