Restrict users to export only personal secrets

Currently, the export data tool exports all secrets, even if the user is not the owner of a specific secret.
Example: An organisation shares one or many secrets with a user. Currently, if this user runs “tools => export secrets”, Bitwarden will export all his personal secrets, as well as all non-owned secrets shared by the organisation.

This is not good from a security perspective, as it makes it very easy for a user to grab all passwords from an organisation and store them in some place.
Furthermore, it is also not good from a practical perspective, because this user cannot export only his private secrets without the org's password.

This is the only reason that we cannot use Bitwarden within our Enterprise. Having reviewed the product recently, it ticked all the boxes until we discovered this flaw.
We have a history of users storing spreadsheets of passwords on their local laptops etc., and if these are lost/stolen this is a huge security risk. Also there is the worry of users moving to a competitor company and being able to see everything we do.

Why do people do this? It seems like more work to open a spreadsheet and look for the password and then copy it, than to let the plugin auto fill it for you.

This is what the feature is like…

Sure, it will prevent someone who doesn’t stray from the path… but any password you share with them should be assumed to be held by them forever.

If someone leaves the organization, you should change EVERY PASSWORD YOU SHARED WITH THEM.

Adding such a feature is a low priority.

1 Like

What dabura667 says is correct in so far as it goes. However, in any system where people can access information you don’t allow a user to dump the whole database! It’s not just deliberate abuse, how about the user who thinks “it would be really useful to have this info when I am working from home”. Next thing you’ve got an unencrypted copy of all your passwords sitting on someone’s home PC, or even better, on their laptop that they leave on a train.

It really should be possible to disable export for users, and for me it would be essential for deploying it in a business.

I would also suggest an audit facility that logged every access to a shared password.

2 Likes

Technically that’s true. And, yes, you should change every password they have had access to when they leave.

Practically, however, people are lazy when it comes to malicious activity (I say this as someone who has tracked down plenty of it). The percentage of people who will actually engage in the effort to manually copy out a set of passwords is pretty small. And on the flip side, most admin staffs are insanely overworked and a massive password change project will probably not happen as rapidly as it should. So while you’re absolutely correct in the sense that it can be worked around, it’s a lot more hassle than your image implies (at least for nontrivial implementations) and the reality is that it has some efficacy in many situations.

I would like to see this as well. But rather as a usability feature: A user might want to back up personal secrets only and is not interested in any shared items.

1 Like

I was also surprised to find this was possible.

I totally agree. We did this for some time, but changing passwords (especially for employees that have been with you for a long time or admins) takes a huge amount of time. To add to this list: a malicious user could be deterred if they had to export passwords one-by-one instead of just dumping the entire database.

1 Like