Polymorphic browser extension attacks: 2FA doesn't help?

The way this attack works is like this:

  • attacker gets access to the code supply chain of an extension you use (adblock? Grammarly? clipper?). Another way is some idiot just buying the extension as an investment and bungling the security of hosting and compiling the code

  • when you are signing into a site, the intermittently rogue extension swaps its icon to the Bitwarden icon and puts Bitwarden into the extensions tray. Because you are looking at the password field of a website, you don’t notice this. It takes less than a second. Store app scanning doesn’t catch this. Ultimately, there is no way to tell if any of your extensions are secure, because at a minimum every maintaining dev who’s compiling those binaries needs perfect security. So, every extension is an attack surface.

  • you are prompted for your Bitwarden password, but it’s actually the other extension that is impersonating Bitwarden, and you haven’t been logged out.

  • you can also be prompted for your 2FA: Google Authenticator, app prompt, YubiKey, etc. Does any 2FA even make any difference?

Are there any ways to improve Bitwarden against this, or ways to use Bitwarden more securely?

  1. Show the fingerprint phrase on every login with screenshots disabled. Rolling fingerprint phrases?

  2. Don’t use the laptop for logging in. Use the phone?

Bigger idea: try to put everything server side, using a phone to authenticate logins?

edit:
User advice in the short term: Uninstall any extension that isn’t essential. Use a separate account?

I think using “Login with Device” and “Unlock with Biometrics” might make it possible to spot swapping. A fake Bitwarden extension wouldn’t have the “familiar device” token for Login with Device. If someone usually unlocks their vault with Biometrics and suddenly finds themselves logged out, they might start investigating. Was there an update? No? Hmm…

2FA here probably doesn’t make any difference at all; the fake Bitwarden extension would just imitate whatever the real extension does to get the password and the encrypted vault.


My understanding is that using a Yubikey as 2FA would not be susceptible to a phishing or Attacker-in-the-Middle scheme.

Do not allow other extensions to be active other than Bitwarden’s extension. A simple way to accomplish this is to allow only Bitwarden’s extension to be used in Incognito/Private mode, and then use only Incognito/Private mode if you need to access credentials from Bitwarden.


susceptible to a phishing or Attacker-in-the-Middle scheme

Is the Attacker-in-the-Middle that FIDO2 usually protects against just a website pretending to be the real one? In that case, the protocol would stop you from logging in to the wrong domain. But what happens if a malware extension perfectly copies the Bitwarden authentication process and connects to the Bitwarden server, just like the legit extension does? How does the protocol protect against interacting with the wrong client on the same machine, authenticating with the correct domain?

I admit this is a bit outside my expertise, but I’m having trouble envisioning how this could be made to work.

If a rogue extension acts as an AitM, it would certainly be able to collect the victim’s username/password, and could then forward those credentials to a legitimate Bitwarden client (running on the attacker’s hardware) to attempt to get access to the account. However, the legitimate client would then open the webpage https://vault.bitwarden.com/#/2fa, which would be the relying party for the FIDO2 authentication ceremony. If the rogue extension attempts to serve the https://vault.bitwarden.com/#/2fa page, I doubt that it will successfully be able to complete the authentication ceremony. A simple experiment shows that launching the https://vault.bitwarden.com/#/2fa page out of context will just redirect to https://vault.bitwarden.com/#/login. So the legitimate client must be passing some data with the GET request, allowing the server to recognize the request as part of a valid login attempt. Add to that the fact that if the FIDO2 authentication ceremony is completed (on the victim’s device), presumably creating some kind of token that can be submitted to the server, then that token must be transferable to the attacker’s computer in order for the AitM scheme to succeed.

I would need some convincing that this process could be spoofed.


I envision how this would work differently. Right now, somebody could potentially write a legitimate alternative Bitwarden extension that can access the user’s vault in lieu of the Bitwarden extension, right? So, the alternative extension needs to authenticate the user and download the vault just as the Bitwarden extension would. It’s possible for another extension to authenticate the user using FIDO2 as 2FA and download the encrypted vault.

So, in the context of the polymorphic extension malware, it authenticates the user to the real Bitwarden server as a newly installed Bitwarden extension would. It passes the server all the info that the server requires, including the email and some hashes, and when the server asks for 2FA, it does the same thing as the real extension does, using the web browser as the FIDO2 client (by opening another tab, etc.), the FIDO2 key as the authenticator, and Bitwarden server as the relying party, and does whatever the real extension does to get the tokens, etc, from the server. Eventually, the malware extension would get the encrypted vault, along with the password it has already gotten, and potentially a long-term “Remember me” 2FA token. This is a lot of hand-waving lacking the implementation/practical details, but there lies the nature of such discussion.

