The attachment links for the items in the Bitwarden vault are not secure. If you use the URL, it automatically downloads the encrypted file. This may not be a huge issue, considering that the contents of the file are encrypted. This is a security issue and makes the attached contents susceptible to brute force attacks.
Steps to reproduce:
Log in to the Bitwarden web vault with your credentials.
Create a new Login entry in either the My Vault page (for premium membership user), or under the vault for any organization (for a Families subscription user). You can use the name, for example, "Bitwarden Attachment Test".
Hover over the created item, and click on the Settings icon to launch a dropdown menu.
Click on the Attachments option in the menu; this will launch a popup.
Click on Choose File to add any file from your local filesystem.
Click on Save to close the popup.
Now, using the Bitwarden CLI, log in and run the following command:
You should see a link similar to https://cdn.bitwarden.net/attachments/$$$...
If you use this link via cURL or open it in a web browser, it will download an encrypted file to disk.
Solution
A potential solution could be to use an authentication layer for these static resources, so that these CDN URLs are protected. This will add additional security for the attachments.
I'm not sure if this behavior is by design, but just wanted to report it so it can be fixed.
Thanks for the report @snvishna. This is currently by design, since it was assumed that the URLs are not indexed and carry a CSPRNG-generated ID that is not easily guessable (as well as being encrypted blobs). However, as you suggested, we have been discussing adding an authentication layer in front of it.
There has been some work relevant to this in the past few months.
Attachments which are uploaded to the cloud server after our 2021-05-11 release, from clients which are up to date, are uploaded to a separate Azure storage container which is not publicly accessible. This means that we can give out SAS tokens to allow clients to download attachments. The request for a download token requires authentication.
Also, note that this same security is used for all Bitwarden Send file links.
I'm going to close this issue since the original suggestion has been implemented.
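The following is an added example, not code from this issue or from Bitwarden's server or clients, that models the two designs discussed in the thread: the reported behaviour, where anyone holding a static CDN URL with a random ID can fetch the encrypted blob, and the fix described in the reply, where the blob lives in a private container and is only served to a short-lived download token that an authenticated vault session must request first. The token is a constructed HMAC-based stand-in for an Azure SAS token; the class names, session handling, ciphertext bytes and the fixed `now` timestamp are all hypothetical.

```python
"""Toy model of static-URL vs. token-gated attachment download (constructed example).

'public'  : any request naming the attachment ID gets the blob (behaviour reported).
'private' : the store only serves requests carrying a valid, unexpired token bound to
            that attachment ID, and tokens are issued only to authenticated sessions
            (the SAS-token approach described in the reply). Not Bitwarden/Azure code.
"""
import hashlib
import hmac
import secrets
import time

# 128-bit CSPRNG identifiers, as the reply describes; blob bytes are already
# client-side encrypted, so the store only ever sees ciphertext (constructed).
ATTACHMENT_ID = secrets.token_hex(16)
OTHER_ID = secrets.token_hex(16)
CIPHERTEXT = b"2.constructed-ciphertext-bytes"
OTHER_CIPHERTEXT = b"2.other-constructed-ciphertext"


class PublicBlobStore:
    """Reported design: the URL (i.e. the ID) is the only secret."""

    def __init__(self):
        self.blobs = {ATTACHMENT_ID: CIPHERTEXT, OTHER_ID: OTHER_CIPHERTEXT}

    def fetch(self, attachment_id, token=None):
        return self.blobs.get(attachment_id)


class PrivateBlobStore:
    """Fixed design: container is private; access needs a signed, expiring token."""

    def __init__(self, signing_key: bytes, ttl_seconds: int = 300):
        self.blobs = {ATTACHMENT_ID: CIPHERTEXT, OTHER_ID: OTHER_CIPHERTEXT}
        self.key = signing_key
        self.ttl = ttl_seconds

    def _mac(self, attachment_id, expiry):
        # Token is bound to both the attachment and its expiry time.
        msg = f"{attachment_id}|{expiry}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def issue_token(self, attachment_id, now=None):
        expiry = int(time.time() if now is None else now) + self.ttl
        return f"{expiry}.{self._mac(attachment_id, expiry)}"

    def fetch(self, attachment_id, token=None, now=None):
        if token is None:
            return None  # no anonymous downloads from the private container
        try:
            expiry_s, mac = token.split(".", 1)
            expiry = int(expiry_s)
        except ValueError:
            return None
        if (time.time() if now is None else now) >= expiry:
            return None  # expired
        if not hmac.compare_digest(mac, self._mac(attachment_id, expiry)):
            return None  # forged, tampered, or issued for a different attachment
        return self.blobs.get(attachment_id)


class VaultApi:
    """Only an authenticated session may ask the API for a download token."""

    def __init__(self, store, session_tokens):
        self.store = store
        self.sessions = set(session_tokens)

    def get_download_token(self, session, attachment_id, now=None):
        if session not in self.sessions:
            raise PermissionError("unauthenticated")
        return self.store.issue_token(attachment_id, now=now)


def demo(now=1_700_000_000):
    """Exercise both stores; returns a dict of named checks, each True if the
    store behaved as the thread describes."""
    public = PublicBlobStore()
    private = PrivateBlobStore(secrets.token_bytes(32), ttl_seconds=300)
    api = VaultApi(private, session_tokens={"valid-session"})
    r = {}
    r["public_url_downloads_without_auth"] = public.fetch(ATTACHMENT_ID) == CIPHERTEXT
    r["private_denies_bare_id"] = private.fetch(ATTACHMENT_ID, now=now) is None
    tok = api.get_download_token("valid-session", ATTACHMENT_ID, now=now)
    r["private_serves_valid_token"] = private.fetch(ATTACHMENT_ID, tok, now=now) == CIPHERTEXT
    r["private_denies_expired_token"] = private.fetch(ATTACHMENT_ID, tok, now=now + 301) is None
    tampered = tok[:-1] + ("0" if tok[-1] != "0" else "1")
    r["private_denies_tampered_token"] = private.fetch(ATTACHMENT_ID, tampered, now=now) is None
    r["private_denies_token_for_other_blob"] = private.fetch(OTHER_ID, tok, now=now) is None
    try:
        api.get_download_token("no-such-session", ATTACHMENT_ID, now=now)
        r["unauthenticated_token_request_denied"] = False
    except PermissionError:
        r["unauthenticated_token_request_denied"] = True
    return r
```

The point of the model is the chain of checks in `PrivateBlobStore.fetch`: knowing the attachment ID is no longer enough, a token is rejected once its expiry passes, and because the MAC covers the attachment ID a token issued for one blob cannot be replayed against another. A real SAS token adds permissions and IP scoping on top, but the authentication step in front of token issuance is what turns a guessable-or-leaked URL into a bounded, revocable grant.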