@dwbit For Issue 6: Icon URL Item Decryption, the report states that Bitwarden is considering the following mitigation: “Explicit hashes of icon URLs, set by the client, are being considered for development.”
I would like to make the Dev Team aware that there are three open Feature Requests that might provide alternative (or additional) pathways for defending against the type of attack described in Issue 6:
- Custom icons for vault items, folders and collections
- Allow disabling website icons globally
- Sync Bitwarden settings, like "Lock after X minutes" or PIN
All of these would give users the option to avoid troublesome icon fetch messages being generated in the first place.