Browser: Possible vulnerability in browser extension caused by browser.storage.local API implementation

I just checked this on my local windows machine at C:\Users\me\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb\000004.log and I cannot find any trace of key. or "key". I am using a lock option which would have cleared the default key which was originally saved after first login.

Also verified with Firefox on windows at %AppData%\Roaming\Mozilla\Firefox\Profiles\your_profile\browser-extension-data\{446900e4-71c2-419f-a6a7-df9c091e268b}\storage.js. No trace of the key found in that file.

Either

• Uninstall, reinstall, and look again on chrome, or
• Toggle your remember option to "Never", look, change it back, and look again.

I'm having difficulty finding implementation details for Chrome's local storage, but every extension I've ever installed begins with 000003.log. I have extensions that have started there and when each file fills, it rolls over. My AdGuard plugin has made it to 000237.log

Looks like it's there after toggling which is weird. I am not sure the format of this file, but I can definitely say that is wasn't there before which means the value is not saved forever. Maybe it's some kind of cache?

I toggled Firefox as well but am unable to find any kind of trace of the key there.

All of the data there looks like values that have recently changed. I'll keep monitoring the file and see if I can figure out when it "purges".

It isn't saved forever - It's saved until you fill up the log file and it rolls over to another.

This is how the chrome storage API works - the keyvalue store is implemented with a journaled logfile - the _most recent_ value gets returned when you call chrome.storage.local.get() but all others are physically present on disk until either you call chrome.storage.local.clear() or the file fills to capacity and rolls over. Depending on how often you change your BitWarden settings, this file would likely fill slowly and hang around on disk for a long time.

this is a pretty serious issue because users expect their master key to not be recoverable, but for a period of time (I'm going to guess days to weeks) it is.

We are planning to change this setting's default in an upcoming release so it will be resolved going forward. That said, bitwarden syncs and overrides the user's entire encrypted vault to chrome.storage multiple times per day so I imagine that log fills up and rolls over quickly. In any case it's not there forever so I don't think we have to worry about trying to come up with a solution to cleanup those log files.

multiple times per day

For active users, maybe. But I don't think it makes a great deal of sense to store both the lock and the key in the same file on disk.

You'd be relying on users's activity to overwrite a file that contains the most sensitive piece of information the application deals with. Imagine a scenario where I install BitWarden, port over my data from LastPass, and then get sidetracked for a week. No sync, no updates, no fresh data. Then I lose my laptop on the train and there's a good chance both my encrypted vault and the key to unlock it are in one convenient location on disk.

@subdavis @kspearrin Should this be posted on Hacker One for tracking? https://hackerone.com/bitwarden?view_policy=true

It doesn't need to be since we have it here, but can be if @subdavis would like to post it there. We'll have this patched for next release.

@subdavis

This should resolve it going forward: https://github.com/bitwarden/browser/commit/4a34f9be5946499f193fa26e10d15b9ed0d552fb . This will be bundled with next release which is going out rather soon.

Thanks for the additional info about chrome.storage. Never knew it behaved in such a way. Doesn't seem Google has that documented anywhere.

@kspearrin @anortiz08 That isn't a fix for the issue I've described, and changing the default won't help.

Any time a user uses the "Never" feature, a copy of key gets persisted to disk, potentially forever. This issue should be left open to document that.

Short of removing the option to set "Never" the issue will always be present, however, the option is there by user demand so we cannot just remove it. Perhaps we should add a popup warning when setting that option so they user knows the consequences of their actions. We are tracking that in https://github.com/bitwarden/browser/issues/467

Then should I add documentation to that issue?

Because the popup would have to say:

If you use this option, you won't be able to change your mind later. Short of uninstalling BitWarden, there is no programmatic way to verify that the log has rolled over and your credentials are safe again.

Yes, you can add input regarding that in #467 .

Also, are you aware if other chrome.storage implementations such as Firefox or Edge have a similar log? That would determine if we would need to display the same message there or not. I can't find anything in Firefox.

I'm not. I'm planning to open an issue on Chromium to track why the hell this hasn't been documented because it's obscenely dangerous, and will attempt to do the same for Firefox, Edge, etc.

I don't know why they can't provide a secure disk storage medium in the first place. Safari does (presumably linked to the keychain), which we use for the key if using the "Never" option.

@subdavis I understand a workaround/mitigation has been put in place but I think a formal vulnerability report should be submitted on HackerOne since this is a pretty serious vulnerability.

Hi, could somebody tell me if Bitwarden on Firefox is affected too? Thanks.

@FatOrangutan No, Firefox does not appear to be affected.

@subdavis This should be a better fix going forward https://github.com/bitwarden/browser/commit/6834e26b370c5eae231a57680f842909b15f696d

I mentioned this on reddit but considering this is the official place to track the issue I will repeat it:

Issue #467 addresses the need for UI warning when selecting the "never" option...that remains on the to-do list.

But if someone DOES choose "never" and later switches to a different option, data would potentially remain cached on disk for some time.

So I think a complete fix would need code which flushes the local storage whenever the lock option is changed away from "never" to anything else. Correct?

@kriswilk You're completely correct. It's sort of an edge case, but definitely a risky one.