Bitwarden leaks passwords to sub domains

Paul.R

Level 17
Thread author
Verified
Well-known
May 16, 2013
844
Today I was on a domain that should only be available via BasicAuth. Then I was really scared when I did not have to login. Even in incognito mode the page was visible without login. Is my BasicAuth broken? Turns out: No, but @Bitwarden has automatically logged in for me. 1/6

Bitwarden sends the HTTP Authorization header automatically. The HTTP Authorization request header contains the credentials to authenticate a user with a server. This happens even if auto-fill is disabled. Not so tragic, one might think. But it's getting worse. 2/6

#Bitwarden uses "Base domain" as the default URI match detection (bitwarden.com/help/article/u…). That means: bad.example.com is the same as good.example.com. So, Bitwarden might automatically (!!) leak my passwords to other subdomains. 3/6

In my case this is not so problematic, because all subdomains belong to me. Nevertheless, Bitwarden still leaks my password to other subdomains and thus possibly to other servers. I think this is a serious attack vector. 4/6

This should not happen, especially not when auto-fill is switched off. The problem has been known since January, so it is out of scope for their bug bounty. Feel free to upvote this issue on GitHub: github.com/bitwarden/brow… 5/6

Nevertheless, I am convinced that Bitwarden belongs to the better password managers. Bitwarden is #OpenSource and can be completely self-hosted. 6/6

Addendum: Bitwarden also leaks my password to subdomains that do not have HTTPS. 7/6
 

SpiderWeb

Level 10
Verified
Well-known
Aug 21, 2020
468
You can modify the match detection. Yes. Bitwarden and LastPass autofill based on domain by default for ease of use. The assumption is that the subdomain is as secure as the main domain and you have an account on both. The alternative would be to make a rule for every single subdomain, which would be a massive inconvenience since so many websites have their login page on a subdomain! You can restrict to a specific domain and even URL, though, by changing the match detection:

Screenshot 2020-09-20 at 13.26.16.png
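To make the match-detection discussion in the two posts above concrete, here is an added example (not Bitwarden's code, and not from anyone in this thread) that models how a saved credential is offered to a visited URL under the match modes Bitwarden's help page names: Base domain, Host, Starts with, Exact and Never. The tiny PUBLIC_SUFFIXES set is a constructed stand-in for the real Public Suffix List, and the sample URLs are constructed; the function names are this example's own.

```python
"""Model of password-manager URI match modes (added example, not Bitwarden's code)."""
from enum import Enum
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the Public Suffix List. Bitwarden and
# browsers use the full list (publicsuffix.org); this set is an assumption for the demo.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


class Match(Enum):
    BASE_DOMAIN = "base_domain"   # the default discussed in the thread: every subdomain matches
    HOST = "host"                 # hostname (and explicit port) must be identical
    STARTS_WITH = "starts_with"   # visited URL must begin with the saved URI
    EXACT = "exact"               # full URL string must be identical
    NEVER = "never"               # never offered for autofill


def host_of(uri: str) -> str:
    """Lower-cased hostname plus explicit port, or '' if the URI has no host."""
    parts = urlsplit(uri)
    if not parts.hostname:
        return ""
    port = f":{parts.port}" if parts.port else ""
    return parts.hostname.lower() + port


def base_domain(host: str) -> str:
    """Registrable domain: one label to the left of the longest public suffix.
    Returns '' when the host is itself a public suffix, so two bare suffixes never match."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return "" if i == 0 else ".".join(labels[i - 1:])
    return host.lower()


def matches(saved_uri: str, visited_url: str, mode: Match) -> bool:
    """Would a credential saved for saved_uri be offered on visited_url under mode?"""
    if mode is Match.NEVER:
        return False
    if mode is Match.EXACT:
        return saved_uri == visited_url
    if mode is Match.STARTS_WITH:
        return visited_url.startswith(saved_uri)
    if mode is Match.HOST:
        return host_of(saved_uri) == host_of(visited_url) != ""
    # BASE_DOMAIN: scheme, port and path are ignored; only the registrable domain counts,
    # which is exactly why good.example.com and bad.example.com collapse into one entry.
    saved = host_of(saved_uri).split(":")[0]
    visited = host_of(visited_url).split(":")[0]
    return base_domain(saved) == base_domain(visited) != ""


def downgrades_scheme(saved_uri: str, visited_url: str) -> bool:
    """True when a credential saved under https would be offered on a plain-http page."""
    return urlsplit(saved_uri).scheme == "https" and urlsplit(visited_url).scheme == "http"


def exposure_report(saved_uri: str, visited_urls, mode: Match):
    """For each visited URL: (url, offered?, offered over plaintext?) under the given mode."""
    report = []
    for url in visited_urls:
        offered = matches(saved_uri, url, mode)
        report.append((url, offered, offered and downgrades_scheme(saved_uri, url)))
    return report


# Constructed sample: one saved login and a few pages the browser might land on.
SAVED = "https://good.example.com/login"
VISITED = [
    "https://good.example.com/dashboard",
    "https://bad.example.com/",
    "http://bad.example.com/",
    "https://example.org/",
]

if __name__ == "__main__":
    for mode in (Match.BASE_DOMAIN, Match.HOST):
        print(mode.value)
        for url, offered, plaintext in exposure_report(SAVED, VISITED, mode):
            print(f"  {url:38} offered={str(offered):5} plaintext={plaintext}")
```

Running it shows the thread's two complaints side by side: under Base domain the login saved for good.example.com is offered on bad.example.com and even on http://bad.example.com (the addendum's plaintext case), while under Host only good.example.com itself matches. Switching the per-item or global default to Host is the configuration change SpiderWeb's post describes.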
 

SpiderWeb

Level 10
Verified
Well-known
Aug 21, 2020
468
This thread should be locked for misinformation.
1. You can't blame Bitwarden for your bad configuration and security practices. You can narrow it down to a specific subdomain through match detection (first screenshot)
2. Bitwarden WARNS you that your URI is unencrypted (first + second + third screenshot)
3. It also WARNS you not to enable autofill (which is opt-in) until you double check your configuration. (first screenshot at the top!)

The problem here is not Bitwarden but people just quickly clicking through all the menus when they save a password. You should know how your password manager works, and lock it down appropriately.
 

Attachments: Screenshot 2020-09-20 at 18.21.19.png, Screenshot 2020-09-20 at 18.20.32.png, Screenshot 2020-09-20 at 18.20.51.png

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,457
This thread should be locked for misinformation.
Bitwarden's founder/CTO has officially acknowledged the issue and made a pull request. How is that misinformation?
 

TairikuOkami

Level 35
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,452
You can't blame Bitwarden for your bad configuration and security practices.
The majority use the default settings, because they expect security software to be preset as such, just like in Tor, where people still have to disable scripts for max anonymity (2 clicks). I myself had no idea what "Default URI Match Detection" is about. Well, there is always something new to be learnt. Thank you.
 

Soulbound

Moderator
Verified
Staff Member
Well-known
Jan 14, 2015
1,761
I agree with @TairikuOkami
Default settings should be configured out of the box for usability.

If I have to dig in and find what, for example, "Default URI Match Detection" and other obscure names that are not commonly known to the average password manager user mean, I simply would not use the solution anymore, no matter how highly it is rated across the internet.

Which once again falls into my opinion: this is why I use an offline password manager, and a simple copy and paste solves any issue.
 

TairikuOkami

Level 35
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,452
Which once again falls into my opinion: this is why I use an offline password manager, and a simple copy and paste solves any issue.
I am starting to regret my decision, moving from Keepass to Bitwarden, which is more exploitable whether as an extension or as a desktop app. :(

Security triangle strikes again. You just can not have everything.

Security Triangle.png
 

Soulbound

Moderator
Verified
Staff Member
Well-known
Jan 14, 2015
1,761
I am starting to regret my decision, moving from Keepass to Bitwarden, which is more exploitable whether as an extension or as a desktop app. :(

Security triangle strikes again. You just can not have everything.

KeePassXC is what I moved to from KeePass.

I do have Sticky Password but don't use it.
 

ForgottenSeer 85179

I ask because XC doesn't provide any advantages for Windows. It's also not audited like the original.
So in my opinion XC is only useful for Linux.

I made a post somewhere here about the differences between XC and the original.
 

ErzCrz

Level 21
Verified
Top Poster
Well-known
Aug 19, 2019
1,004
I ask because XC doesn't provide any advantages for Windows. It's also not audited like the original.
So in my opinion XC is only useful for Linux.

I made a post somewhere here about the differences between XC and the original.

I use KeePassXC over the original only because of integrated TOTP. I think there are TOTP plugins but I don't know which one to use. I guess there's always WinAuth, but that's an archived project. I just hate using my phone for 2FA.

Anyway, glad I didn't switch over to Bitwarden. I prefer the security of locally stored passwords, but I suppose it'd be a user error if I went to an insecure website and pasted in my details. Maybe a case for using the HTTPS Everywhere extension or, at the very least, having third-party content blocked for HTTP using @Lenny_Fox's uBO static filter:

! Block insecure third-party content except stylesheet, image and media
||HTTP://*$3p,~stylesheet,~image,~media
 

Soulbound

Moderator
Verified
Staff Member
Well-known
Jan 14, 2015
1,761
I ask because XC doesn't provide any advantages for Windows. It's also not audited like the original.
So in my opinion XC is only useful for Linux.

I made a post somewhere here about the differences between XC and the original.
In Linux you can use WINE if you want to use the official version.
Alternatively, you can use the contributed/unofficial packages of KeePass for Linux (I only used the Debian one and it worked fine too).

At the bottom of the page.



As for plugins (note that some 2.x plugins are no longer compatible with the latest version of KeePass):
 
