Polymorphic browser extension attacks: 2FA doesn't help?

The way this attack works is like this:

  • attacker gets access to the code supply chain of an extension you use (adblock? Grammarly? clipper?). Another way is some idiot just buying the extension as an investment and just bungling the security of hosting and compiling the code

  • when you are signing into a site, the intermittently rogue extension swaps its icon to the bitwarden icon and puts bitwarden into the extensions tray. Because you are looking at the password field of a website, you don’t notice this. It only takes less than a second. Store app scanning doesn’t catch this. Ultimately, there is no way to tell if any of your extensions are secure, because at a minimum every maintaining dev who’s compiling those binaries needs perfect security. So, every extension is an attack surface.

  • you are prompted for your bitwarden password, but it’s actually the other extension that is impersonating bitwarden and you haven’t been logged out.

  • you can also be prompted for your 2FA; google authenticator, app prompt, yubikey etc. Does any 2FA even make any difference?

Are there any ways to improve Bitwarden against this or ways to use Bitwarden more securely?

  1. Show the fingerprint phrase on every login with screenshots disabled. Rolling fingerprint phrases?

  2. Don’t use the laptop for logging in. Use the phone?

Bigger idea: try to put everything server side, using a phone to authenticate logins?

edit:
User advice in the short term: Uninstall any extension that isn’t essential. Use a separate account?

I think using “Login with Device” and “Unlock with Biometrics” might make it possible to spot swapping. A fake Bitwarden extension wouldn’t have the “familiar device” token for Login with Device. If someone usually unlocks their vault with Biometrics and suddenly finds themselves logged out, they might start investigating. Was there an update? No? Hmm…

2FA here probably doesn’t make any difference at all; the fake Bitwarden extension would just imitate whatever the real extension does to get the password and the encrypted vault.


My understanding is that using a Yubikey as 2FA would not be susceptible to a phishing or Attacker-in-the-Middle scheme.

Do not allow other extensions to be active other than Bitwarden’s extension. A simple way to accomplish this is to allow only Bitwarden’s extension to be used in Incognito/Private mode, and then use only Incognito/Private mode if you need to access credentials from Bitwarden.

susceptible to a phishing or Attacker-in-the-Middle scheme

Is the Attacker-in-the-Middle that FIDO2 usually protects against just a website pretending to be the real one? In that case, the protocol would stop you from logging in to the wrong domain. But what happens if a malware extension perfectly copies the Bitwarden authentication process and connects to the Bitwarden server, just like the legit extension does? How does the protocol protect against interacting with the wrong client on the same machine, authenticating with the correct domain?

I admit this is a bit outside my expertise, but I’m having trouble envisioning how this could be made to work.

If a rogue extension acts as an AitM, it would certainly be able to collect the victim’s username/password, and could then forward those credentials to a legitimate Bitwarden client (running on the attacker’s hardware), to attempt to get access to the account. However, the legitimate client would then open the webpage https://vault.bitwarden.com/#/2fa, which would be the relying party for the FIDO2 authentication ceremony. If the rogue extension attempts to serve the https://vault.bitwarden.com/#/2fa page, I doubt that it will successfully be able to complete the authentication ceremony. A simple experiment shows that launching the https://vault.bitwarden.com/#/2fa page out of context will just redirect to https://vault.bitwarden.com/#/login. So the legitimate client must be passing some data with the GET request, allowing the server to recognize the request as part of a valid login attempt. Add to that the fact that if the FIDO2 authentication ceremony is completed (on the victim’s device), presumably creating some kind of token that can be submitted to the server, then that token must be transferable to the attacker’s computer in order for the AitM scheme to succeed.

I would need some convincing that this process could be spoofed.

I envision how this would work differently. Right now, somebody potentially can write a legitimate alternative Bitwarden extension that can access a user’s vault in lieu of the Bitwarden extension, right? So, the alternative extension needs to authenticate the user and download the vault just as the Bitwarden extension would. It’s possible for another extension to authenticate the user using FIDO2 as 2FA and download the encrypted vault.

So, in the context of the polymorphic extension malware, it authenticates the user to the real Bitwarden server as a newly installed Bitwarden extension would. It passes the server all the info that the server requires, including the email and some hashes, and when the server asks for 2FA, it does the same thing as the real extension does, using the web browser as the FIDO2 client (by opening another tab, etc.), the FIDO2 key as the authenticator, and Bitwarden server as the relying party, and does whatever the real extension does to get the tokens, etc, from the server. Eventually, the malware extension would get the encrypted vault, along with the password it has already gotten, and potentially a long-term “Remember me” 2FA token. This is a lot of hand-waving lacking the implementation/practical details, but there lies the nature of such discussion.

Unless the Bitwarden server can precisely exclude “unauthentic” clients, I can see this working. I am still reading, but as far as I can tell, FIDO2 prevents authenticating to the wrong party based on the domain and prevents capturing the authentication secret. Here, the extension malware can attempt to “phish” the password, retrieve the encrypted vault, potentially get a long-term “remember me” 2FA token, and upload the information if it has the permission. FIDO2 likely can’t be used as a guard against a mimicking malware.
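As an added illustration of the point made in this reply and the one two posts above (example code written for this thread, not from any poster and not Bitwarden's own code): a simplified WebAuthn relying-party verifier. The checks are bound to the challenge, the origin and the RP ID, so an assertion produced on a look-alike domain is rejected, while one produced by any client that opens the genuine origin verifies identically. The RP ID, origin, credential key and the HMAC standing in for the ECDSA signature are all constructed assumptions.

```python
import hashlib, hmac, json, os

RP_ID = "bitwarden.com"                     # assumed RP ID the server registered
RP_ORIGIN = "https://vault.bitwarden.com"   # assumed origin the server expects
CRED_KEY = b"constructed-credential-key"    # stand-in for the credential key pair

def authenticator_assert(challenge: bytes, origin: str, rp_id: str):
    """Simulates browser + security key during navigator.credentials.get():
    the browser writes the origin it actually sees into clientDataJSON and
    the key signs over authenticatorData (rpIdHash || flags) || sha256(clientDataJSON)."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": challenge.hex(),
                              "origin": origin}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(CRED_KEY, signed, hashlib.sha256).digest()  # HMAC stands in for ECDSA
    return client_data, auth_data, sig

def rp_verify(expected_challenge: bytes, client_data: bytes,
              auth_data: bytes, sig: bytes) -> bool:
    """What the relying party checks on an assertion (WebAuthn 7.2, simplified)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("challenge") != expected_challenge.hex():      # replay / stale challenge
        return False
    if cd.get("origin") != RP_ORIGIN:                         # look-alike domain fails here
        return False
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    expected = hmac.new(CRED_KEY, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected)

def assertion_from_lookalike_site() -> bool:
    """Phishing page on another domain relays the real challenge; the browser still
    reports the real origin and scopes the key to that domain, so the RP rejects."""
    ch = os.urandom(32)
    return rp_verify(ch, *authenticator_assert(ch, "https://vault-bitwarden.example",
                                               "vault-bitwarden.example"))

def assertion_from_genuine_origin() -> bool:
    """Any client on the machine that opens the genuine origin (the real extension
    or a mimic) produces an assertion the RP cannot tell apart, so it verifies."""
    ch = os.urandom(32)
    return rp_verify(ch, *authenticator_assert(ch, RP_ORIGIN, RP_ID))
```

The verifier has no field that identifies which extension started the ceremony; that is the gap the thread is pointing at.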


Scary situation but one I’ve been anticipating for some time, given that there must be countless bad actors intent on getting access to online password manager vaults. This is just the next step for them.