My understanding is that several pieces of malware (like the recent HWInfo/CPUID one) infect browser extensions to steal usernames/passwords/URLs when someone accesses a specific site.
Is it fair to assume that exposure would be limited to only the pages visited, and that the rest of the Bitwarden entries are not exposed?
What about OTPs stored in Bitwarden? Are they exposed while filling in the form? Although they are only valid for a short amount of time…
What about passkeys stored in Bitwarden?
Would it make sense to keep OTPs outside of Bitwarden completely, like in Ente Auth?
If there is malware on your device while you are using an unlocked session of Bitwarden, then the malware would be able to access all of your decrypted vault data, including all usernames, passwords, and TOTP authentication keys (which can be used to generate an arbitrary number of valid TOTP codes), as well as all stored passkeys.
Only if you install Ente Auth on a device that is never used to log in to Bitwarden. And if you never store passkeys in Bitwarden.
In this context I am referring to malware within the browser (like a corrupted extension). My understanding is that browser extensions are sandboxed; so does a compromised Extension X have the ability to access the Bitwarden extension within the same browser?
All an attacker needs to do is to add an invisible script to a legitimate download, which executes when the download is run.
…
By abusing the unrestricted nature of content scripts, we built an extension that silently modifies every file download initiated from any website. The user clicks a legitimate download link on a trusted domain, using a browser they trust. The file downloads exactly as expected.
…
Without breaking the original application, without triggering warnings, and without requiring any additional permissions, the extension appends attacker-controlled code to every downloaded executable.
I feel this research is missing some information, or is outright not showing default (and enhanced) security behaviors. When you download an executable file from the web:
1. It is marked by “Mark of the Web,” which triggers defensive behaviors from Windows/Windows Defender when it is not a well-known app (the original app may be, but the appended app shouldn’t be).
2. Reputable software is usually signed, as with the Spotify app. A signature mismatch from modification may raise additional flags.
Point 1 means the user will, by default, get a warning if the file doesn’t pass Windows SmartScreen, which it shouldn’t if modified. Point 2 means that if the installer requires elevation (not the case here, since the Spotify executable is just a downloader), you’ll get signature-mismatch installation warnings.
I think the extension’s permissions and the lack of non-store security validation are serious concerns, but the research’s lack of detail on how they overcame those defenses already in place may oversimplify the real-world situation and over-hype the threat (which could help sell their products).
We need independent researcher validation beyond publications echoing the original research.
The HWMonitor/CPUID hack appears to be more than a browser-extension issue — it was a supply-chain attack on a privileged Windows app, which, BTW, caused Windows Defender to flag it (possibly heuristically) for the original Reddit poster; they actually had to override the security warning.
Not directly, barring grb’s scenario, as you have already figured out. Assuming just a browser-extension supply-chain attack, unless it also uses a browser exploit, the extension would only have the permissions it’s granted, which could include cookie/session theft but not reading another extension’s private data or memory. Some BW developer mentioned that extensions were pretty well sandboxed from one another (unless allowed to interact by permissions).
A browser extension typically has access to the web pages you visit, so it can see credentials entered on those pages (email/username, password, TOTP codes) and potentially URLs with parameters that may include sensitive information. A browser extension compromise probably warrants resetting cookies/sessions, all credentials (excluding TOTP) that were used while the malicious extension was active, and possibly all important accounts’ credentials.
A compromise like the privileged HWMonitor may warrant assuming a total compromise.
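The replies above turn on one point: a compromised extension gets exactly the access its manifest was granted (page content on the sites it matches, cookies for hosts it holds, and so on), and no permission grants it another extension's storage or memory. The following manifest triage script is an added example written for this thread; it is not code from Bitwarden, from the quoted research, or from any real extension. It runs under Node.js with no dependencies, and the two manifests at the bottom are constructed for illustration.

```javascript
// Added example (not from the thread or from Bitwarden): triage a browser
// extension manifest (MV2 or MV3) and report which theft paths its granted
// permissions actually allow. Node.js, no dependencies.

const BROAD_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const isBroad = (pattern) => BROAD_PATTERNS.has(pattern);
const looksLikeHost = (p) => p === "<all_urls>" || p.includes("://");

function auditManifest(manifest) {
  const perms = new Set(manifest.permissions || []);
  // MV2 listed host patterns under "permissions"; MV3 uses "host_permissions".
  const hosts = [...(manifest.host_permissions || []), ...[...perms].filter(looksLikeHost)];
  const scriptMatches = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);

  // Pages the extension's code can run on: declared content scripts, plus
  // programmatic injection when "scripting" is combined with a host permission.
  const injectable = perms.has("scripting") ? [...scriptMatches, ...hosts] : scriptMatches;
  const pageAccess = injectable.some(isBroad) ? "all" : injectable.length ? "listed" : "none";

  const report = {
    pageAccess, // "all" | "listed" | "none"
    pages: [...new Set(injectable)],
    cookies: perms.has("cookies") && hosts.length > 0, // only for hosts it holds
    network: perms.has("webRequest") || perms.has("declarativeNetRequest"),
    downloads: perms.has("downloads"),
    management: perms.has("management"),
    nativeMessaging: perms.has("nativeMessaging"),
    // No permission grants access to another extension's storage or memory:
    // each extension is its own origin, so a vault held by a password-manager
    // extension is out of reach without a browser exploit.
    otherExtensionData: false,
    findings: [],
  };

  if (pageAccess === "all") {
    report.findings.push(
      "content script on every site: can read anything typed or autofilled " +
        "(username, password, TOTP code), read URL parameters, and rewrite page " +
        "content including download links"
    );
  } else if (pageAccess === "listed") {
    report.findings.push(`page access limited to: ${report.pages.join(", ")}`);
  }
  if (report.cookies) report.findings.push("cookies + host permission: can read session cookies for those hosts");
  if (report.network) report.findings.push("webRequest/declarativeNetRequest: can observe or redirect requests");
  if (report.downloads) report.findings.push("downloads: can observe and initiate downloads");
  if (report.management) report.findings.push("management: can disable or uninstall other extensions (e.g. a password manager)");
  if (report.nativeMessaging) report.findings.push("nativeMessaging: can talk to a native host app installed outside the browser");
  report.findings.push("cannot read another extension's storage or memory without a browser bug");
  return report;
}

// Constructed manifests for illustration (not real extensions).
const broadManifest = {
  manifest_version: 3,
  name: "Example Helper",
  permissions: ["storage", "cookies", "downloads"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
};
const narrowManifest = {
  manifest_version: 3,
  name: "Example Site Tweaks",
  permissions: ["storage"],
  content_scripts: [{ matches: ["https://example.com/*"], js: ["tweak.js"] }],
};

console.log(JSON.stringify(auditManifest(broadManifest), null, 2));
console.log(JSON.stringify(auditManifest(narrowManifest), null, 2));
```

Run it against the manifest.json of any installed extension (the browser keeps them on disk under its profile directory) to see whether "reset the credentials used while it was active" is the right scope, or whether the extension could only ever see the sites it lists. The "otherExtensionData" line is deliberately hard-coded: no manifest entry changes it, which is the sandboxing point made above.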