Log-out of all sessions doesn't log me out from my mobile device


#1

Nearly two weeks ago I deauthorized all my Bitwarden sessions from the web vault. My browser extension session was deauthorized; however, my Android client session was not. After nearly two weeks, I can still access my vault from my Android app – I would expect my Android session to expire, too. Is this a bug? Does this behavior occur for other users?


#2

Hi,
Was your Android device connected when you did it? And did you try using the button to sync the client afterward?
I'm curious about it, because if it can happen even with those precautions, it puts the user in a situation where he can believe that a lost device will disconnect as soon as it is connected, or at least as soon as it tries to sync. So if it stays connected indefinitely (depending on the client settings chosen by the user), this "Deauthorize" option does nothing except add risk, by making the user not change other security options, thinking that everything is OK.
If that's the case, it has to be corrected.


#3

Yes, it was connected to the internet.

Yes, I pressed the "Sync Now" button on the Android client. But the Android client didn't lock me out.

Yes, I agree with that point.


#4

My suggestion is to report it directly on this page:
https://bitwarden.com/contact/

You can even send a link to this post in your mail.

Could you please reply here and report the answer to your inquiry? I am interested in knowing.


#5

Okay, here is an update on the situation.

As I said, the last time I used the web vault to deauthorize all sessions, Bitwarden didn't lock me out of my Android client. Today, I tried to deauthorize myself from Bitwarden again, using the web vault. Again, my browser extension got deauthorized; however, the Android app session did not.

That was distressing.

I continued on the Android app, under Settings, to manually sync the app. However, the app responded "sync failed". And I checked the last sync time: it was 22.08.2019! So, even though I could reach my vault on the Android app, it was a pretty outdated version of it.

Then, I manually logged out of the Android app, and logged back in.

So, the key takeaway is this: deauthorize all sessions did not work on the Android app. After pressing "Deauthorize all sessions" on the web vault, my Android app session still stayed; however, it failed to sync.

@jseb I haven’t emailed Kyle yet. Maybe he can chime in here @kspearrin

I hope this bug does not repeat itself in the future.


#6

I agree that this bug should be addressed rapidly. I hope that Kyle Spearring will take it seriously and correct it ASAP.


#7

I am not able to reproduce the problem. If I try to sync the Android app after deauthorizing sessions from the web vault, I am immediately logged out.


#8

Yes, that’s what generally happens. What I described above was the first time I experienced that issue. Nonetheless, it deserves attention, I would say.


#9

On my device, if Bitwarden's app is open it gets disconnected, but if not, as soon as synchronization is called it finally disconnects. In between, if it isn't locked, everything is accessible… It should disconnect without this issue happening. But your situation is worse. Even on sync, it stays connected…


#10

Same thing happened to me. Deauthorize all sessions didn’t log me out on my mobile device. Syncing would just say “sync failed” but not log me out. I feel like this is a security issue that should be addressed.

If I deauthorize all sessions, it should log me out of all logged in instances.
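The failure mode described in the posts above (the web vault's "Deauthorize all sessions" leaves the phone logged in, and the phone reports "sync failed" rather than logging out) comes down to which error the client receives. The following is an added example for this thread, not Bitwarden's code and not a description of how its servers or apps are implemented: it models a hypothetical server that revokes every token by rotating a per-user "security stamp", and a client that logs out only when the server explicitly rejects its token. A sync that fails for any other reason teaches the client nothing about its session, so the locally cached vault stays readable. The `stale_after` policy is one added mitigation: after a number of consecutive failed syncs the client fails closed and wipes its cached copy. All names (`Server`, `Client`, `scenario`, the user "alice" and the vault contents) are constructed for illustration.

```python
"""Toy model of "deauthorize all sessions" against a client that fails to sync.

Added example for this thread, not Bitwarden's code: the server, client,
user name and vault contents below are all constructed for illustration.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


class Unauthorized(Exception):
    """The server examined the token and rejected it."""


class TransportError(Exception):
    """The request never got an answer (offline, DNS, TLS, timeout)."""


@dataclass
class Server:
    # One "security stamp" per user. Each access token carries the stamp
    # current at login; rotating the stamp revokes every token at once.
    stamps: Dict[str, str] = field(default_factory=dict)
    vaults: Dict[str, Dict[str, str]] = field(default_factory=dict)

    def login(self, user: str) -> dict:
        stamp = self.stamps.setdefault(user, secrets.token_hex(8))
        return {"user": user, "stamp": stamp}

    def deauthorize_all(self, user: str) -> None:
        self.stamps[user] = secrets.token_hex(8)

    def sync(self, token: dict) -> Dict[str, str]:
        if self.stamps.get(token["user"]) != token["stamp"]:
            raise Unauthorized
        return dict(self.vaults[token["user"]])


@dataclass
class Client:
    server: Server
    online: bool = True
    stale_after: int = 3          # consecutive failed syncs tolerated before local lockout
    token: Optional[dict] = None
    vault: Optional[Dict[str, str]] = None
    failed_syncs: int = 0

    def login(self, user: str) -> None:
        self.token = self.server.login(user)
        self.sync()

    def sync(self) -> str:
        """Return "ok", "sync failed" or "logged out"."""
        if self.token is None:
            return "logged out"
        try:
            if not self.online:
                raise TransportError
            self.vault = self.server.sync(self.token)
            self.failed_syncs = 0
            return "ok"
        except Unauthorized:
            # An explicit rejection is the only signal that the session is gone.
            self.logout()
            return "logged out"
        except TransportError:
            # Nothing was learned about the session. A naive client keeps the
            # cached vault readable indefinitely; this one fails closed after
            # stale_after consecutive failures.
            self.failed_syncs += 1
            if self.failed_syncs >= self.stale_after:
                self.logout()
                return "logged out"
            return "sync failed"

    def logout(self) -> None:
        self.token = None
        self.vault = None

    def can_read_vault(self) -> bool:
        return self.vault is not None


def scenario(reachable: bool, syncs_after_deauth: int = 1, stale_after: int = 3):
    """Log in, deauthorize all sessions server-side, then sync N times.
    Returns (last sync result, whether the cached vault is still readable)."""
    server = Server()
    server.vaults["alice"] = {"example.com": "hunter2"}   # constructed sample data
    phone = Client(server, stale_after=stale_after)
    phone.login("alice")
    server.deauthorize_all("alice")          # the web vault's "Deauthorize all sessions"
    phone.online = reachable
    result = "ok"
    for _ in range(syncs_after_deauth):
        result = phone.sync()
    return result, phone.can_read_vault()


if __name__ == "__main__":
    print(scenario(reachable=True))                         # ('logged out', False)
    print(scenario(reachable=False))                        # ('sync failed', True)
    print(scenario(reachable=False, syncs_after_deauth=3))  # ('logged out', False)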


#11

thanks for reporting in. that sounds just like what I reported.

unfortunately this increases the concern, making my original report not a singular issue.


#12

Yeah it’s definitely concerning and should be addressed as a critical security issue.