Notification of "Log in with device" without any action

Hi,
I received a notification from the Bitwarden app on my phone stating:
“Confirm login attempt for [xxx@xxx]”
The email address is indeed mine, but I didn’t initiate any login or action on Bitwarden. I know that the “Log in with device” feature can only be used from a known device, and I have only been logged in via the browser extension and my phone. I’ve checked my devices, my PC had been off for more than 24 hours, while my phone was locked.

I’m concerned that someone might have attempted to access my account, and I don’t understand how this would be possible. It would require knowing my email (which is only used for Bitwarden) and having access to a device on which I’ve previously logged in. Could this be a bug or an issue related to the “Log in with device” feature? Is it possible that this notification was triggered erroneously?

Thanks in advance for your help!

@Comkpa136 Welcome to the forum!

I’m only speculating, but perhaps the “known device” token can be exfiltrated, similar to the way that some malware exfiltrates session cookies.

I would also suggest that you contact support to make Bitwarden aware of the issue, and to see if they can provide any insight.

While you are waiting for BW response, if there are repeated attempts:

  1. The mobile app has the option to turn off being an approval device
  2. Deauthorizing sessions from the web vault, after making sure you have the correct master password and 2FA, theoretically gets rid of all such tokens, but you may want to do this from a malware-free machine.
  3. The requesting IP address might be useful (e.g. if it is traced to a foreign country)

But if tokens were lifted from your devices, you also need to consider malware, likelier on your computers than on your mobiles. Some infostealers/malware can execute and disappear without a trace, but some will linger. I personally would scan with Anti-viruses / Anti-malware immediately regardless.

Thank you for your help.

I have contacted support and am waiting for their reply.
I’ve also run several checks on my computer with Malwarebytes etc, and I haven’t found any problems.
My iPhone is not jailbroken, I only have “famous” applications and I’m not a “high” target.

About the option to turn off approval device I didn’t find it, apparently this is no longer possible since an update: ttps://github.com/bitwarden/clients/pull/9495
The 2. is already done, and for the 3. I didn’t see the attempt in the application, the request remains 15 minutes so it was too late when I saw the notification.

1 Like