Potential Privacy Issue with Favicon Caching (/icons endpoint)?

Hi everyone,

I’d like to report a potential privacy concern related to how Vaultwarden handles favicon caching.

Vaultwarden automatically fetches and stores website icons when users interact with login entries. These icons are then served via predictable URLs like:

/icons/<domain>/icon.png

In a multi-user environment, this may introduce a privacy issue.

What happens

If you directly request an icon URL:

  • When the icon already exists, it is returned immediately

  • When the icon does not exist, the request takes noticeably longer (~10 seconds)

This difference in response time can be used to infer whether a specific domain has been accessed by any user on the instance.

Example

https://vault.example.com/icons/www.risorsainformatica.com/icon.png

By measuring response times, it’s possible to determine if that domain is present in the cache.

Why this matters

In shared Vaultwarden instances, this could allow users to:

  • Infer which websites other users have accessed

  • Identify usage of potentially sensitive services (internal tools, admin panels, etc.)

Notes

This is not a critical vulnerability, but rather a privacy-related side-channel that might be relevant in:

  • Team environments

  • Self-hosted shared instances

Possible improvements

Some ideas that might mitigate this:

  • Normalize response times for cached/non-cached icons

  • Restrict access to the /icons endpoint

  • Optionally disable favicon caching

  • Scope caching per user

I’m sharing this to get feedback from the community and understand if this is expected behavior or something worth addressing.

Thanks!

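Added example, not code from the original post or from Vaultwarden: a small Python check an instance administrator could run over the reverse proxy's access log to flag a single client requesting an unusually large number of distinct /icons/<domain>/icon.png paths in a short window, which is what a cache probe looks like from the server side. The log format, client IPs, domain names and the threshold of five distinct domains per five minutes are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a generic combined-log style (an assumption; this is
# not Vaultwarden's own log format). Client IPs and domains are illustrative only.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:00:01 +0000] "GET /icons/github.com/icon.png HTTP/1.1" 200 1532
10.0.0.5 - - [12/Mar/2024:10:00:02 +0000] "GET /icons/intranet.corp.example/icon.png HTTP/1.1" 200 841
10.0.0.5 - - [12/Mar/2024:10:00:03 +0000] "GET /icons/admin.corp.example/icon.png HTTP/1.1" 200 841
10.0.0.5 - - [12/Mar/2024:10:00:04 +0000] "GET /icons/hr.corp.example/icon.png HTTP/1.1" 200 841
10.0.0.5 - - [12/Mar/2024:10:00:05 +0000] "GET /icons/jira.corp.example/icon.png HTTP/1.1" 200 841
10.0.0.5 - - [12/Mar/2024:10:00:06 +0000] "GET /icons/wiki.corp.example/icon.png HTTP/1.1" 200 841
10.0.0.9 - - [12/Mar/2024:10:00:07 +0000] "GET /api/sync HTTP/1.1" 200 20931
10.0.0.9 - - [12/Mar/2024:10:00:08 +0000] "GET /icons/github.com/icon.png HTTP/1.1" 200 1532
10.0.0.9 - - [12/Mar/2024:10:00:09 +0000] "GET /icons/gitlab.com/icon.png HTTP/1.1" 200 1204
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET /icons/(?P<domain>[^/\s]+)/icon\.png'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_icon_requests(log_text):
    """Yield (client_ip, timestamp, domain) for each /icons/<domain>/icon.png request."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ip"], datetime.strptime(m["ts"], TS_FMT), m["domain"]

def find_icon_enumerators(log_text, window=timedelta(minutes=5), threshold=5):
    """Return {client_ip: domains} for clients that requested more than `threshold`
    distinct icon domains inside any sliding `window`. A client browsing its own
    vault fetches a few icons; a burst of many unrelated domains is a probe."""
    per_ip = defaultdict(list)
    for ip, ts, domain in parse_icon_requests(log_text):
        per_ip[ip].append((ts, domain))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            domains = {d for ts, d in events[i:] if ts - start <= window}
            if len(domains) > threshold:
                flagged[ip] = domains
                break
    return flagged
```

The threshold needs tuning per instance: a user opening a large vault for the first time will legitimately pull many icons at once, so correlate flagged bursts with whether that client also made authenticated API calls around the same time.
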
@Michele_Genito Welcome to the Bitwarden Community Forum!

It seems you are using an unofficial server software, which is not supported by Bitwarden, as it is an independent product. From time to time, there will be compatibility issues between the official Bitwarden client apps (browser extension, mobile app, desktop app…) and an unofficial server product, when Bitwarden implements changes to its own server software and/or client apps. “…Bitwarden cannot guarantee that official clients will work perfectly with non-official servers.”

(Also due to this - and for other reasons - we recommend using the official Bitwarden server software.)

It is generally not possible for members of the Bitwarden community (users or developers) to help with such issues - and with issues of the unofficial server itself. Please seek support in their community spaces.

If you can replicate your issue on an official Bitwarden server, feel free to open a new thread here.