Currently, the vault timeout action does not apply to the pop out window. But this makes no sense, as the pop out window is still the vault, just a different way of interacting with the contents of the vault. Additionally, the pop out window appears to remain unlocked because it’s assumed “active” regardless of whether it’s in use or not. However, this is not a reasonable or safe assumption, because it’s easily layered beneath other windows and can be neither active nor remembered as present, resulting in a rather consistent and obvious security issue.
Since the word “vault” describes the contents, not the view, it is most reasonable to lock the pop out view by the same means as the extension view. However, if this is not viable or desirable for some reason, then the pop out should at least have its own locking mechanism.
What benefits will this feature bring?
Security, which I believe is one of Bitwarden’s main goals!
I agree. I left my computer for an hour or so, only to come back to Bitwarden open. I would prefer it to automatically lock even when a window is open.
To protect your data is as simple as to lock your computer whenever you leave it.
And to get back into the system as easy, fast and comfortable as possible get a USB fingerprint sensor like this one:
Thanks for the follow up everyone, I’ll check in with the team and provide a follow up, but I think this is a browser related issue and if it is, we could do a better job at indicating this.
If I pop out a new window on the extension and forget to close it, the Bitwarden extension does not lock. This is easy to do, and you may not realize that you haven’t closed the pop-up, leaving your account exposed.
This help section explains the problem. “However, it’s important to note that when the browser extension is popped out, it will not adhere to your chosen vault timeout settings.”
Full help article:
The Bitwarden browser extension includes a pop-out feature that allows you to reposition the client while using your internet browser. To pop out the browser extension, you need to select the appropriate icon in the extension interface. However, it’s important to note that when the browser extension is popped out, it will not adhere to your chosen vault timeout settings.
I see this action, “not adhering to vault timeout settings,” as a significant vulnerability.
I configured the Bitwarden extension for Firefox so that it auto-locks the vault after 1 min timeout. Usually this works fine. However, the following steps show a way where the extension does not respect this setting:
Unlock the vault in the Bitwarden extension for Firefox
In the upper right corner click “Pop out to a new window”
I can now access the vault in two ways: in the popped out window, and, by clicking on the Bitwarden extension icon in the Firefox tab bar. As long as the popped out window is not closed, the vault does not lock, neither in the popped out window, nor in the Firefox tab bar. When I do close the popped out window, the Bitwarden vault accessible in the Firefox tab bar locks soon thereafter.
This seems a security risk. In my case, the Bitwarden popped out window got buried under other windows, and only after a long time did I discover that my vault had been unlocked all that time.
I moved your post to a corresponding feature request. (you can vote on feature requests as soon as you reach the next “trust level” – just spend some time on the forum) – Just FYI the behaviour in question is documented in the Help Sites: Automatic Logout or Lock | Bitwarden
I’m rather shocked that this issue is already open since 2022. I wonder if the reason could be that it is presented as a feature request that is buried under all other requests, while it should be presented as a security issue and hence be treated with a much higher priority.
For now I will uninstall the Bitwarden Firefox extension.
Currently, the browser pop-out does not observe vault timeout, which is known, as it is written in the browser app introduction browser-pop-out.
This is of course a security flaw and should be solved in one way or another: If one uses the pop-out window in an unsafe environment (shared office, hotel lobby, restaurant, etc.) and one gets inverted or the device is grabbed, then the vault stays open. Not everyone is aware of this unexpected behavior, and the right manual measures are not taken.
While the expected functionality seems to run into technical limitations, workarounds shall be taken to mitigate the risk:
Make a settings option to allow the pop-out window, which is off by default, with a warning message at activation.
Add a red warning banner to the popout that the timeout is suspended.
In addition, the popout could have its own time limitation, if that is possible.
@kriszzo, I moved your request to this existing request for the same thing. You might consider scrolling to the very top and clicking the “vote” button to add your vote!
Observed in Firefox extension. If an edit window is opened, it will block a configured timeout from triggering an automatic lock or logout. The danger is when the edit window is unnoticed by being under another window or minimized.
Ideally, an edit window should require active user interaction to block timeout. Pending changes should be cached or discarded.
Alternatively, an idle edit window should be more conspicuous. Display a notification or pop it to the front on idle timeout.
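As an added illustration of the behaviour requested in the opening post and in the post above (this is example code, not Bitwarden’s implementation), the timeout below is driven only by real user interaction: an open pop-out or edit window never suppresses the lock, and an unsaved draft is set aside rather than holding the vault open. The injected clock and the constructed “buried pop-out” scenario are assumptions for the demonstration.

```javascript
// Vault timeout keyed to user activity, not to which windows are open.
// Assumption: `now` is an injected clock (ms) so the logic runs without real timers.
class VaultTimeout {
  constructor(timeoutMs, now) {
    this.timeoutMs = timeoutMs;
    this.now = now;
    this.lastActivity = now();
    this.locked = false;
    this.openWindows = new Set(); // pop-out / edit windows currently open
    this.pendingDraft = null;     // unsaved edit-window contents
    this.cachedDraft = null;      // draft set aside when the vault locks
  }

  // Call on genuine input (click, keypress, pointer move) in ANY vault view.
  recordActivity() {
    if (!this.locked) this.lastActivity = this.now();
  }

  openWindow(id) { this.openWindows.add(id); this.recordActivity(); }
  closeWindow(id) { this.openWindows.delete(id); }
  saveDraft(text) { this.pendingDraft = text; this.recordActivity(); }

  // Poll from a timer tick. Returns true when the vault locks on this tick.
  tick() {
    if (this.locked) return false;
    // openWindows is deliberately not consulted: a buried pop-out must not
    // keep the vault unlocked.
    if (this.now() - this.lastActivity < this.timeoutMs) return false;
    this.locked = true;
    this.cachedDraft = this.pendingDraft; // cache (encrypted at rest in a real client)
    this.pendingDraft = null;
    return true;
  }
}

// Constructed scenario from the thread: pop-out opened, then left buried
// under other windows with no interaction for longer than the timeout.
function simulateBuriedPopout(timeoutMs) {
  let t = 0;
  const vault = new VaultTimeout(timeoutMs, () => t);
  vault.openWindow('popout');
  vault.saveDraft('half-typed note');
  t += timeoutMs / 2;
  vault.tick();
  const lockedEarly = vault.locked;   // expected: false, still within timeout
  t += timeoutMs;                     // still no activity, pop-out still open
  vault.tick();
  return { lockedEarly, lockedLater: vault.locked,
           windowStillOpen: vault.openWindows.has('popout'),
           draftCached: vault.cachedDraft };
}
```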
Can you please explain what you mean by an “edit window”? Are you editing an item in the standard pop-up window, then leaving the pop-up window open (which requires that you avoid clicking anywhere in your Firefox browser)? Or are you editing in the Firefox sidebar? Or are you using a floating pop-out window for editing?
That would be the only way it could have been hidden under my main Firefox window. I can’t recall the exact sequence that led to opening that window because I didn’t even realize that was an option before.
I did reach out to support and they confirmed that this is currently the expected behavior. It was the support agent that suggested I post a thread here.