Bitwarden hijacked passkey creation but did nothing later

When I tried to use my YubiKey as a security key for my Google account, Bitwarden hijacked the passkey creation process and I couldn’t bypass it for the YubiKey. So I said OK, let me try and see what a Bitwarden passkey could do for now, and let it add a passkey in the related Google account.

Now whenever I try to do something and Google asks for a passkey, nothing happens. Bitwarden doesn’t do anything with its passkey sitting in the vault.

The account is half locked now. I can’t change any security settings because I lost the passkey to Bitwarden.

@bitgarden Hi!

In the popup window, there is this option with which you could have gotten to the YubiKey:

So your Google passkey is still in your “Google” vault item in Bitwarden?

In the extension, go to Settings → Excluded domains. If there are Google domains in the list, delete them.

(In Settings → Options → “Passkeys” are activated, I assume? Otherwise Bitwarden wouldn’t show you the passkey-popup…)

In the popup window, there is this option with which you could have gotten to the YubiKey:

I know this. It was there for the 2FA security key. But there wasn’t this option for passkey creation. You can try adding a passkey (not a 2FA security key) on the Google website.

I will try to exclude the Google domain and see if Bitwarden would work as a passkey. I do have the Google domain in the excluded list.

Then you need to delete it from the excluded list (if you want to use the passkey stored in Bitwarden).

Deleting the Google domain from the excluded list gets Bitwarden to be used for the passkey prompt.

Now we still need one more thing to fix: bypassing the Bitwarden passkey intervention. There’s no opt-out option in either passkey creation or usage.

The following is me trying to create a new passkey but getting hijacked by Bitwarden:

In your browser extension, go to Settings > About. What version of the browser extension do you have installed? And what is your browser and operating system?

Linux x86-64bit
Brave browser:
Version 1.66.115 Chromium: 125.0.6422.112 (Official Build) (64-bit)

Bitwarden Password Manager 2024.4.2

Not sure why your prompt looks like that. In the 2024.4.2 browser extension for Chrome on Windows 11, if Bitwarden already has a passkey for a site, then the prompt looks as follows:

 

In the above prompt, clicking Save passkey leads to the following alert:

 

It’s unclear to me why your prompt looks so different.

Perhaps you can try creating a test account on the demo website https://www.passkeys.io/, then saving a passkey in Bitwarden, and subsequently creating a second passkey to store in Bitwarden. Do you get the same prompt (“A passkey already exists for this application”) as you are getting on google.com, or do the prompts now look like mine?

Unfortunately, I don’t have a Google account for testing, and I’m not about to create one.

Tried on passkeys.io, and there was the option for using hardware keys instead.
I don’t know why it wasn’t there when I was creating a passkey for Google, whose domain name had even been in the exclusion list at that time.
There was also a Brave browser update between then and now. So not sure what happened…

So is it working on Google, too, now?

Not OP, but I’m facing the same issue: when creating passkeys for other websites I’m able to choose “Use your device or hardware key”, but not for Google. This option simply doesn’t exist. Adding “google.com” to the exclusion list doesn’t work either.