Major Security Issue: Browser Plugin DID NOT LOCK

Status: Open. GrizzlyAK opened this issue 1 year ago • 2 comments

Steps To Reproduce

I'm not sure what produced this or how/if I can reproduce it.

I just noticed upon unlocking my Win 10 desktop where Firefox was already open, opening a tab, and logging into a new web site, that BW did not prompt me for a PIN.

I EXPECT that a browser restart will correct this issue, but it will not help plug this security flaw.

Expected Result

In similar situations, I would have had to enter a PIN to unlock BW.

Actual Result

BW remained unlocked overnight, even with a LOCK timeout of 5 minutes, and Unlock with PIN checked.

Screenshots or Videos

[screenshot]

Additional Context

I have NEVER had this happen before. Firefox has been running for about 24 hours since launch, with only one tab open. Even as I write this, BW has still not locked, which is a SERIOUS security issue. Before I noticed this, I had been adjusting some Firefox settings (menu, not config) in an attempt to get videos to appear in my Twitter feed, which have recently started showing as black image with no sound, even though the play bar showed movement.

I will leave this up for a while in case you would like me to do any further testing.

Operating System

Windows

Operating System Version

10 Pro 21H1 19043.1826 x64

Web Browser

Firefox

Browser Version

101.0.1

Build Version

2022.8.0

GrizzlyAK, Aug 10 '22 17:08

Hi @GrizzlyAK and thank you for your report.

I was unable to reproduce this on a similar setup (Win10, Firefox, Bitwarden 2022.08).

Could it be possible that the popup was still open, a popped out window of the extension was open or Bitwarden was open in the Firefox sidebar? If the answer to any is yes, then this has previously been reported with https://github.com/bitwarden/clients/issues/854/

You also mention changing some settings on Firefox, do you remember which settings you changed, in case the above mentioned does not resolve this.

Please report back and provide further information or close this issue if it has been resolved.

Kind regards, Daniel

djsmith85, Aug 10 '22 18:08

> Could it be possible that the popup was still open

No.

I do not remember exactly which settings I changed, but I was flipping a lot of them off/on sequentially, although I do believe that all of the settings are as they originally were. I was testing to see if I could find ONE that was causing the issue with Twitter. I do know that I disabled all of my add-ons, except, I believe, BW.

As expected, I disabled the BW add-on, and after re-enabling it, I had to supply the Master PW. I will try to see if I can reproduce this problem. But I can attest that BW was in a "resting" state in my browser overnight (i.e., not open, but previously unlocked and used for logins) and failed to lock during that period.

One other thing I just noticed, is that I have a notification from Windows Update that "Your device will restart outside of active hours". I have noticed in the past that when WU is wanting me to restart, strange things often happen in Windows (in general).

GrizzlyAK, Aug 10 '22 21:08

I've experienced this once so far (this is how I found this bug). BW 2022.8.0, FF 103.0.1, 64-bit, Fedora.

When this occurred I had not changed any FF settings, or done any changes to extensions. I just noticed that the extension was still unlocked when it should not have been. Manually selecting "Lock now" from the settings menu also did not lock the vault. I had unlocked the vault, and used it, I believe, only in private windows, through the Right click->Bitwarden->Auto fill functionality. I've not been able to reproduce this so far, but if it ever happens again, are there logs/debug information that I could collect?

Lalufu, Aug 15 '22 10:08

I have started experiencing this issue recently. BW: 2022.8.0, FF: 103.0.2, 64-bit, System: macOS.

I have had the settings to lock from day one, and it used to lock automatically after inactivity. Now it hasn't locked for 2 days. "Lock Now" failed for me as well.

Even closing the browser didn't lock the extension. When I quit the browser that's when I see it locked again.

gsaran, Aug 16 '22 16:08

What happened to the Bitwarden browser plugin? Not only will my BW client in Firefox no longer lock after the timeout has lapsed, but it won't lock using the Lock Now command in Settings either. I've also noticed that Search is fracked and returns NOTHING when entering anything.

For example, I search for "github" and...

[screenshot]

and I just used it to log into GitHub to post this! You can see the little "1" on the BW badge indicating that GitHub knows it's there, yet... 🤷‍♂️

I'm quickly losing confidence in the security of BitWarden. I hope this can be resolved soon. None of these issues affect the Desktop App. It locks after the timeout and Search works fine. Is anybody seeing this in any other browsers than Firefox?

Is there a way to install a previous version in FF, maybe?

I saw there was an "Info Needed" tag added. What Info do you need? I thought this would get a little more attention.

EDIT: I just disabled the BW Add-on in FF and re-enabled it, and after logging in again, Search works fine, as does Lock Now, as does the timeout lock. So this appears to be a transient bug that is triggered by some internal corruption after a period of time.

GrizzlyAK, Aug 21 '22 07:08

Like @GrizzlyAK, my FF Lock Now button wasn't working, and toggling extension enabled fixed it.

Like the others, this morning I experienced an unlocked vault without re-entering my password. Vault timeout set to 1 hour.

I agree with @GrizzlyAK that this a security issue worth prioritizing. LMK if I can help reproduce.

DustinWehr, Aug 25 '22 12:08

@djsmith85 I see this error in my browser console from vaultTimeout.service.ts:

None of the “sha512” hashes in the integrity attribute match the content of the subresource.

However, that was several minutes after the issue occurred (i.e. after I expected my vault to be locked).

DustinWehr, Aug 25 '22 12:08

My vault is also permanently unlocked despite having a vault timeout of "1 minute", and a vault timeout action of "Lock". Even pressing "Lock Now" does nothing. Wonderful security.

OS: macOS Monterey 12.4; Browser: Firefox 104.0.2; Extension: 2022.9.1

FYI restarting my browser entirely seems to have solved the issue

OliverPearmain, Oct 12 '22 10:10

I had some similar problems before. If I used the browser with a memory-intensive site for a while (sites with unending feeds), my vault wouldn't time out, "Lock now" didn't work, the folders disappeared, etc. After I removed the extension and reinstalled, all the said problems went away and haven't happened again. Hope this helps.

Tipoff4317, Oct 12 '22 11:10

@Tipoff4317 thanks for reporting this. Although I haven't noticed my vault in FF not locking for a little while now, I went ahead and uninstalled BW and reinstalled it as suggested. It won't hurt. I'll report back if I see it again. Please do the same. Cheers.

GrizzlyAK, Oct 12 '22 19:10

I've had this issue happen a number of times, not quite sure why but here are trivial steps to reproduce the issue:

OS: Windows 10 21H2; Browser: Firefox 107.0.1 (64-bit); Extension Version: 2022.10.1

  1. Click on the Bitwarden extension while the vault is locked
  2. Enter master password
  3. Click on the "+" icon in the top right to start adding a new login
  4. Click somewhere outside the extension UI.
  5. Your vault will now stay unlocked until you restart your browser or disable and re-enable the extension.

Note that after Step 4. even the "Lock now" button does not lock the vault.

This is a huge security issue and should be prioritized.

0x00A, Dec 07 '22 10:12

I can confirm that what @0x00A posts above is true for me as well. This observation should hopefully help the team at Bitwarden track this issue down and put a quick end to this massive security flaw. @djsmith85

GrizzlyAK, Dec 08 '22 03:12

Hi all, thanks for the additional context you have provided. I'm going to raise this internally, and we will look into this. Will provide feedback once we have a known ETA. Thanks for the patience!

dbosompem, Dec 08 '22 08:12

We have recently moved over around 150 users to Bitwarden from Lastpass. Set the organization policy for Vault Timeout to 2 hours max, but users are reporting that their extensions are still unlocked on login after several days of being away from the device. This is a major concern for us. Any update on a timeline for a fix?

DeskDude47, Jan 19 '23 16:01
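The thread states the behaviour users expect of the extension's vault timeout without spelling it out: the vault must lock once the configured idle period elapses (0x00A's steps above show it staying open), "Lock now" must lock regardless of what the UI was doing, and an organization policy maximum must cap each user's own setting (DeskDude47's 2-hour policy). The following is an added illustrative model of those properties, written for this page; it is not Bitwarden's code, and every name in it (VaultTimeoutModel, effectiveTimeoutMinutes, the state strings) is an assumption chosen for illustration rather than anything taken from the extension.

```javascript
// Added illustrative model of a browser-extension vault-timeout check.
// NOT Bitwarden's code: class and function names, state strings and the
// "policy caps user setting" rule are assumptions made for this example.

const MS_PER_MINUTE = 60 * 1000;

// Resolve the effective timeout in minutes. `null` means "never".
// A policy maximum (if present) always caps the user's choice, including "never".
function effectiveTimeoutMinutes(userTimeoutMinutes, policyMaxMinutes) {
  if (policyMaxMinutes == null) return userTimeoutMinutes;
  if (userTimeoutMinutes == null) return policyMaxMinutes;
  return Math.min(userTimeoutMinutes, policyMaxMinutes);
}

class VaultTimeoutModel {
  constructor({ userTimeoutMinutes, policyMaxMinutes = null, action = 'lock' }) {
    this.userTimeoutMinutes = userTimeoutMinutes;
    this.policyMaxMinutes = policyMaxMinutes;
    this.action = action;        // 'lock' or 'logout'
    this.state = 'locked';       // 'locked' | 'unlocked' | 'loggedOut'
    this.lastActiveMs = null;    // last user activity while unlocked
  }

  unlock(nowMs) {
    this.state = 'unlocked';
    this.lastActiveMs = nowMs;
  }

  // Record user activity (autofill, opening the popup, editing an item).
  // Activity while not unlocked must never revive the session.
  touch(nowMs) {
    if (this.state === 'unlocked') this.lastActiveMs = nowMs;
  }

  // "Lock now": unconditional, independent of the timer or any in-progress UI.
  lockNow() {
    this.state = this.action === 'logout' ? 'loggedOut' : 'locked';
    this.lastActiveMs = null;
  }

  // Periodic check (e.g. driven by an alarm). Fails closed: an unlocked
  // session with no usable lastActive timestamp is locked, not left open.
  check(nowMs) {
    if (this.state !== 'unlocked') return this.state;
    const timeout = effectiveTimeoutMinutes(this.userTimeoutMinutes, this.policyMaxMinutes);
    if (timeout == null) return this.state; // "never", and no policy forces a cap
    const idleMs = typeof this.lastActiveMs === 'number' ? nowMs - this.lastActiveMs : Infinity;
    if (idleMs >= timeout * MS_PER_MINUTE) this.lockNow();
    return this.state;
  }
}

// Scenario from the opening report: 5-minute lock timeout, vault idle overnight.
function overnightScenario() {
  const vault = new VaultTimeoutModel({ userTimeoutMinutes: 5 });
  vault.unlock(0);
  vault.touch(1 * MS_PER_MINUTE);                            // one autofill a minute later
  const beforeTimeout = vault.check(6 * MS_PER_MINUTE - 1);  // 4m59.999s idle: still open
  const afterTimeout = vault.check(8 * 60 * MS_PER_MINUTE);  // eight hours later: locked
  return { beforeTimeout, afterTimeout };
}

// Scenario from the organization report: policy max 2h, user chose "never".
function policyScenario() {
  const vault = new VaultTimeoutModel({ userTimeoutMinutes: null, policyMaxMinutes: 120 });
  vault.unlock(0);
  return {
    effective: effectiveTimeoutMinutes(null, 120),
    afterTwoDays: vault.check(2 * 24 * 60 * MS_PER_MINUTE),
  };
}

// Simulated loss of the activity timestamp while unlocked (the kind of
// internal state corruption the reporters suspect): the check must lock.
function failClosedScenario() {
  const vault = new VaultTimeoutModel({ userTimeoutMinutes: 60 });
  vault.unlock(0);
  vault.lastActiveMs = undefined;
  return vault.check(1);
}

console.log(overnightScenario(), policyScenario(), failClosedScenario());
```

The two properties worth carrying over to any real implementation are in `lockNow` and `check`: the manual lock never consults the timer or UI state, and the timer never treats missing state as "still active". Every report in this thread describes the opposite of one or both.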

Hi @DeskDude47 and welcome to Bitwarden. This issue is something we have been researching, to ensure we tackle the root cause. Efforts are still being made to ensure it's resolved. I will update this thread once an ETA is confirmed. Thank you for the patience!

dbosompem, Jan 20 '23 19:01

As of today, this issue still exists (Firefox V109.0.1, BW Add-on V2023.1.0), where my vault did not lock overnight. I have it set to Lock after 5 mins and reopen with PIN. Lock Now does not work. The only thing that seems to reset it, as mentioned by others, is to disable the Add-on and re-enable it in Firefox Add-ons and Themes. During the time this has occurred, I have basically been using Windows 10 x64 to read PDF files using Acrobat Reader X Pro (v10.1.16) and reading email via Thunderbird (V102.8.0), and have, at times, had two/three different instances of Firefox running, launched by moving a tab to another screen. The latter may be significant.

GrizzlyAK, Feb 17 '23 20:02