Paul.R

Level 16
Verified
Today I was on a domain that should only be available via BasicAuth. Then I was really scared when I did not have to login. Even in incognito mode the page was visible without login. Is my BasicAuth broken? Turns out: No, but @Bitwarden has automatically logged in for me. 1/6

Bitwarden sends the HTTP Authorization Header automatically. The HTTP Authorization request header contains the credentials to authenticate a user with a server. This happens even if auto-fill is disabled. Not so tragic, one might think. But it's getting worse. 2/6

#Bitwarden uses "Base domain" as the default URI match detection (bitwarden.com/help/article/u…). That means: bad\.example\.com is the same as good\.example\.com. So, Bitwarden might automatically (!!) leak my passwords to other subdomains. 3/6

In my case this is not so problematic, because all subdomains belong to me. Nevertheless, Bitwarden still leaks my password to other subdomains and thus possibly to other servers. I think this is a serious attack vector. 4/6

This should not happen, especially not when auto-fill is switched off. The problem has been known since January, so out-of-scope for their bug bounty. Feel free to upvote this Issue on GitHub: github.com/bitwarden/brow… 5/6

Nevertheless I am convinced that Bitwarden belongs to the better password managers. Bitwarden is #OpenSource and can be completely self-hosted. 6/6

Addendum: Bitwarden also leaks my password to subdomains that do not have HTTPS. 7/6
 

SpiderWeb

Level 3
You can modify the match detection. Yes. Bitwarden and Lastpass autofill based on domain by default for ease of use. The assumption is that the subdomain is as secure as the main domain and you have an account on both. The alternative would be to make a rule for every single subdomain, which would be a massive inconvenience since so many websites have their login page on a subdomain! You can restrict to a specific domain and even URL though by changing the match detection:

Screenshot 2020-09-20 at 13.26.16.png
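To make the thread's point concrete (Paul.R's "bad.example.com is the same as good.example.com" under the default, and SpiderWeb's note that the match detection can be narrowed), here is an added Python model of the match-detection modes as described in Bitwarden's help text. This is example code written for this thread, not Bitwarden's own implementation; the public-suffix table is a constructed stand-in for the real Public Suffix List, and the mode names are this example's own.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (assumption: the real client
# consults the full list); only used to decide what the "base domain" is.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}

def base_domain(host):
    """Registrable domain: 'bad.example.com' -> 'example.com'."""
    if not host:
        return ""
    labels = host.lower().split(".")
    if len(labels) > 2 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def matches(saved_uri, page_uri, mode):
    """Model of the match-detection modes a vault entry can be set to."""
    saved, page = urlsplit(saved_uri), urlsplit(page_uri)
    if mode == "base_domain":   # the default: any subdomain of the same site
        return base_domain(saved.hostname) == base_domain(page.hostname)
    if mode == "host":          # same hostname (and port, if one was saved)
        return (saved.hostname, saved.port) == (page.hostname, page.port)
    if mode == "starts_with":   # page URL must begin with the saved URL
        return page_uri.startswith(saved_uri)
    if mode == "regex":         # the saved URI field holds the pattern
        return re.fullmatch(saved_uri, page_uri) is not None
    if mode == "exact":
        return saved_uri == page_uri
    if mode == "never":
        return False
    raise ValueError(f"unknown match mode {mode!r}")

def autofill_review(saved_uri, page_uri, mode):
    """Would the entry be offered here, and what should a defender notice?"""
    hit = matches(saved_uri, page_uri, mode)
    notes = []
    if hit and urlsplit(page_uri).scheme != "https":
        notes.append("plaintext HTTP: credentials would leave the browser unencrypted")
    if hit and urlsplit(page_uri).hostname != urlsplit(saved_uri).hostname:
        notes.append("different host from the saved entry")
    return hit, notes

if __name__ == "__main__":
    # The scenario from the thread: entry saved for one subdomain, page on another.
    for mode in ("base_domain", "host", "exact"):
        print(mode, autofill_review("https://good.example.com/",
                                    "http://bad.example.com/", mode))
```

Setting the entry to "host" (or stricter) is what stops a credential saved for good.example.com from being offered on bad.example.com; the HTTP warning is the addendum case from the first post.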
 

SpiderWeb

Level 3
This thread should be locked for misinformation.
1. You can't blame Bitwarden for your bad configuration and security practices. You can narrow it down to a specific subdomain through match detection (first screenshot)
2. Bitwarden WARNS you that your URI is unencrypted (first + second + third screenshot)
3. It also WARNS you not to enable autofill (which is opt-in) until you double check your configuration. (first screenshot at the top!)

The problem here is not Bitwarden but people just quickly clicking through all the menus when they save a password. You should know how your password manager works, and lock it down appropriately.
 


upnorth

Moderator
Verified
Staff member
Malware Hunter
This thread should be locked for misinformation.
Bitwarden's founder/CTO has officially acknowledged the issue and made a Pull Request. How is that misinformation?
 

TairikuOkami

Level 28
Verified
Content Creator
You can't blame Bitwarden for your bad configuration and security practices.
The majority use the default settings, because they expect security software to be preset as such, just like in TOR, where people still have to disable scripts for max anonymity (2 clicks). I myself had no idea what "Default URI Match Detection" is about. Well, there is always something new to be learnt. Thank you.
 

Soulbound

Moderator
Verified
Staff member
I agree with @TairikuOkami
Default settings should be configured out of the box for usability.

If I have to dig in and find what is for example "Default URI Match Detection" and other obscure names that are not commonly known to the average Password Manager user, I simply would not use the solution anymore no matter how highly it is rated across the internet.

Which once again falls into my opinion: this is why I use an offline Password Manager, and a simple copy and paste solves any issue.
 

TairikuOkami

Level 28
Verified
Content Creator
Which once again falls into my opinion: this is why I use an offline Password Manager, and a simple copy and paste solves any issue.
I am starting to regret my decision, moving from Keepass to Bitwarden, which is more exploitable whether as an extension or as a desktop app. :(

Security triangle strikes again. You just can not have everything.

Security Triangle.png
 

ErzCrz

Level 7
Verified
I ask because XC doesn't provide any advantages for Windows. It's also not audited like the original.
So in my opinion XC is only useful for Linux.

I made a post somewhere here about the difference between XC and the original

I use KeepassXC over the original only because of integrated TOTP. I think there are TOTP plugins but I don't know which one to use. I guess there's always WinAuth but that's an archived project. I just hate using my phone for 2fa.

Anyway, glad I didn't switch over to Bitwarden. I prefer the security of locally stored passwords, but I suppose it'd be a user error if I went to an insecure website and pasted in my details. Maybe a case for using the HTTPS Everywhere extension or, at the very least, having third-party content blocked for http using @Lenny_Fox's uBO static filter:

! Block insecure third-party content except stylesheet, image and media
||HTTP://*$3p,~stylesheet,~image,~media
 

Soulbound

Moderator
Verified
Staff member
I ask because XC doesn't provide any advantages for Windows. It's also not audited like the original.
So in my opinion XC is only useful for Linux.

I made a post somewhere here about the difference between XC and the original
In Linux you can use WINE if you want to use the official version.
Alternatively you can use the contributed/unofficial packages of Keepass for Linux (I only used the Debian one and it worked fine too).

At the bottom of the page.



As for plugins: (note that some 2x plugins are no longer compatible with latest version of Keepass)
 