Currently, the vault timeout action does not apply to the pop out window. But this makes no sense as the pop out window is still the vault, just a different way of interacting with the contents of the vault. Additionally, the pop out window appears to remain unlocked because it’s assumed “active” regardless if it’s in use or not. However, this is not a reasonable or safe assumption because it’s easily layered beneath other windows and can be neither active nor remembered as present resulting in a rather consistent and obvious security issue.
Since the word “vault” describes the contents, not the view, it is most reasonable to lock the pop out view by the same means as the extension view. However, if this is not viable or desirable for some reason, then the pop out should at least have its own locking mechanism.
What benefits will this feature bring?
Security, which I believe is one of Bitwarden’s main goals!
I agree. I left my computer for an hour or so, only to come back to bitwarden open. I would prefer it to automatically lock even when a window is open.
To protect your data is as simple as to lock your computer whenever you leave it.
And to get back into the system as easy, fast and comfortable as possible get a USB fingerprint sensor like this one:
Thanks for the follow up everyone, I’ll check in with the team and provide a follow up, but I think this is a browser related issue and if it is, we could do a better job at indicating this.
If I pop out a new window on the extension and forget to close it, the Bitwarden extension does not lock. This is easy to do, and you may not realize that you haven’t closed the pop-up, leaving your account exposed.
This help section explains the problem. “However, it’s important to note that when the browser extension is popped out, it will not adhere to your chosen vault timeout settings.”
Full help article:
The Bitwarden browser extension includes a pop-out feature that allows you to reposition the client while using your internet browser. To pop out the browser extension, you need to select the appropriate icon in the extension interface 3, 7. However, it’s important to note that when the browser extension is popped out, it will not adhere to your chosen vault timeout settings.
I see this action," not adhering to vault timeout settings," as a significant vulnerability.
I configured the Bitwarden extension for Firefox so that it auto-locks the vault after 1 min timeout. Usually this works fine. However, the following steps show a way where the extension does not respect this setting:
Unlock the vault in the Bitwarden extension for Firefox
In the upper right corner click “Pop out to a new window”
I can now access the vault in two ways: in the popped out window, and, by clicking on the Bitwarden extension icon in the Firefox tab bar. As long as the popped out window is not closed, the vault does not lock, neither in the popped out window, nor in the Firefox tab bar. When I do close the popped out window, the Bitwarden vault accessible in the Firefox tab bar locks soon thereafter.
This seems a security risk. In my case, the Bitwarden popped out window got burried under other windows, and only after a long time I discovered that my vault had been unlocked all that time.
I moved your post to a corresponding feature request. (you can vote on feature requests as soon as you reach the next “trust level” – just spend some time on the forum) – Just FYI the behaviour in question is documented in the Help Sites: Automatic Logout or Lock | Bitwarden
I’m rather shocked that this issue is already open since 2022. I wonder if the reason could be that it is presented as a feature request that is buried under all other requests, while it should be presented as a security issue and hence be treated with a much higher priority.
For now I will uninstall the Bitwarden Firefox extension.
