
[Security] Attachments are not secure #703

Closed
@snvishna

Description


Issue

The attachment links for the items in the Bitwarden vault are not secure. If you use the URL, it automatically downloads the encrypted file. This may not be a huge issue, considering the contents of the file are encrypted. This is a security issue and makes the attached contents susceptible to brute force attacks.

Steps to reproduce:

  • Log in to Bitwarden web with your credentials.

  • Create a new Login entry in either the My Vault page (for premium membership user), or under the vault for any organization (for a Families subscription user). You can use the name, for example, "Bitwarden Attachment Test".

  • Hover over the created item, and click on the Settings icon to launch a dropdown menu.

  • Click on the Attachments option in the menu; this will launch a popup.

  • Click on Choose File to add any file from your local filesystem.

  • Click on Save to close the popup.

Now, using the Bitwarden CLI, log in and run the following command:

bw list items | jq -Cr '.[] | select(.name == "Bitwarden Attachment Test").attachments[].url'

You should see a link similar to https://cdn.bitwarden.net/attachments/$$$...

If you use this link via cURL or open it in a web browser, it will download an encrypted file to disk.

Solution

A potential solution could be to use an authentication layer for these static resources, so that these CDN URLs are protected. This will add additional security for the attachments.

I'm not sure if this behavior is by design, but just wanted to report it so it can be fixed.
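The authentication layer proposed above, as an added example that is not Bitwarden's code: a hypothetical HMAC-signed, expiring download URL issued by the server and verified at the CDN edge, plus an audit helper that mirrors the jq filter from the reproduction steps and lists attachment URLs that carry no valid token. The signing key, CDN origin, query parameter names and the sample `bw list items` output are all constructed for the example.

```python
import hashlib
import hmac
import json
import time
from typing import List, Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed signing key for this example; a real deployment keeps it in a secret store.
SIGNING_KEY = b"example-signing-key-not-for-production"
CDN_ORIGIN = "https://cdn.bitwarden.net"

def _message(path: str, expires: int) -> bytes:
    # Bind object path and expiry together so neither can be swapped independently.
    return f"{path}\n{expires}".encode()

def sign_attachment_url(path: str, ttl_seconds: int = 300, now: Optional[int] = None) -> str:
    """Server side: issue a URL for one encrypted attachment that is valid only until `expires`."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    sig = hmac.new(SIGNING_KEY, _message(path, expires), hashlib.sha256).hexdigest()
    return CDN_ORIGIN + path + "?" + urlencode({"expires": expires, "sig": sig})

def verify_attachment_url(url: str, now: Optional[int] = None) -> bool:
    """CDN edge: the check performed before the encrypted blob is served."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    query = parse_qs(parsed.query)
    try:
        expires = int(query["expires"][0])
        sig = query["sig"][0]
    except (KeyError, IndexError, ValueError):
        return False  # unsigned or malformed request: refuse
    if now >= expires:
        return False  # token expired
    expected = hmac.new(SIGNING_KEY, _message(parsed.path, expires), hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig, expected)  # constant-time comparison

def unsigned_attachment_urls(bw_list_items_json: str, item_name: str) -> List[str]:
    """Audit helper mirroring the jq filter: attachment URLs of `item_name` that fail verification."""
    return [
        att["url"]
        for item in json.loads(bw_list_items_json) if item.get("name") == item_name
        for att in item.get("attachments", [])
        if not verify_attachment_url(att["url"])
    ]
# Constructed stand-in for `bw list items` output, using the URL shape quoted in the report.
SAMPLE_BW_ITEMS = json.dumps([{"name": "Other item", "attachments": []}, {
    "name": "Bitwarden Attachment Test", "attachments": [
        {"url": "https://cdn.bitwarden.net/attachments/placeholder-id/placeholder-file"}]}])
```

Running `unsigned_attachment_urls(SAMPLE_BW_ITEMS, "Bitwarden Attachment Test")` flags the bare CDN link, while a URL produced by `sign_attachment_url` passes only until its expiry and fails on any change to the path or the `expires` value.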
