If a vault is exported unencrypted (.json or .csv) in Firefox, Firefox creates a temporary file of that unencrypted vault to the hard disk. Considering the sensitivity of an unencrypted vault and the difficulty/impossibility of deleting data from a hard disk, this presents a very concerning security hole that needs to be brought up to the community and addressed.
The issue was found by a reddit user. Firefox has implemented a system where, in the duration that it’s asking for a save destination by the user, it is slowly already downloading the file to a temporary location on the hard disk. This is more related to Firefox than Bitwarden necessarily, but by allowing it Bitwarden does expose a security hole to its users unknowingly as it affects vault exports.
Steps to replicate:
Note: Use a test account, not your actual vault
- Navigate to Firefox Settings → Options → Files and Applications → Downloads → ensure that “Always ask you where to save files” is filled in
- Access your vault via Firefox extension or Bitwarden webvault
- Choose either of the unencrypted vault export options (.csv or .json)
- Note the prompt popping up asking you for a save location, but do not choose a location
- Navigate to
- Sort your folder by Date Modified and find the
*.part.txtfile that was created
- Open this file in Notepad and see the contents of your unencrypted vault
Why this is concerning:
While this is a Firefox issue, many users may not be aware that they are exposing their unencrypted vault while exporting. Even with a secure hard disk wipe, because of the nature of SSD’s it may be impossible to truly delete data from them leaving a compromised hard disk vulnerable unless it has full disk encryption enabled.
How to prevent this:
Users should only export via the desktop application and directly to a secure container (AES 256 rar/zip, Veracrypt container, Cryptomator vault). Bitwarden should display a prompt warning users of this issue if they attempt to export their vault via the webvault or extension if they are using Firefox. Alternatively if a user is adamant on exporting via the Firefox browser, it would appear for now that setting “Downloads” to a specific location rather than “Always ask you where to save files” circumvents the creation of a temporary file.
As discussed pretty extensively, the existing encrypted json export feature in Bitwarden is not a complete backup solution in its current form as it is tied to the vault’s encryption key and therefore should not be used as a true backup. I’m not attacking the devs here, during vault hours it was mentioned that the current encrypted export feature is the first in many steps towards a true encrypted export solution.
Some questions that require further research:
- If other browsers (Chrome, Safari, Edge) are susceptible to this and if/where they create temporary files
- If chromium specifically is susceptible to this then would it also affect the chromium/Electron based Bitwarden desktop application
- How long this temporary file is saved on the hard disk before it is deleted by the software (albeit most likely not in a secure way)
- Where exactly the temporary file is saved on macOS or Linux
- If Firefox plans to provide the option to disable the creation of a temporary file while it prompts users for a save location