
Vulnerability: Chrome extension saves vault in persistent local storage after logging out and exiting Chrome

Open bwbug opened this issue 1 year ago • 4 comments

Steps To Reproduce

  1. Log into vault using Chrome extension
  2. Log out of vault on Chrome extension
  3. Exit Chrome
  4. Navigate to %LocalAppData%\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
  5. Open the most recent *.log file using Notepad
  6. Optionally, use Edit/Find to search for terms such as "keyHash", "email", "login", "password", etc.

Expected Result

If the user has logged out, the vault should be expunged from persistent storage. Bitwarden documentation makes the claim: "Logging out of your vault completely removes all vault data from your device."

Thus, the *.log file (which contains vault data for the Chrome extension) should be deleted, or contain only a skeleton template structure with non-existent entries for "email", "keyHash", "login", "password", etc., or (at worst) empty values for all fields that hold secret/sensitive information.

Actual Result

The stored *.log file contains one or more copies of the encrypted vault, which persists even after logging out of the vault, exiting Chrome, and rebooting the computer. By scanning through the file, or by using search terms such as those suggested above, the full contents of the vault are revealed, including the email account in plaintext, the hashed version of the Master Key, as well as encrypted cipher strings containing all secrets. In effect, there appears to be no practical security difference between the locked state and the logged out state.

Screenshots or Videos

No response

Additional Context

The vault data can easily be exfiltrated by anybody who has physical access to the computer for a short time, whether the computer is on or off. Using copied values of the fields "email", "kdfIterations", and "keyHash", the master password can be brute-forced if it is sufficiently weak, which would then allow a bad actor to access the web vault. Whether such a threat model is widely applicable or not, users have the expectation that encrypted vault data is removed from persistent storage upon logout; this expectation is not met for the Chrome extension. I have not tested other browser extensions.

Operating System

Windows

Operating System Version

Windows 10

Web Browser

Chrome

Browser Version

Version 103.0.5060.114

Build Version

2022.6.1

bwbug avatar Jul 15 '22 23:07 bwbug
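The reproduction steps above amount to a manual audit: after logging out, check whether the extension's LevelDB *.log files still contain vault field names. The script below automates that check so the expected logout behaviour can be verified before and after a fix. It is an added example, not Bitwarden code: the storage path and the marker strings ("email", "keyHash", "kdfIterations", "login", "password") are taken from the report, while the sample log files it builds are constructed stand-ins, not real extension data.

```python
"""Audit check: do the Chrome extension's LevelDB *.log files still hold
vault field names after logout?  Added example, not Bitwarden code.  The
directory and marker names come from the issue's reproduction steps; the
sample log content built by make_sample_dir() is constructed."""
import os
import tempfile
from pathlib import Path

# Extension storage directory named in the report (Windows, default profile).
DEFAULT_STORAGE_DIR = Path(os.path.expandvars(
    r"%LocalAppData%\Google\Chrome\User Data\Default\Local Extension Settings"
    r"\nngceckbapebfimnlniiiahkandclblb"))

# Field names the reporter searched for; any hit after logout is the finding.
MARKERS = ("keyHash", "email", "kdfIterations", "login", "password")


def scan_log_file(path: Path, markers=MARKERS) -> dict:
    """Return {marker: occurrence count} for one LevelDB log file.

    LevelDB logs are binary records, so the search runs over raw bytes; a
    marker counts whenever its ASCII form appears anywhere in the file."""
    data = path.read_bytes()
    return {m: data.count(m.encode("ascii")) for m in markers}


def audit_storage_dir(directory: Path, markers=MARKERS) -> dict:
    """Scan every *.log file in the extension storage directory.

    Returns {filename: {marker: count}} for files containing at least one
    marker.  An empty result is what the documented logout behaviour
    ("completely removes all vault data from your device") implies."""
    findings = {}
    for log in sorted(directory.glob("*.log")):
        counts = scan_log_file(log, markers)
        if any(counts.values()):
            findings[log.name] = counts
    return findings


def leaked_markers(findings: dict) -> set:
    """Flatten audit findings to the set of markers seen in any file."""
    return {m for counts in findings.values() for m, n in counts.items() if n}


def make_sample_dir(populated: bool = True) -> Path:
    """Build a constructed stand-in for the storage directory (not real
    extension data).  With populated=True it holds one log that still carries
    vault-shaped fields and one that only holds an unrelated setting; with
    populated=False it holds only the unrelated setting, i.e. the state a
    correct logout should leave behind."""
    d = Path(tempfile.mkdtemp(prefix="ext-audit-"))
    if populated:
        (d / "000003.log").write_bytes(
            b"\x00\x01leveldb"
            + b'"email":"user@example.invalid"'
            + b'"kdfIterations":100000'
            + b'"keyHash":"<constructed-placeholder>"'
            + b"\x00")
    (d / "000005.log").write_bytes(b"\x00\x02" + b'"theme":"dark"' + b"\x00")
    return d


if __name__ == "__main__":
    # Audit the real directory when it exists, otherwise the constructed one.
    target = DEFAULT_STORAGE_DIR if DEFAULT_STORAGE_DIR.is_dir() else make_sample_dir()
    found = audit_storage_dir(target)
    if found:
        print(f"vault markers still present under {target}: {sorted(leaked_markers(found))}")
    else:
        print(f"no vault markers in *.log files under {target}")
```

Run it on a machine where the extension has just been logged out: a non-empty result means the logout did not clear persistent storage, matching the Actual Result above; an empty result is the Expected Result. Counting raw byte matches is deliberate, since LevelDB log records are not line-oriented text and a JSON parse would miss values split across records.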

This seems to be related to the vulnerability that was disclosed in Issue #485 (Possible vulnerability in browser extension caused by browser.storage.local API implementation) in 2018. Based on the similarities between the current behavior and the 2018 issue, it would be worth testing whether the account encryption key itself is still readable from the *.log file when the vault timeout option has (ever) been set to "Never" in the Chrome extension (which was the crux of #485). However, please note that the vulnerability I am disclosing above exists even if the user has never elected the "never timeout" option.

bwbug avatar Jul 23 '22 19:07 bwbug

Hi @bwbug, thank you for raising this issue. The team will reproduce the issue which afterwards we'd investigate and look for potential solutions. Very appreciated!

dbosompem avatar Jul 25 '22 13:07 dbosompem

@dbosompem Is there anything I can do to assist the team with reproducing this issue? In my opinion, this problem creates a significant vulnerability, because it effectively prevents the user from fully logging out of their vault when using the Chrome extension. I just wanted to check in to see if I can do anything to accelerate progress on this issue, since it's been 2 weeks since your last comment.

bwbug avatar Aug 08 '22 15:08 bwbug

Hi @bwbug , thank you for checking in on this issue. I will do a quick follow up and get back to you on this; looks like we gave the other vulnerability a very high priority, but I will check in with the team and let you know if we have been able to reproduce this. Appreciate your proactiveness!

dbosompem avatar Aug 08 '22 15:08 dbosompem

Follow-Up

Hello @dbosompem, since another 2 weeks have passed since you offered to "do a quick follow up" with the team and let me know if they have been able to reproduce this issue (and 4 weeks since your original response stating that the team would be reproducing the issue), I hope you don't mind me checking in again. I realize that the team is busy and that development of a fix may take time, but in my opinion it should not be difficult to just clear the initial hurdle of reproducing the reported issue in this case. As previously, if there is anything that I can do to help accelerate progress (especially with regards to reproducing the issue), please let me know!

New Information

I would like to report the following new observation, as I believe it may be related to the same bug:

Even though the Bitwarden documentation on browser extension timeouts explicitly states "If you quit your browser, you will be logged out of both your web vault and browser extension," I have observed that if I quit the Chrome browser while the browser extension is logged in, and even if I subsequently reboot the computer, the browser extension remains logged in (although locked) when the browser is restarted (please note that I have not set the vault timeout to "Never"). This behavior is in direct contradiction with the expected behavior, and appears to be related to the inability of the Chrome extension to delete the locally stored data. If you believe that this behavior is unrelated to the present Issue, please let me know, and I will post a separate Issue.

bwbug avatar Aug 22 '22 23:08 bwbug

Hi @bwbug, the team has been able to reproduce this now. Apologies for the long wait. It would be passed over to the dev team to take a look, but kindly note that we are working on the other vulnerability now. This will be visited when we get a good hold on that, first. With regards to the new observation, I believe it is not so related to this one, so we can create a new issue, the team will reproduce that as well.

dbosompem avatar Aug 23 '22 12:08 dbosompem

Thank you for the update.

With regards to the new observation, I will wait to create a new issue until after the final disposition of #3124. If #3124 is fixed so that I can clear the vault from local storage by manually logging out of the browser extension, then I probably will not mind if the vault is not automatically logged out whenever the browser is closed (i.e., the new observation from my previous post).

bwbug avatar Aug 23 '22 17:08 bwbug

Could we get an update here please? @dbosompem

joaobeltrao avatar Jan 22 '23 11:01 joaobeltrao

Well, this just saved me after messing up and losing my 2FA. 😅

migueldemoura avatar Jan 28 '23 15:01 migueldemoura