Phony, malicious Bitwarden ads slip past Google’s watch
Image: Michael Crider/IDG
Popular password managers like LastPass and 1Password have had a rough time of it for the last yearand open-source competitor Bitwarden has quickly emerged as an ideal alternative. But with notoriety comes vulnerability: it’s the opposite of security through obscurity. Bitwarden has become so popular that it looks like some unscrupulous actors are trying to take advantage of it, and hosting Google ads for phony, presumably malicious downloads masquerading as the security tool.
After users on Bitwarden’s company forums and Reddit started seeing suspicious ads (as chronicled by Bleeping Computer), company representatives have alerted the userbase of the phishing scheme, recommending that people go directly to the Bitwarden download page instead of Googling for it. Those who spot the illegitimate ads should use Google’s built-in reporting tools to remove them.
Paying legitimate advertising networks to spread fake information is an indictment of said networks’ lack of moderation. But it’s also nothing new. Earlier this year Google ran ads for AMD Radeon drivers that were, in fact, sending users to malware downloads. Google’s intentionally vague labeling of text ads, taking the place of the first search results on pretty much every major, lucrative search term, doesn’t help. And Google isn’t the only guilty party: I’ve personally seen similar fakes showing up in high-ranking Microsoft Bing searches, too.
According to user screenshots, the Bitwarden fake is a convincing one, recreating the password manager’s login page in a nearly pixel-perfect fashion. The only way to spot the fake was by knowing the genuine URL and comparing it to the phony (“bitwardenlogin.com”, in this case). Signing into this fake page would give its owners the full login information for your password manager—a potentially disastrous outcome. Since Bitwarden is becoming a popular tool, and a frequent recommendation for less technically-savvy users, it’s disheartening that Google appears to be putting the burden of policing its own advertising network on the backs of regular internet surfers.