Browser extension completely breaks passkeys/webauthn in browser process (Chromium/Linux)

Open pdf opened this issue 3 weeks ago • 10 comments

Steps To Reproduce

  1. Go to https://webauthn.io
  2. Click on Register
  3. Scroll down to error message
  4. Error: The operation either timed out or was not allowed.

This happens for all sites implementing webauthn, both for registration and auth.

Bizarrely, if I open devtools, the browser extension works as expected and intercepts the call, popping the extension UI, and the native UI if the extension flow is cancelled.

If I disable the browser extension, the native webauthn UI is displayed correctly on register/auth.

Expected Result

Browser extension pops to handle passkeys.

Actual Result

Extension causes browser to return an error and completely breaks webauthn for the entire browser process.

Screenshots or Videos

No response

Additional Context

No response

Operating System

Linux

Operating System Version

Arch Linux hostname 6.17.9-zen1-1-zen #1 ZEN SMP PREEMPT_DYNAMIC Mon, 24 Nov 2025 15:21:16 +0000 x86_64 GNU/Linux

Web Browser

Chrome

Browser Version

142.0.7444.162

Environment Versions

Version: 2025.11.1

SDK: 'main (8ef7951)'

Server version: 2025.11.1

Issue Tracking Info

  • [x] I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.

pdf avatar Dec 05 '25 16:12 pdf

Thank you for reporting this issue! We've added this to our internal tracking system. ID: PM-29257 Link (for internal use): https://bitwarden.atlassian.net/browse/PM-29257

bitwarden-bot avatar Dec 05 '25 16:12 bitwarden-bot

Hmm. The error should still be around in the console if you open it after the crash. Could you look?

abergs avatar Dec 05 '25 16:12 abergs

@abergs there are no errors in the browser console, this error is returned from the webauthn API I believe.

If I enable developer mode and collect errors on the extension I can get some output, though not certain how enlightening it is, see attached.

console-1764954266005.log

pdf avatar Dec 05 '25 17:12 pdf

That log was enlightening. Do you have any other extensions running? Or multiple instances of bitwarden?

abergs avatar Dec 05 '25 18:12 abergs

Created a fresh browser profile with only Bitwarden for that test.

pdf avatar Dec 05 '25 18:12 pdf

Another odd datapoint - having devtools open only causes the extension to start functioning correctly if devtools is in a separate window, does not have any effect if devtools is docked.

Attached is a log with devtools for the calling page popped to a separate window, where the extension triggers as expected while devtools is open.

EDIT: Replaced log with a slightly cleaner version from a new session, after logging into the extension.

console-1764961421657.log

pdf avatar Dec 05 '25 19:12 pdf

Hi there,

I am unable to reproduce this issue, it has been escalated for further investigation. If you have more information that can help us, please add it below.

Thanks!

jtodddd avatar Dec 08 '25 14:12 jtodddd

@jtodddd I was able to reproduce immediately under a clean user account with the following steps:

  1. Install Chromium flatpak
  2. Install Bitwarden extension
  3. Log into Bitwarden
  4. Navigate to https://webauthn.io and attempt to register.
  5. Fail

pdf avatar Dec 08 '25 14:12 pdf

I was also unable to replicate this when testing with Omarchy using its fork of chromium and the normal extension install.

keithhubner avatar Dec 11 '25 09:12 keithhubner

Maybe it's something to do with flatpak somehow? Happens for me for both Ungoogled Chromium and regular Chromium, both from flathub.

pdf avatar Dec 11 '25 11:12 pdf

All these can't work with Webauthn+BW:

  • Brave from RPM
  • Chromium from Flatpak
  • Chrome from Flatpak

But if I create another profile (not just a private tab) or disable the BW extension, then webauthn works fine.

OK, if you have a physical key you can disable the BW extension popup: https://community.bitwarden.com/t/allows-you-to-completely-disable-the-passkey-function/70753

chisaato avatar Dec 12 '25 08:12 chisaato

@chisaato @pdf Can we try to narrow down if the problem is originating from chromium/chrome/brave being installed from those channels (Flatpak/RPM)?

Are you able to install chrome(ium) from some other channel?

abergs avatar Dec 12 '25 12:12 abergs

@abergs flatpak is probably the most universally available method for installation across distros, should be very easy to repro via that method?

We've already had some confirmation that there are sources that work without producing the issue, but a simple and consistent reproduction case should be the best avenue for working out what the problem is?

pdf avatar Dec 12 '25 12:12 pdf

Image

Front: Brave+Flatpak and enable BW notification -> Webauthn Fail

Back: Brave+RPM and disable BW notification -> Webauthn OK

Also, my BW account has MFA with Webauthn and I can log in with Webauthn, but after logging in to the extension, Webauthn fails.

chisaato avatar Dec 12 '25 17:12 chisaato

> Are you able to install chrome(ium) from some other channel?

FWIW, I can confirm that the chromium build from the Arch repos does not reproduce the problem.

pdf avatar Dec 12 '25 21:12 pdf

I'm seeing this on my Mac running Chrome. Version 143.0.7499.109 (Official Build) (arm64)

janstadt avatar Dec 14 '25 17:12 janstadt

@pdf Insightful, thank you.

Any other details about your system, what locale/language setting is being used?

@janstadt That's very surprising. What OS version are you on? And what locale/language? Has it never worked on chrome or did the behaviour change recently?

abergs avatar Dec 15 '25 09:12 abergs

@abergs system locale is en_AU.UTF-8, I changed zero settings after installing the browser, so whatever English it defaulted to.

It has been broken for quite some time, but I didn't connect it to Bitwarden until recently. I use Keeper in my work profile and that works fine, even in the same browser install (with a separate profile).

I'd really recommend testing via Flatpak - there are multiple confirmations here that this is a reliable reproducer.

pdf avatar Dec 15 '25 09:12 pdf

> @pdf Insightful, thank you.
>
> Any other details about your system, what locale/language setting is being used?
>
> @janstadt That's very surprising. What OS version are you on? And what locale/language? Has it never worked on chrome or did the behaviour change recently?

Tahoe 26.0 (25A354) EN/US. I just started noticing it in the last few months. I'm running behind a DNS adblock so I'm gonna test disabling that for a bit as well as disabling all my other chrome extensions. Safari works so I'm thinking it might be a different extension or something?

janstadt avatar Dec 16 '25 02:12 janstadt

Oh man.....I had Bitwarden Password Manager BETA installed.....I sure hope I didn't install a bad extension. It's working now with just the mainline version. 26.0 (25A354)

Edit: I see that Bitwarden did in fact have a beta extension so I feel a bit more reassured I didn't install any trojan horse extension or anything. https://chromewebstore.google.com/detail/bitwarden-password-manage/hccnnhgbibccigepcmlgppchkpfdophk

janstadt avatar Dec 16 '25 03:12 janstadt