Is there any security or privacy issue with the bitwarden web vault retrieving site icons?

The bitwarden web vault, by default, retrieves site icons for every site listed in your vault.

To do this, it makes many https calls to Each call includes the name of one of the sites in your vault.

Simplifying the url a little, the vault makes calls like:

Is this a security or privacy concern at all?

For example, let’s say you have to log in to the web vault using a secure device, but on an insecure network (public wifi, for example). From what I understand, this is okay, because all the transmitted data is encrypted by HTTPS. But can someone looking at server logs see that you just accessed:

thus giving them a list of every site in your vault?

HTTPS encrypts the full URL, so they will not show up in the network logs of the network you’re connected to.

At best, someone looking at the logs will be able to see connections to ‘’, but not the full URL.

1 Like

Thanks. Do they always see the ‘’ part? Or just in certain scenarios?

You should count on it always being visible. It’s called Server Name Indication and is used by servers to host multiple secure sites from the same IP.

1 Like

Thanks @ShirokaiLon.

The Discourse software cut off the snippet at a rather critical point in your post, so I’ll add the important text here:

The desired hostname is not encrypted in [the] original SNI extension, so an eavesdropper can see which site is being requested.

Later in the Wikipedia article they mention:

As of mid 2018, an upgrade called Encrypted SNI (ESNI) is being rolled out in an “experimental phase” to address this risk of domain eavesdropping

We have a help article that covers this topic:

Hello , my query is related to this topic.
I was looking for a clarification regarding the website-icon cache that is stored locally on our computer (and not about fetching the websites-icons from the endpoints.)
Unfortunately the help article “Privacy when using Website Icons | Bitwarden Help & Supportdoes not mention anything about the security of local cached storage of website icons.
On doing some checks myself , i found that the website icons were stored in an unencrypted format in the cached local storage, which could be viewed with any image viewer irrespective of lock state of the vault. Though some of them threw unsupported error but still could manage to see some of the web-icons. The directory i am referring to in case of windows is C:\users\user\AppData\Roaming\Bitwarden\Cache.

It would be great if there was some clarification regarding this.
If its the case as i indicated above , then it might be good idea to disclose it somewhere as to enable users to be better aware about their privacy/security threats.

For example- This might helpful for a user to decide, whether to keep website-icons on or off on a work computer/ etc.
I hope this would be clarified soon.

1 Like

Thanks for the suggestion! We can definitely provide a little clarity on this in the Help Center article.

1 Like

On a related note I am fairly new to BW and in the process of migrating from 1PW. I was looking into the website icons use today and the references (in the FAQ info) about privacy concerns:

We understand that certain privacy-minded users may not want to use website icons. We provide the option to disable website icons on all Bitwarden client applications by turning off the following option…

Is there any option to manually load your own icons? This is a feature 1PW has had for some time allowing you to use any image to create a logo for a vault entry. In addition to allowing greater user customisation (which can help identify entries) this also eliminates the need for BW to ping external addresses to get the icons, thereby largely alleviating the privacy concerns expressed above? If not currently possible is there any technical reason why BW could not be modified to do this (or should not be for security reasons)? [aside from the identified exposed cache situation @Gaurav has already raised above which already exists.]

(P.S. This was a function I found especially useful while using 1PW the last couple of years…)

EDIT: I have subsequently discovered (and as is typically the case, only shortly after posting this, via a vaguely related post) the 2018 Feature Request: Custom icons for items and folders/collections - so take it from this that it is not currently possible in BW…

Hey @Mycenius thanks for the feedback, custom icons is not currently available but as referenced in the article above, you can disable icons in the settings menu.

Thanks @bw-admin - all good and yes I’m across the option to disable. Actually I’m more interested in what the pose as a privacy v. security risk, an dhow much of one, as detailed in item #6 my post here: Assessing Security & Safety vs. Convenience for Log In & PIN Options :grinning:

Except for in the web vault… :face_with_symbols_over_mouth:

I mean, you can change the setting, but by then the icons have already been loaded. And the preference is not persistent, so the icons are loaded again on the next login…

Is there any reason why web icon option can’t be stored in the vault, like some of the other vault preferences (theme, etc.)?

Yep exactly. The other PW Manager I’ve been using up to now appears to do that (although I have not verified that), and as it allows you to manually upload your own image file for each icon (I assume it resamples it to a suitable size at upload to save storage space - as I have uploaded some pretty big logo images into it in the past) it eliminates the need to source them externally completely (although still does do that be default where it can locate an icon).

P.S. And those locally stored icons (including the manually uploaded ones) appear even in it’s web vault instance.

That sounds like a good candidate for a feature request to help capture interest to share with the team.

Is there any reason why web icon option can’t be stored in the vault, like some of the other vault preferences (theme, etc.)?

1 Like

Curiously enough my current PM only stores some of them encrypted in the vault (I had thought it was all - see here Protect yourself when using rich icons):

Icons you add to your items… are encrypted with the rest of your data. However, the rich icons that are automatically downloaded are not encrypted.

So going the whole hog and surpassing the above and storing all icons in the encrypted vault would be a big plus IMO - for both the apps/extensions and the web vault!