Is there any security or privacy issue with the bitwarden web vault retrieving site icons?

The bitwarden web vault, by default, retrieves site icons for every site listed in your vault.

To do this, it makes many https calls to vault.bitwarden.com. Each call includes the name of one of the sites in your vault.

Simplifying the url a little, the vault makes calls like:

https://vault.bitwarden.com/your-private-site-1/icon.jpg
https://vault.bitwarden.com/your-private-site-2/icon.jpg
https://vault.bitwarden.com/your-private-site-3/icon.jpg
etc.

Is this a security or privacy concern at all?

For example, let's say you have to log in to the web vault using a secure device, but on an insecure network (public wifi, for example). From what I understand, this is okay, because all the transmitted data is encrypted by HTTPS. But can someone looking at server logs see that you just accessed:

https://vault.bitwarden.com/your-private-site-1/icon.jpg
https://vault.bitwarden.com/your-private-site-2/icon.jpg
https://vault.bitwarden.com/your-private-site-3/icon.jpg
etc.

thus giving them a list of every site in your vault?

HTTPS encrypts the full URL, so they will not show up in the network logs of the network you're connected to.

At best, someone looking at the logs will be able to see connections to 'bitwarden.com', but not the full URL.

1 Like

Thanks. Do they always see the 'bitwarden.com' part? Or just in certain scenarios?

You should count on it always being visible. It's called Server Name Indication and is used by servers to host multiple secure sites from the same IP.

1 Like
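To make the SNI point above concrete, here is an added Python example (not code from the thread or from Bitwarden) that builds a minimal, constructed TLS ClientHello for vault.bitwarden.com and then parses it the way a passive network monitor would, pulling out the server_name field. The hostname is readable in the clear in that first handshake record; the HTTP request line with the /your-private-site-1/icon.jpg path is only ever sent inside the encrypted application-data records that follow, so it never appears in this parse. The record layout follows RFC 5246; the random bytes and cipher-suite list are placeholder values.

```python
import struct


def build_client_hello(hostname: str) -> bytes:
    """Constructed minimal TLS ClientHello record carrying an SNI extension.

    Only the fields needed by extract_sni() are populated; the random,
    session id and cipher-suite list are placeholders, not real traffic.
    """
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    sni_data = struct.pack("!H", len(entry)) + entry         # ServerNameList
    sni_ext = struct.pack("!HH", 0x0000, len(sni_data)) + sni_data  # ext type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"              # client_version TLS 1.2
        + bytes(32)              # random (placeholder zeros)
        + b"\x00"                # session_id length 0
        + b"\x00\x02\x13\x01"    # cipher_suites: length 2, one placeholder suite
        + b"\x01\x00"            # compression_methods: length 1, null
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake


def extract_sni(record: bytes):
    """Return the host_name from a ClientHello record, or None if absent.

    This is exactly what a network log on the path can record: the record
    is unencrypted, so the hostname is visible, but no URL path is present.
    """
    if len(record) < 5 or record[0] != 0x16:   # not a handshake record
        return None
    hs = record[5:]
    if not hs or hs[0] != 0x01:                # not a ClientHello
        return None
    pos = 4 + 2 + 32                           # hdr, version, random
    if pos >= len(hs):
        return None
    sid_len = hs[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2 + cs_len
    cm_len = hs[pos]
    pos += 1 + cm_len
    if pos + 2 > len(hs):                      # no extensions block at all
        return None
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        edata = hs[pos:pos + elen]
        pos += elen
        if etype != 0x0000:
            continue
        list_len = struct.unpack("!H", edata[:2])[0]
        p = 2
        while p + 3 <= 2 + list_len:
            ntype = edata[p]
            nlen = struct.unpack("!H", edata[p + 1:p + 3])[0]
            p += 3
            if ntype == 0:
                return edata[p:p + nlen].decode("ascii")
            p += nlen
    return None


if __name__ == "__main__":
    rec = build_client_hello("vault.bitwarden.com")
    print("SNI visible on the wire:", extract_sni(rec))
    print("path bytes in the handshake:", b"/icon.jpg" in rec)
```

Running the block prints the hostname and False for the path check; the same parse applied to a real capture (e.g. via Zeek's ssl.log or Wireshark's tls.handshake.extensions_server_name field) shows the same thing, which is why the answer above says to count on the hostname being visible.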

Thanks @ShirokaiLon.

The Discourse software cut off the snippet at a rather critical point in your post, so I'll add the important text here:

The desired hostname is not encrypted in [the] original SNI extension, so an eavesdropper can see which site is being requested.

Later in the Wikipedia article they mention:

As of mid 2018, an upgrade called Encrypted SNI (ESNI) is being rolled out in an "experimental phase" to address this risk of domain eavesdropping

We have a help article that covers this topic:

https://help.bitwarden.com/article/website-icons/

Hello, my query is related to this topic.
I was looking for a clarification regarding the website-icon cache that is stored locally on our computer (and not about fetching the website icons from the endpoints).
Unfortunately the help article "Privacy when using Website Icons | Bitwarden Help & Support" does not mention anything about the security of local cached storage of website icons.
On doing some checks myself, I found that the website icons were stored in an unencrypted format in the cached local storage, which could be viewed with any image viewer irrespective of the lock state of the vault. Though some of them threw an unsupported-format error, I could still manage to see some of the web icons. The directory I am referring to in the case of Windows is C:\users\user\AppData\Roaming\Bitwarden\Cache.

It would be great if there was some clarification regarding this.
If it's the case as I indicated above, then it might be a good idea to disclose it somewhere so as to enable users to be better aware of their privacy/security threats.

For example, this might be helpful for a user to decide whether to keep website icons on or off on a work computer, etc.
I hope this would be clarified soon.
Thanks

1 Like

Thanks for the suggestion! We can definitely provide a little clarity on this in the Help Center article.

1 Like

On a related note I am fairly new to BW and in the process of migrating from 1PW. I was looking into the website icons use today and the references (in the FAQ info) about privacy concerns:

We understand that certain privacy-minded users may not want to use website icons. We provide the option to disable website icons on all Bitwarden client applications by turning off the following option…

Is there any option to manually load your own icons? This is a feature 1PW has had for some time allowing you to use any image to create a logo for a vault entry. In addition to allowing greater user customisation (which can help identify entries) this also eliminates the need for BW to ping external addresses to get the icons, thereby largely alleviating the privacy concerns expressed above? If not currently possible is there any technical reason why BW could not be modified to do this (or should not be for security reasons)? [aside from the identified exposed cache situation @Gaurav has already raised above which already exists.]

(P.S. This was a function I found especially useful while using 1PW the last couple of years…)

EDIT: I have subsequently discovered (and as is typically the case, only shortly after posting this, via a vaguely related post) the 2018 Feature Request: Custom icons for items and folders/collections - so take it from this that it is not currently possible in BW…

Hey @Mycenius thanks for the feedback, custom icons is not currently available but as referenced in the article above, you can disable icons in the settings menu.

Thanks @bw-admin - all good and yes I'm across the option to disable. Actually I'm more interested in what they pose as a privacy vs. security risk, and how much of one, as detailed in item #6 of my post here: Assessing Security & Safety vs. Convenience for Log In & PIN Options :grinning:

Except for in the web vault… :face_with_symbols_over_mouth:

I mean, you can change the setting, but by then the icons have already been loaded. And the preference is not persistent, so the icons are loaded again on the next login…

Is there any reason why the web icon option can't be stored in the vault, like some of the other vault preferences (theme, etc.)?

Yep exactly. The other PW manager I've been using up to now appears to do that (although I have not verified that), and as it allows you to manually upload your own image file for each icon (I assume it resamples it to a suitable size at upload to save storage space - as I have uploaded some pretty big logo images into it in the past) it eliminates the need to source them externally completely (although it still does do that by default where it can locate an icon).

P.S. And those locally stored icons (including the manually uploaded ones) appear even in its web vault instance.

That sounds like a good candidate for a feature request to help capture interest to share with the team.

Is there any reason why the web icon option can't be stored in the vault, like some of the other vault preferences (theme, etc.)?

2 Likes

Curiously enough my current PM only stores some of them encrypted in the vault (I had thought it was all - see here Protect yourself when using rich icons):

Icons you add to your items… are encrypted with the rest of your data. However, the rich icons that are automatically downloaded are not encrypted.

So going the whole hog and surpassing the above and storing all icons in the encrypted vault would be a big plus IMO - for both the apps/extensions and the web vault!

I would like to understand the security implications of retrieving icons a little bit better.

As far as I understand the documentation, the Bitwarden server is fetching the icons, and I am wondering how the server can fetch the icons if only encrypted data is transmitted to the server.

But I might be wrong and the clients are fetching the icons? I would appreciate a little clarification on this topic very much!

@Quaser Welcome to the forum!

The clients are sending an unencrypted request to a special icon server (icons.bitwarden.net), which then fetches the icon and sends it back to the client.

For example, if you have a Google login stored in your vault, then the URL is stored in an encrypted form on the vault.bitwarden.com server, and may look as follows:

"uri": "2.Pji41crOzpH+JwKk7UcMiQ==|32aW9SbxB+g2ZzNVx0Y2bK8coA4gAmT8FyoGingXjStgJpqiMgcTKgPxdGfyIhenVeYe/d9U5RJ5UAq14eDm/daF94O+qTj5l4SZjkOsFDA=|KM1JmDnCwH6lEBQvwaSjYWujeO7A11zN8AV2wAyx2Bo="

This encrypted cipher string is fetched by your Bitwarden client app and locally deciphered, storing the decrypted URL (https://accounts.google.com/v3/signin) in the device memory only.

Subsequently, the Bitwarden client app sends an HTML request of the form https://icons.bitwarden.net/google.com/icon.png to the icon server (icons.bitwarden.net). The icon server then fetches the icon from google.com and delivers it to the requesting client, which stores it in a cache on the local device (e.g., C:\users\user\AppData\Roaming\Bitwarden\Cache). In addition, icon images are cached by Cloudflare's Content Delivery Network, as described in the Help Documentation.

1 Like
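To make the flow in the reply above concrete, here is an added Python example (not Bitwarden's code and not part of the thread) that takes the cipher string quoted in that reply apart into its three parts, shows where the client's HMAC check would sit before any decryption, and then derives the icon-server URL from the decrypted URI the way the reply describes. The type-2 prefix denotes AES-256-CBC with HMAC-SHA256 in the form iv|ciphertext|mac, so the parser checks those lengths. Assumptions: the MAC key used here is a labelled placeholder (the real one is derived from the account's master password and is not on the page, so the check is expected to fail), and reducing the hostname to its last two labels is a simplification standing in for proper public-suffix handling.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

# The encrypted "uri" field quoted in the reply above (copied verbatim).
SAMPLE_CIPHER_STRING = (
    "2.Pji41crOzpH+JwKk7UcMiQ==|"
    "32aW9SbxB+g2ZzNVx0Y2bK8coA4gAmT8FyoGingXjStgJpqiMgcTKgPxdGfyIhenVeYe/d9U5RJ5UAq14eDm/daF94O+qTj5l4SZjkOsFDA=|"
    "KM1JmDnCwH6lEBQvwaSjYWujeO7A11zN8AV2wAyx2Bo="
)

# Placeholder only: the real MAC key lives in the client's memory after unlock.
PLACEHOLDER_MAC_KEY = b"placeholder-mac-key-not-the-real-one-32"


def parse_cipher_string(cs: str) -> dict:
    """Split a type-2 cipher string (AES-256-CBC + HMAC-SHA256) into iv, ciphertext, mac."""
    enc_type, dot, rest = cs.partition(".")
    if dot != "." or enc_type != "2":
        raise ValueError("only encryption type 2 is handled in this example")
    fields = rest.split("|")
    if len(fields) != 3:
        raise ValueError("type 2 cipher strings are iv|ciphertext|mac")
    iv, ct, mac = (base64.b64decode(f) for f in fields)
    # Sanity checks: 16-byte CBC IV, 32-byte SHA-256 tag, block-aligned ciphertext.
    if len(iv) != 16 or len(mac) != 32 or len(ct) % 16 != 0:
        raise ValueError("malformed type 2 cipher string")
    return {"type": 2, "iv": iv, "ciphertext": ct, "mac": mac}


def mac_is_valid(parts: dict, mac_key: bytes) -> bool:
    """Encrypt-then-MAC check over iv||ciphertext; the client refuses to decrypt on failure."""
    expected = hmac.new(mac_key, parts["iv"] + parts["ciphertext"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, parts["mac"])


def icon_request_url(decrypted_uri: str, icon_server: str = "https://icons.bitwarden.net") -> str:
    """Build the icon-server request from a decrypted vault URI.

    Only a registrable domain is sent, never the path or query. Taking the last
    two host labels is a simplification standing in for public-suffix handling.
    """
    host = urlsplit(decrypted_uri).hostname
    if not host:
        raise ValueError("vault URI has no hostname")
    labels = host.split(".")
    domain = ".".join(labels[-2:]) if len(labels) >= 2 else host
    return f"{icon_server}/{domain}/icon.png"


if __name__ == "__main__":
    parts = parse_cipher_string(SAMPLE_CIPHER_STRING)
    print("iv bytes:", len(parts["iv"]), "ciphertext bytes:", len(parts["ciphertext"]),
          "mac bytes:", len(parts["mac"]))
    print("MAC valid with placeholder key:", mac_is_valid(parts, PLACEHOLDER_MAC_KEY))
    # The decrypted value from the reply above; decryption itself needs the real key.
    print("icon request:", icon_request_url("https://accounts.google.com/v3/signin"))
```

The point for the thread's privacy question is visible in the last line: the stored URI carries a full path, but the only thing that leaves the device in cleartext is the derived domain inside the icon-server URL, and that request is itself wrapped in TLS so a network observer sees only the icons.bitwarden.net SNI discussed earlier.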

@grb

Thanks for the welcome and for the clarification, that resolved my concerns regarding this functionality!

I would suggest that Bitwarden adds your explanation to the mentioned documentation. At least for me this was not obvious!

2 Likes