Unless Bitwarden server can precisely exclude “unauthentic” clients, I can see this working. I am still reading, but as far as I can tell, FIDO2 prevents authenticating to the wrong party based on the domain and prevents capturing authentication secret. Here, the extension malware can attempt to “phish” the password, retrieve the encrypted vault, potentially get a long-term “remember me” 2FA token, and upload the information if it has the permission. FIDO2 likely can’t be used as a guard against a mimicking malware.


Scary situation but one I’ve been anticipating for some time, given that there must be countless bad actors intent on getting access to online password manager vaults. This is just the next step for them.

I wanted to edit the OP with the 2 solutions suggested:

  1. Use Bitwarden elsewhere and copy and paste, such as only allowing the extension in incognito mode

and

  2. Never login with a password. Always “Login with device” and have the fingerprint phrase memorised. The polymorphic attack then needs to spy on the fingerprint phrase. This is also possible, but hopefully less likely.

#1 is better, but I don’t know how to automate getting the credentials into the clipboard other than going back to copy and pasting hell. Unless anyone has any smart ideas about speeding that up, even if it’s just speeding it up a little bit

The “finger-print” phrases in “Login with Device” vary from one login to another. Your account’s finger-print phrase probably isn’t used beyond emergency access and organization identification.


Thanks Neuron. Then it sounds like the whole browser extension is too much of a risk.

I’m going to try to plan out a way to get passwords from phone to laptop as quickly as possible. Something like a clipboard sync, but finding the site also needs to be sped up.
How could something like that be designed securely, but very quick to use?

The system clipboard is readable by any process running on your devices (and is routinely inspected by various processes). Trading the browser extension for a clipboard-based solution is a cure that is significantly worse than the disease.


I certainly cannot evaluate other people’s subjective risk, but I think there are other mitigations/considerations that can be done before going the copy-and-paste route, which @grb has already mentioned would increase the risk with clipboard monitoring, but would also eliminate URL matching / phishing resistance.

  1. This is still a POC. Because it requires compromising developers’ accounts, maybe it would not become popular.
  2. Use fewer and more reputable extensions.
  3. Isolate the environment in which you use Bitwarden. Some people here use BW only in incognito mode with a very limited number of extensions.
  4. Use a less-likely-to-be-targeted-first browser like Firefox.

I view my BW vault as being breachable, especially from supply-chain-attack (like this one) and my own ignorance/greed/stress. I feel it puts less stress on me to protect the vault at all cost.


Got it. Thanks for pointing that out about copy and pasting, but isn’t it better to risk a clipboard attack on a single site than risking the entire vault?

Perhaps clipboard risk could be reduced by passing info to an extension via Native Messaging? For example, pass the currently viewed tab on to the Bitwarden app (cli / phone / desktop), so that the site readily available in the app, at least.

@Neuron5569 ,
#3 In practice, what this might look like could be to have 2 password managers: one for sites that are less important, and another for high consequence, like email.
So you might use Bitwarden for 3000 common sites, but delete off (salting?) any high-risk password and move that over to something on a phone.
But the practicalities of this are pretty big questions. How are you going to update thousands of site passwords? How are you going to salt the passwords at scale? How are you going to find which sites are important?

Here’s what I did:

  1. exported the vault
  2. deleted all but the site URL fields
  3. Pasted this into chatGPT and asked it to identify which sites are priority to secure.
  4. ChatGPT could only list 10 sites at maximum. It identified email sites, tax and other sites, but it was capped at 10. All those sites are 2FA secured.

#2 Yes of course, and I don’t think many people really appreciate this!

#1 and #4: I hope so, but better not to hope. Better to have solutions. I don’t really see Incognito as a solution; it’s basically saying to use Bitwarden less. To expand on that approach, we could only use Bitwarden for username form filling, get it to fill some of the password, and then type the rest in manually (salting). This is more of a compromise, so not good for comparing to the Incognito approach. I’d like to see a more direct comparison of the Incognito / minimalist approach

“I view my BW vault as being breachable”
So you are typing in some passwords manually and not using Bitwarden?

For me, as a BW user, this post is disturbing! My take on your comments: there is no way of knowing if the extension is actually BW; it has me questioning whether to continue to use it. I have blindly trusted and felt secure logging in with a recommended passphrase (randomly generated) and 2FA YubiKey, but now it seems even that might not be secure!

Here’s part of the problem. This is the extension login after rebooting. It shows the email section (lower yellow box), and then it has a small box in the upper right. That upper box has 2 letters related to the username in some way.

There’s no option to use a device to login.
There’s nothing to identify the window.
There’s no secure output, such as a notification on your phone.

You have to type in your master password.

There surely has to be a better way

The extension is “Locked”, and entering a password is typical after the browser has restarted.

You can “Log out”, and it will prompt you for your email, after that “Login with Device” would be available.

If you use Biometrics unlock, along with a running desktop, when the browser restarts the biometrics unlock would be available immediately.
