
That's a very disingenuous way of putting it. If you use the application, there's auto update functionality (with a confirmation dialog box) if:

- You're on Windows and not using the Windows Store version or a "portable" version of the application
- You're on macOS and not using the app store version
- You're on Linux and you're using the AppImage version

Given the security-sensitive nature of the application and the target audience (mostly non-technical people), I think it's not a bad thing that this software has auto update functionality.

If you want to be free of this behaviour, you can either install the application through your system package manager/app store so you can control the update behaviour there, or run a development build of your vetted version of the source code.



It doesn't have a confirmation dialog box, it simply notifies you that it has already happened. You can't easily prevent it. The vulnerability has already occurred by the time the dialog box is displayed.

If you simply reboot your computer, the new code executes.


Does it? From what I could tell from the source code, it seems like it should ask first.

Even still, auto update is a feature, not a vulnerability. It's the only way to get non-technical people to patch their software because people are afraid of change. Even if there's a huge vulnerability in Bitwarden, tons of people won't click the "yes update please" button because they're afraid updates change the way the tool works or break something.


> Even still, auto update is a feature, not a vulnerability.

Autoupdate is fine, so long as it's opt-in. It is a massive vulnerability if not, amounting to the same control as a standard remote access toolkit: full RCE.

> It's the only way to get non-technical people to patch their software because people are afraid of change.

Not only is this a factually incorrect statement, it also contains a presumption that Bitwarden's developers have some right to decide for the end user what software runs on their computer, when the end user is the final authority, for better or worse, on what code is allowed to run on the hardware they own.
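The disagreement in this thread is about ordering: whether the updater asks before new code lands on disk, or installs first and notifies afterwards. The following is an added example, not Bitwarden's code, that models both flows side by side so the difference is concrete. It stands in for a real updater's asymmetric signature check with an HMAC-SHA256 over the release using an embedded key (`RELEASE_KEY`, constructed here); the releases, the "installed binary" bytes and the `Host` state are all constructed for the example.

```python
"""Added example (not Bitwarden's code): two auto-update flows side by side.

The thread above argues about whether the updater asks before or after new
code is written to the install path.  This toy models both.  Integrity is
checked with HMAC-SHA256 under an embedded key as a stand-in for the
asymmetric signature a real updater verifies against a pinned public key;
the key, the release payloads and the host state are all constructed here.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Constructed: the verification key baked into the updater (hypothetical).
RELEASE_KEY = b"example-release-signing-key"


@dataclass
class Release:
    version: str
    payload: bytes
    signature: bytes  # HMAC-SHA256 over version || NUL || payload


def sign_release(version: str, payload: bytes, key: bytes = RELEASE_KEY) -> Release:
    """Publisher side: tag a release so the updater can check it was not altered."""
    mac = hmac.new(key, version.encode() + b"\0" + payload, hashlib.sha256).digest()
    return Release(version, payload, mac)


def verify_release(rel: Release, key: bytes = RELEASE_KEY) -> bool:
    """Updater side: constant-time comparison of the expected tag."""
    expected = hmac.new(key, rel.version.encode() + b"\0" + rel.payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, rel.signature)


@dataclass
class Host:
    installed: bytes                     # bytes that execute on next launch
    staged: Optional[bytes] = None       # downloaded but not yet installed
    log: List[str] = field(default_factory=list)


def apply_then_notify(host: Host, rel: Release, ask: Callable[[str], bool]) -> bytes:
    """The flow the critic describes: verify, install, and only then tell the user.

    The prompt is informational; by the time it appears the install path
    already holds the new code, so declining changes nothing.
    """
    if not verify_release(rel):
        host.log.append("rejected: bad signature")
        return host.installed
    host.installed = rel.payload                    # lands before any consent
    ask(rel.version)                                # return value is ignored
    host.log.append(f"notified: already updated to {rel.version}")
    return host.installed


def verify_then_ask(host: Host, rel: Release, ask: Callable[[str], bool]) -> bytes:
    """Opt-in flow: verify, stage to a side location, ask, then install."""
    if not verify_release(rel):
        host.log.append("rejected: bad signature")
        return host.installed
    host.staged = rel.payload                       # not on the execution path yet
    if not ask(rel.version):
        host.staged = None                          # discard; install path untouched
        host.log.append(f"declined {rel.version}")
        return host.installed
    host.installed = host.staged
    host.staged = None
    host.log.append(f"installed {rel.version}")
    return host.installed


def run_demo() -> dict:
    """Constructed scenario: a good release, a tampered one, and a user who says no."""
    good = sign_release("2.0", b"v2-code")
    tampered = Release("2.0", b"evil-code", good.signature)   # payload swapped in transit
    decline = lambda _v: False
    accept = lambda _v: True

    h1 = Host(installed=b"v1-code")
    h2 = Host(installed=b"v1-code")
    h3 = Host(installed=b"v1-code")
    return {
        "apply_then_notify_declined": apply_then_notify(h1, good, decline),
        "verify_then_ask_declined": verify_then_ask(h2, good, decline),
        "verify_then_ask_accepted": verify_then_ask(h2, good, accept),
        "tampered_rejected": verify_then_ask(h3, tampered, accept),
        "h1_log": h1.log,
        "h2_log": h2.log,
        "h3_log": h3.log,
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

In the first flow the user's "no" is irrelevant because the install path already contains the new code; in the second, nothing executable changes until the user accepts, and a payload whose tag does not match is discarded in both. Whether a given updater behaves like the first or the second is exactly what one would have to confirm from its source or by watching the install directory, which is the factual question left open in the thread.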



