[Security] When exporting your unencrypted vault via Firefox (webvault or extension) an unencrypted temporary text file of your vault is saved to your hard disk in a different location

Issue:
If a vault is exported unencrypted (.json or .csv) in Firefox, Firefox creates a temporary file of that unencrypted vault on the hard disk. Considering the sensitivity of an unencrypted vault and the difficulty/impossibility of deleting data from a hard disk, this presents a very concerning security hole that needs to be brought up to the community and addressed.

Background:
The issue was found by a reddit user. Firefox has implemented a system where, while it is asking the user for a save destination, it is already slowly downloading the file to a temporary location on the hard disk. This is more related to Firefox than Bitwarden necessarily, but by allowing it Bitwarden does unknowingly expose a security hole to its users, as it affects vault exports.

Steps to replicate:
Note: Use a test account, not your actual vault

  1. Navigate to Firefox Settings → Options → Files and Applications → Downloads → ensure that “Always ask you where to save files” is filled in
  2. Access your vault via Firefox extension or Bitwarden webvault
  3. Choose either of the unencrypted vault export options (.csv or .json)
  4. Note the prompt popping up asking you for a save location, but do not choose a location
  5. Navigate to C:\Users\[UserID]\AppData\Local\Temp
  6. Sort your folder by Date Modified and find the *.part or *.part.txt file that was created
  7. Open this file in Notepad and see the contents of your unencrypted vault

Why this is concerning:
While this is a Firefox issue, many users may not be aware that they are exposing their unencrypted vault while exporting. Even with a secure hard disk wipe, because of the nature of SSDs it may be impossible to truly delete data from them, leaving a compromised hard disk vulnerable unless it has full disk encryption enabled.

How to prevent this:
Users should only export via the desktop application and directly to a secure container (AES 256 rar/zip, Veracrypt container, Cryptomator vault). Bitwarden should display a prompt warning users of this issue if they attempt to export their vault via the webvault or extension while using Firefox. Alternatively, if a user is adamant on exporting via the Firefox browser, it would appear for now that setting “Downloads” to a specific location rather than “Always ask you where to save files” circumvents the creation of a temporary file.

As discussed pretty extensively, the existing encrypted JSON export feature in Bitwarden is not a complete backup solution in its current form, as it is tied to the vault’s encryption key and therefore should not be used as a true backup. I’m not attacking the devs here; during vault hours it was mentioned that the current encrypted export feature is the first of many steps towards a true encrypted export solution.

Unanswered questions:
Some questions that require further research:

  • If other browsers (Chrome, Safari, Edge) are susceptible to this and if/where they create temporary files
  • If chromium specifically is susceptible to this then would it also affect the chromium/Electron based Bitwarden desktop application
  • How long this temporary file is saved on the hard disk before it is deleted by the software (albeit most likely not in a secure way)
  • Where exactly the temporary file is saved on macOS or Linux
  • If Firefox plans to provide the option to disable the creation of a temporary file while it prompts users for a save location

Further reading:

2 Likes
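A defender-side check, added here as an example (not Bitwarden’s or Firefox’s code), that looks for the leftover *.part / *.part.txt remnants the steps above describe and flags those whose content resembles an unencrypted export. The JSON and CSV markers it matches on are assumptions, since the post does not list the export format; it deliberately tolerates a truncated file, because a .part file is a download still in progress.

```python
"""Scan for Firefox download remnants (*.part, *.part.txt) that hold an
unencrypted Bitwarden export. Added example, not Bitwarden or Firefox code.
Assumed markers (not given on the page): an unencrypted JSON export carries
"encrypted": false and an "items" array; a CSV export's header row contains
the login_username and login_password columns."""
import re
import tempfile
import time
from pathlib import Path

# Regexes rather than a JSON parser: a .part file is a download in progress
# and may be truncated, so it need not be valid JSON to already leak secrets.
JSON_MARKERS = (re.compile(r'"encrypted"\s*:\s*false'), re.compile(r'"items"\s*:'))
CSV_MARKERS = ("login_username", "login_password")


def looks_like_unencrypted_export(text: str) -> bool:
    """True if the text resembles an unencrypted .json or .csv vault export."""
    head = text.lstrip()
    if head.startswith("{"):
        return all(rx.search(head) for rx in JSON_MARKERS)
    first_line = head.splitlines()[0] if head else ""
    return all(col in first_line for col in CSV_MARKERS)


def find_export_remnants(temp_dir: Path, max_age_s: float = 86400.0) -> list:
    """*.part* files under temp_dir, modified within max_age_s, that hold vault data."""
    now, hits = time.time(), []
    for path in temp_dir.rglob("*.part*"):
        if not path.is_file() or now - path.stat().st_mtime > max_age_s:
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:  # locked or removed mid-scan
            continue
        if looks_like_unencrypted_export(text):
            hits.append(path)
    return sorted(hits)


def demo() -> list:
    """Constructed sample dir: a truncated JSON remnant, a CSV remnant, a harmless file."""
    d = Path(tempfile.mkdtemp())
    (d / "abc123.part").write_text('{"encrypted": false, "folders": [], "items": [{"name": "ex')
    (d / "def456.part.txt").write_text("folder,favorite,type,name,login_username,login_password\n")
    (d / "other.part").write_text("some unrelated download still in progress")
    return [p.name for p in find_export_remnants(d)]
```

To scan a real machine, point find_export_remnants at the Temp directory from step 5 (or $TMPDIR on macOS/Linux); demo() only runs it over constructed files.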

Many of those points are to do with Firefox rather than Bitwarden. To what extent should Bitwarden detect the poor programming of browser suppliers and warn people about it?

With regard to the export, this is an argument for having encrypted drives. That is standard in many operating systems, other than Microsoft’s efforts where it is optional. I would certainly encourage people to do this if they use Windows. There is also an advantage in using hard drives rather than solid state ones, as deletion can be made more likely.

It looks like this won’t be fixed any time soon unfortunately. Maybe Bitwarden could offer an option to (symmetrically) encrypt the JSON dump with GPG in the future? A separate password chosen by the user could be used for the encryption before the download happens. Or it could even be done asymmetrically with a public key for advanced users.
This is what I tend to do for my backups of the vault.

Hi radman -
You’re on the right track with ideas for improvement, but in the meantime, I think you can accomplish a safe and usable backup of your BW vault by using a different browser to export a .json file (unencrypted) to a place that only you specify (Chrome, for example, doesn’t create any hidden temp files). Then use KeePass2 to import that .json file into a KeePass vault that you’ve given your own (separate) master key to secure. The KeePass vault is a single file which is easily copied to whatever backup medium you desire. And, you get the bonus of being able to open it and use it if needed, or just retrieve one lost/old password without having to clobber your production Bitwarden vault by restoring an entire exported BW vault.

KeePass2 for Windows natively imports Bitwarden .json files, and Bitwarden natively imports .xml files exported from KeePass, so moving data-sets back and forth is pretty easy.

1 Like

Firefox is fine to use IF you tell it to download the imported file directly into a virtual drive. Use a separate instance/profile where you DEFINE the FF download location to ALWAYS go to e.g. VeraCrypt drive #6, etc… Then simply close VeraCrypt #6 in this example and you are good to go without “temp” tracks at all. For sooooooooooo many other reasons FF is far superior to Chrome where privacy is concerned. My .02

Sounds like a very reasonable backup strategy, I wasn’t aware KeePass is compatible with BW vault dumps. Thanks a lot!

Thank you OpSec. I have no quibble that FF offers many security benefits over Chrome, but I do find that there are sometimes “gotchas” in FF that one has to overcome. Thanks for your suggestion to use a separate profile. I always prefer to have a browser ask me where a downloaded file is to go, so never tried this.