Browser: Security: Bitwarden's default match detection leaks client passphrase to community.bitwarden.com javascript

Created on 20 Sep 2020 · 6 Comments · Source: bitwarden/browser

Describe the Bug

Bitwarden's autofill leaks the password manager master passphrase (from the entry for vault.bitwarden.com) to the (relatively insecure) Discourse web application running at community.bitwarden.com via improper autofill.

Steps To Reproduce

Go attempt to sign up at the forum at https://community.bitwarden.com.

Expected Result

My password manager's main passphrase is not leaked to the Discourse javascript app.

Actual Result

It autofills, allowing Discourse's clientside javascript app to read the password out of the field and do who-knows-what with it.

Additional Context

Bitwarden should lock all *.bitwarden.com password manager entries, when created, to Host type matching, not Default match detection or Base domain. This will prevent leaking of the Bitwarden password itself (used on vault.bitwarden.com) to any other javascript apps (such as Discourse) hosted on *.bitwarden.com.

Ideally, the forum would be hosted on an entirely different second-level domain, so that any cookies or other authentication information for vault.bitwarden.com are not leaked to the Discourse app when it's used.

All 6 comments

Are you really saying that you've saved the master password to your Bitwarden vault... inside your Bitwarden vault?

Yes, why wouldn't I?

> Yes, why wouldn't I?

Because if you can't remember your vault passphrase, then having it stored inside the vault is absolutely useless.

Thinking about it more...perhaps you have your master passphrase stored in your vault so that when you need to visit the web vault, the browser extension auto-fills it for you? This may be convenient but is a terrible security risk. The only place your master passphrase should exist is in your own head.

Am I missing something??

> This may be convenient but is a terrible security risk.

Please explain the security risk you think this poses.

If the password store isn't safe enough to store the master password, it isn't safe for any other password.

Well, you found one already, didn't you? I don't think it's BW's job to protect you from every avenue down which your master passphrase might be leaked like that, since you're the one storing it in plaintext.

But to give another example...what if you are briefly distracted or step away from your PC while your vault is unlocked and someone were to access your master passphrase that way? One could argue that if someone has access to your vault that all hope is lost anyway, but scribbling down your master password is far easier than copying a whole bunch of other passwords. A malicious user could even avoid new/external login warnings by sitting down at your PC when you're away to log into your browser extension and go nuts.

As I said, and as I think most people would agree, the only place your master passphrase should exist is in your own head. Perhaps stick a written copy in a safe or safety deposit box if you like, but having it accessible as plaintext ANYWHERE from your PC, let alone allowing it to be autofilled by your browser is just not a good idea.

We don't have any plans to change the default match type for specific domain strings, including *.bitwarden.com. If you want the applications to behave this way, you can change the match detection for that particular item in your vault or the application as a whole under Settings => Options.
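To make the match-detection point in the report and in the maintainer's reply concrete, here is an added illustration (not Bitwarden's code) of how base-domain versus host matching decides which vault items are offered on a page. It assumes a simplified base-domain rule (last two DNS labels) instead of a public-suffix list, and the item/match names are constructed for the example.

```typescript
// Added illustration of URI match detection, not Bitwarden's own code.
// Shows why an item saved for vault.bitwarden.com is offered for autofill on
// community.bitwarden.com under base-domain matching but not under host
// matching (the per-item or app-wide setting the maintainer points to).

type MatchType = "baseDomain" | "host" | "startsWith" | "exact";

interface VaultItem {
  name: string;
  uri: string;
  match: MatchType;
}

// Assumption: base domain = last two DNS labels. A real implementation
// consults a public-suffix list (so that e.g. co.uk is handled correctly);
// the simplification is enough for *.bitwarden.com.
function baseDomain(host: string): string {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

function uriMatches(item: VaultItem, pageUrl: string): boolean {
  const page = new URL(pageUrl);
  const saved = new URL(item.uri);
  if (item.match === "baseDomain") {
    return baseDomain(page.hostname) === baseDomain(saved.hostname);
  }
  if (item.match === "host") {
    // Host match compares hostname plus port, so a subdomain never matches.
    return page.host.toLowerCase() === saved.host.toLowerCase();
  }
  if (item.match === "startsWith") {
    return pageUrl.startsWith(item.uri);
  }
  return pageUrl === item.uri; // "exact"
}

// Names of the items that would be offered for autofill on pageUrl.
function autofillCandidates(items: VaultItem[], pageUrl: string): string[] {
  return items.filter((i) => uriMatches(i, pageUrl)).map((i) => i.name);
}

// Constructed sample vault: the same web-vault entry saved once with the
// default (base domain) match and once locked to host matching.
const sampleVault: VaultItem[] = [
  { name: "vault (base domain)", uri: "https://vault.bitwarden.com/", match: "baseDomain" },
  { name: "vault (host)", uri: "https://vault.bitwarden.com/", match: "host" },
];
```

On the forum sign-up page only the base-domain item is offered, while on the web vault itself both are; switching the item to host matching is what stops the forum page from ever seeing it.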
