Hello.
When I create a ticket on the Help page (Help Center | Bitwarden) and contact support, I am asked to enter an email address. Does it have to be the Bitwarden account email address?
I think this could be a security issue, as it means I am revealing one of the ways to access my password vault.
I use an address for my Bitwarden vault and account only, and nowhere else. So I am not happy about using this specific address here.
It would be better to ask for “any” email address, but not for the specific account email address right here. In case support needs the email address, they can ask for it.
Greetings.
PS: Sorry to post this here in this section. But there is no section for e.g. the website or general topics.
They use it to “verify” that you are the owner of the account, so they specifically ask you to use the Bitwarden address. This is an item that the account holder and Bitwarden will most likely have, regardless of having access to the Bitwarden vault.
I don’t think this is a requirement. However, if you want priority support, which is a Premium benefit, then you should use the email address associated with your Premium account.
What is your specific concern? To whom would your address be revealed, other than Bitwarden employees (who already know your email address)?
Not a specific concern. More like a general “concern”.
Like when using an insecure WiFi? I don’t know … maybe I think too much about things I know too little about.
It’s not necessary, but it does help the Bitwarden support team identify what account you’re contacting them about, which can speed up the resolution to whatever problem you are having. Bitwarden also replies to this email though, so if you don’t check your account email often, it might be better to contact support from another one.
I’m not sure what that question is or if it was directed at me, but -
Regarding privacy, here is Bitwarden’s privacy policy.
Regarding security, the bitwarden.com site where the contact form is hosted is included in regular security audits performed by third parties.
With regards to privacy, your Bitwarden email address is already stored in plaintext in Bitwarden’s database (this is required to retrieve the user-specific KDF configuration required to complete the E2EE part of the authentication process), so you are not disclosing anything that they don’t already know.
With regards to security, the form is submitted via HTTPS, so it is TLS-encrypted. When you get a response from Bitwarden via email (no matter what email address you are using for communication), that will most likely be encrypted the same way (TLS), so I don’t think that submitting your email address using the online form causes any reduction in security.
I suppose there could be some benefit (or at least peace of mind) to be gained by a support contact form that is accessed from inside the client apps (or at least the Web Vault), which would make possible EAS-encryption of the communication. However, this would have to be in addition to the current public web form, to make it possible for users who are having trouble logging in to get support.