Is there any security or privacy issue with the bitwarden web vault retrieving site icons?

The bitwarden web vault, by default, retrieves site icons for every site listed in your vault.

To do this, it makes many HTTPS calls to vault.bitwarden.com. Each call includes the name of one of the sites in your vault.

Simplifying the URL a little, the vault makes calls like:

https://vault.bitwarden.com/your-private-site-1/icon.jpg
https://vault.bitwarden.com/your-private-site-2/icon.jpg
https://vault.bitwarden.com/your-private-site-3/icon.jpg
etc.

Is this a security or privacy concern at all?

For example, let’s say you have to log in to the web vault using a secure device, but on an insecure network (public wifi, for example). From what I understand, this is okay, because all the transmitted data is encrypted by HTTPS. But can someone looking at server logs see that you just accessed:

https://vault.bitwarden.com/your-private-site-1/icon.jpg
https://vault.bitwarden.com/your-private-site-2/icon.jpg
https://vault.bitwarden.com/your-private-site-3/icon.jpg
etc.

thus giving them a list of every site in your vault?

HTTPS encrypts the full URL, so they will not show up in the network logs of the network you’re connected to.

At best, someone looking at the logs will be able to see connections to ‘bitwarden.com’, but not the full URL.


Thanks. Do they always see the ‘bitwarden.com’ part? Or just in certain scenarios?

You should count on it always being visible. It’s called Server Name Indication and is used by servers to host multiple secure sites from the same IP.

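To make the SNI point concrete, here is an added Python example (not from this thread and not Bitwarden code) that builds a minimal TLS 1.2 ClientHello for a hostname and then parses it the way a passive network monitor would, pulling the server name out of the cleartext SNI extension. The ClientHello bytes are constructed inline, the random field is a fixed placeholder, and the cipher suite list is illustrative. It also checks that the URL path (the `/your-private-site-1/icon.jpg` part) never appears in the handshake: the HTTP request is only sent inside encrypted records after the handshake completes, so an eavesdropper on the wifi sees the hostname but not the path.

```python
import struct
from typing import Optional

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def build_client_hello(hostname: Optional[str]) -> bytes:
    """Constructed ClientHello record; SNI extension is included only when hostname is given."""
    random = b"\x11" * 32                      # placeholder, not real randomness
    cipher_suites = b"\x13\x01\xc0\x2f"        # illustrative: TLS_AES_128_GCM_SHA256, ECDHE-RSA-AES128-GCM-SHA256
    extensions = b""
    if hostname is not None:
        name = hostname.encode("idna")
        server_name = b"\x00" + struct.pack("!H", len(name)) + name      # name_type 0 = host_name
        server_name_list = struct.pack("!H", len(server_name)) + server_name
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(server_name_list)) + server_name_list
    body = (
        b"\x03\x03" + random
        + b"\x00"                                        # empty session id
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + b"\x01\x00"                                    # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Walk a TLS record and return the host_name from the SNI extension, or None if absent."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                   # skip client_version and random
    sid_len = body[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len
    comp_len = body[pos]
    pos += 1 + comp_len
    if pos + 2 > len(body):
        return None                                # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype != EXT_SERVER_NAME:
            continue
        list_len = struct.unpack("!H", data[0:2])[0]
        p = 2
        while p + 3 <= 2 + list_len:
            ntype = data[p]
            nlen = struct.unpack("!H", data[p + 1:p + 3])[0]
            p += 3
            name = data[p:p + nlen]
            p += nlen
            if ntype == 0:
                return name.decode("idna")         # this is what the eavesdropper sees
    return None


def monitor_log_line(record: bytes) -> str:
    """What a passive TLS monitor could log for this ClientHello: the hostname and nothing else."""
    host = extract_sni(record)
    return f"tls client_hello sni={host if host is not None else '-'}"


if __name__ == "__main__":
    hello = build_client_hello("vault.bitwarden.com")
    print(monitor_log_line(hello))
    # The request path is not in the handshake; it only travels inside encrypted records later.
    print("path in handshake:", b"/your-private-site-1/icon.jpg" in hello)
```

The hostname comes out of the handshake with no decryption at all, which is why the answer above says to count on `bitwarden.com` being visible; the per-site paths are never in the handshake in the first place.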

Thanks @ShirokaiLon.

The Discourse software cut off the snippet at a rather critical point in your post, so I’ll add the important text here:

The desired hostname is not encrypted in [the] original SNI extension, so an eavesdropper can see which site is being requested.

Later in the Wikipedia article they mention:

As of mid 2018, an upgrade called Encrypted SNI (ESNI) is being rolled out in an “experimental phase” to address this risk of domain eavesdropping

We have a help article that covers this topic:

https://help.bitwarden.com/article/website-icons/

Hello, my query is related to this topic.
I was looking for a clarification regarding the website-icon cache that is stored locally on our computer (and not about fetching the website icons from the endpoints).
Unfortunately the help article “Privacy when using Website Icons | Bitwarden Help & Support” does not mention anything about the security of local cached storage of website icons.
On doing some checks myself, I found that the website icons were stored in an unencrypted format in the cached local storage, which could be viewed with any image viewer irrespective of the lock state of the vault. Though some of them threw an unsupported error, I could still manage to see some of the web icons. The directory I am referring to in the case of Windows is C:\users\user\AppData\Roaming\Bitwarden\Cache.

It would be great if there was some clarification regarding this.
If it is the case as I indicated above, then it might be a good idea to disclose it somewhere to enable users to be better aware of their privacy/security threats.

For example, this might be helpful for a user to decide whether to keep website icons on or off on a work computer, etc.
I hope this would be clarified soon.
Thanks

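A way to check the local cache claim on your own machine, as an added Python example (not from this thread and not Bitwarden code): it scans a directory for image signatures anywhere inside each file, not only at offset 0, because browser-style caches often wrap entries in their own headers, which is one plausible reason some files open in an image viewer and others report an unsupported format. The default directory is the `%APPDATA%\Bitwarden\Cache` path named in the post above; the sample byte strings in the usage block are constructed. A file with no recognisable signature is not proof of encryption, only of the absence of a plain image.

```python
import os
from typing import Dict, Optional, Tuple

# Magic bytes of the formats a favicon cache is likely to hold.
IMAGE_SIGNATURES = (
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
)
ICO_MAGIC = b"\x00\x00\x01\x00"   # too short to search for safely; only accepted at offset 0


def find_image(data: bytes) -> Optional[Tuple[str, int]]:
    """Return (format, offset) of the earliest image signature found in data, or None."""
    best: Optional[Tuple[str, int]] = None
    for magic, kind in IMAGE_SIGNATURES:
        off = data.find(magic)
        if off != -1 and (best is None or off < best[1]):
            best = (kind, off)
    # WebP is "RIFF" <4-byte size> "WEBP"; a plain "RIFF" hit alone (e.g. WAV) does not count.
    off = data.find(b"RIFF")
    while off != -1:
        if data[off + 8:off + 12] == b"WEBP":
            if best is None or off < best[1]:
                best = ("webp", off)
            break
        off = data.find(b"RIFF", off + 1)
    if data.startswith(ICO_MAGIC) and (best is None or best[1] > 0):
        best = ("ico", 0)
    return best


def scan_cache_dir(path: str, max_bytes: int = 1 << 20) -> Dict[str, Optional[Tuple[str, int]]]:
    """Map each regular file in path to the image signature found in its first max_bytes, or None."""
    results: Dict[str, Optional[Tuple[str, int]]] = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full, "rb") as f:
                results[name] = find_image(f.read(max_bytes))
    return results


if __name__ == "__main__":
    # Constructed samples standing in for cache entries.
    samples = {
        "entry_plain_png": b"\x89PNG\r\n\x1a\n" + bytes(16),
        "entry_wrapped_jpeg": b"cache-header-bytes" + b"\xff\xd8\xff\xe0" + bytes(16),
        "entry_opaque": bytes(range(32)),
    }
    for name, data in samples.items():
        print(name, "->", find_image(data))
    cache_dir = os.path.expandvars(r"%APPDATA%\Bitwarden\Cache")   # path from the post above
    if os.path.isdir(cache_dir):
        for name, hit in scan_cache_dir(cache_dir).items():
            print(f"{name}: {'plain ' + hit[0] + ' at offset ' + str(hit[1]) if hit else 'no image signature'}")
```

Files that report a signature at a non-zero offset are the ones an image viewer may refuse while the image data is nevertheless stored in the clear.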

Thanks for the suggestion! We can definitely provide a little clarity on this in the Help Center article.
