Browser: [SECURITY] Bitwarden browser extension leaks basic auth credentials

This is very useful functionality - please don't remove it. If needed, a config option for it maybe. I suspect most people expect their password manager to work in basic auth scenarios.

This is very useful functionality - please don't remove it. If needed, a config option for it maybe. I suspect most people expect their password manager to work in basic auth scenarios.

When properly deployed I don't disagree! In its current state I have zero doubt that credentials have been unintentionally submitted to the wrong parties before. Perhaps not for either of us but its definitely happened somewhere, and that's a problem. Has it been actively exploited? Who knows...

It's possibly worth a per-item checkbox to support Basic Auth. I only use
this on a very small subset of sites. Might also be worthwhile to limit it
to HTTPS urls.

On Sat, Jan 25, 2020, 6:35 PM h-town notifications@github.com wrote:

This is very useful functionality - please don't remove it. If needed, a
config option for it maybe. I suspect most people expect their password
manager to work in basic auth scenarios.

When properly deployed I don't disagree! In its current state I have zero
doubt that credentials have been unintentionally submitted to the wrong
parties before. Perhaps not for either of us but its definitely happened
somewhere, and that's a problem. Has it been actively exploited? Who
knows...

—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
https://github.com/bitwarden/browser/issues/1124?email_source=notifications&email_token=AAEAZQ6HTF7O3EGZCTD3U4TQ7TZIPA5CNFSM4KLUI6R2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEJ5KKIY#issuecomment-578463011,
or unsubscribe
https://github.com/notifications/unsubscribe-auth/AAEAZQYGKXPE5JWUQW6AHELQ7TZIPANCNFSM4KLUI6RQ
.

My suggestion:

• Send the HTTP Authorization Header only if the URL including subdomain matches. For the automatic filling out of Basic Auth the default matching with "Base domain" should be overridden.
• If auto-fill is switched off, this should not work.

…or just do it like KeePassXC seems to do in it's recent versions: always open a popup asking whether to proceed.

This might also be solved by changing "base domain" and using the public suffix list for this: https://publicsuffix.org/

This so that the extension knows that foo.dyndns.provider and bar.dyndns.provider are different domains under the same public suffix (dyndns.provider) and that credentials thus shouldn't be shared. This as this list for example is also used by browsers to determine if two domains are the same site to apply the SameSite cookie policy (so preventing cookies set on foo.dyndns.provider from being send to bar.dyndns.provider).

No, the proper fix is to not send basic auth across subdomains at all. Don't match base domains, only full domains. Very simple. @mritzmann has it right.

Please do not restrict it to HTTPS only. I use basic auth in my LAN.

Also please don't open a popup. That's annoying.

If auto-fill is switched off, this should not work.

One problem here is that, due to limitations in the web extension APIs (see chrome.webRequest.onAuthRequired), filling credentials for HTTP Basic Auth prompts has to be non-interactive. I know of no other way to do it. Because of this, we do not respect the "auto-fill on page load" setting.

We could change the default match detection to Host on basic auth fills. That's not a bad idea.

So whatever, there should of course be the possibility to disable that feature altogether. So any arguments like "That's annoying." or so don't count, because you can disable it.

No, the proper fix is to not send basic auth across subdomains at all. Don't match base domains, only full domains. Very simple. @mritzmann has it right.

Yeah, that's for a start may be a good idea, unless some users depend on that feature – you know.
Though even if that is restricted, you may not always like to automatically send this thing so hmm…

credentials for HTTP Basic Auth prompts has to be non-interactive. I know of no other way to do it.

KeePassXC can do it, maybe look at their source https://github.com/keepassxreboot/keepassxc-browser/
I guess they may just cancel and re-request or do such tricks.

Wait… your statement is just not true.
I just had a look on the docs https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/webRequest/onAuthRequired and it tells you many methods, which one is:

Provide credentials asynchronously

So technically that seems possible.

KeePassXC can do it, maybe look at their source https://github.com/keepassxreboot/keepassxc-browser/
I guess they may just cancel and re-request or do such tricks.

This seems to be because they have a native desktop app running that can open interactive UIs during the web request flow. Bitwarden works independently, only with available web extension APIs.

Changing the default match detection for basic auth fills has been addressed in #1397

I'm wondering if sounds reasonable from a UX perspective to disable the autofill and use the right click instead and one for all disable auto-login from the browser

Yea this should be OPT IN

Having no way to disable this is unfortunate.
I have autofill off, credentials should never be automatically filled.
Is there still no way to turn this off?

Seeing collaborators appear to disregard this as a nonissue is very disappointing.

They didn't ignore it, Kyle (BW's owner) addressed that here:

https://github.com/bitwarden/browser/issues/1124#issuecomment-695788430

Due to a technical issue, respecting the aut-fill setting for basic auth is not possible in an addon. Changing it to only match on full domains addresses the issue at hand.

They didn't ignore it, Kyle (BW's owner) addressed that here:

It was marked as an "enhancement" and still hasn't been addressed after 9 months and 11 releases...

resolved with #1397 for next release.

Due to a technical issue, respecting the aut-fill setting for basic auth is not possible in an addon.

It is possible - by not filling the password at all. Requiring me to manually copy/paste is better than autofilling that I never enabled.

Raised #1408