grb
July 20, 2022, 7:07pm
Thanks for escalating this. To clarify for other readers, the “Github issue” mentioned by dwbit refers to an issue different from the two raised in my post above — the referenced issue is related to the failure of the Chrome extension to purge the local vault when logging out, and is documented here:
opened 11:44PM - 15 Jul 22 UTC · labels: bug, browser
### Steps To Reproduce
1. Log into vault using Chrome extension
2. Log out of vault on Chrome extension
3. Exit Chrome
4. Navigate to %LocalAppData%\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
5. Open the most recent *.log file using Notepad
6. Optionally, use Edit/Find to search for terms such as "keyHash", "email", "login", "password", etc.
### Expected Result
If the user has logged out, the vault should be expunged from persistent storage. [Bitwarden documentation](https://bitwarden.com/help/vault-timeout/#vault-timeout-action) makes the claim: **"Logging out of your vault completely removes all vault data from your device."**
Thus, the *.log file (which contains vault data for the Chrome extension) should be deleted, or contain only a skeleton template structure with non-existent entries for "email", "keyHash", "login", "password", etc., or (at worst) empty values for all fields that hold secret/sensitive information.
### Actual Result
The stored *.log file contains one or more copies of the encrypted vault, which persists even after logging out of the vault, exiting Chrome, and rebooting the computer. By scanning through the file, or by using search terms such as those suggested above, the full contents of the vault are revealed, including the email account in plaintext, the hashed version of the Master Key, as well as encrypted cipher strings containing all secrets. In effect, there appears to be no practical security difference between the locked state and the logged out state.
### Screenshots or Videos
_No response_
### Additional Context
The vault data can easily be exfiltrated by anybody who has physical access to the computer for a short time, whether the computer is on or off. Using copied values of the fields "email", "kdfIterations", and "keyHash", the master password can be brute-forced if it is sufficiently weak, which would then allow a bad actor to access the web vault. Whether such a threat model is widely applicable or not, users have the expectation that decrypted vault data is removed from persistent storage upon logout; this expectation is not met for the Chrome extension. I have not tested other browser extensions.
### Operating System
Windows
### Operating System Version
Windows 10
### Web Browser
Chrome
### Browser Version
Version 103.0.5060.114
### Build Version
2022.6.1
I will return in the near future with documentation of the claimed memory vulnerabilities (a preview of which I’ve shared with dwbit in Direct Message).
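A defender-side check for the behaviour the quoted issue describes, added here as an example (it is not code from the forum post or from the Bitwarden project): after logging out, it scans the newest LevelDB `*.log` file in the extension's Local Extension Settings directory for the field names the issue suggests searching for, and reports only whether and at which byte offsets they still occur. The directory path and extension id are the ones quoted in the issue; the marker list and the sample byte strings are assumptions constructed for illustration.

```python
"""Check whether a Chrome extension's LevelDB storage still contains vault
field names after logout.

Added example, not part of the forum post or of Bitwarden's own code.
The marker list and the SAMPLE_* byte strings are constructed assumptions.
"""
import os
import sys
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Location and extension id as quoted in the GitHub issue (Windows, Chrome).
DEFAULT_DIR = os.path.expandvars(
    r"%LocalAppData%\Google\Chrome\User Data\Default\Local Extension Settings"
    r"\nngceckbapebfimnlniiiahkandclblb"
)

# Field names the issue suggests searching for.  Assumed list; extend as needed.
MARKERS = (b"keyHash", b"kdfIterations", b"email", b"login", b"password")


def scan_for_markers(data: bytes, markers=MARKERS) -> Dict[str, List[int]]:
    """Return {marker: [byte offsets]} for every marker present in data.

    LevelDB .log files are binary, so the scan works on raw bytes instead of
    decoding them.  An empty dict means none of the markers survived.
    """
    hits: Dict[str, List[int]] = {}
    for marker in markers:
        offsets = []
        start = 0
        while True:
            pos = data.find(marker, start)
            if pos < 0:
                break
            offsets.append(pos)
            start = pos + 1
        if offsets:
            hits[marker.decode()] = offsets
    return hits


def find_latest_log(directory) -> Optional[Path]:
    """Most recently modified *.log file in directory, or None if there is none."""
    logs = sorted(Path(directory).glob("*.log"), key=lambda p: p.stat().st_mtime)
    return logs[-1] if logs else None


def check_directory(directory, markers=MARKERS) -> Tuple[Optional[Path], Dict[str, List[int]]]:
    """Scan the newest .log file under directory; hits is {} when it is clean."""
    latest = find_latest_log(directory)
    if latest is None:
        return None, {}
    return latest, scan_for_markers(latest.read_bytes(), markers)


# Constructed samples (not real vault data): a JSON fragment surrounded by
# binary noise, as a residual record might appear, and a record without markers.
SAMPLE_RESIDUAL = (
    b"\x00\x01\x02"
    + b'{"email":"user@example.com","keyHash":"AAAA","kdfIterations":100000}'
    + b"\xff"
)
SAMPLE_CLEAN = b"\x00\x01\x02" + b'{"version":1}' + b"\xff"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_DIR
    path, hits = check_directory(target)
    if path is None:
        print(f"no *.log files under {target}")
    elif hits:
        print(f"{path}: vault field names still present after logout:")
        for name, offsets in hits.items():
            print(f"  {name}: {len(offsets)} occurrence(s), first at byte {offsets[0]}")
    else:
        print(f"{path}: none of the markers found")
```

Run it with no arguments on the Windows profile the issue names, or pass another extension-settings directory as the first argument (for instance to compare a different browser). Searching the raw bytes rather than a decoded string avoids failing on the binary record framing LevelDB writes around the JSON payload; the script deliberately reports only marker names and offsets, not the surrounding values.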