
[Security] Attachments are not secure #703

Closed
snvishna opened this issue Apr 19, 2020 · 2 comments

@snvishna

Issue

The attachment links for the items in the Bitwarden vault are not secure. If you use the URL, it automatically downloads the encrypted file. This may not be a huge issue, considering that the contents of the file are encrypted. This is a security issue and makes the attached contents susceptible to brute force attacks.

Steps to reproduce:

  • Log in to Bitwarden web with your credentials.

  • Create a new Login entry in either the My Vault page (for premium membership user), or under the vault for any organization (for a Families subscription user). You can use the name, for example, "Bitwarden Attachment Test".

  • Hover over the created item, and click on the Settings icon to launch a dropdown menu.

  • Click on the Attachments option in the menu; this will launch a popup.

  • Click on Choose File to add any file from your local filesystem.

  • Click on Save to close the popup.

Now, using the Bitwarden CLI, log in and run the following command:

bw list items | jq -Cr '.[] | select(.name == "Bitwarden Attachment Test").attachments[].url'

You should see a link similar to https://cdn.bitwarden.net/attachments/$$$...

If you use this link via cURL or open it in a web browser, it will download an encrypted file to disk.

Solution

A potential solution could be to use an authentication layer for these static resources, so that these CDN URLs are protected. This will add additional security for the attachments.

I'm not sure if this behavior is by design, but just wanted to report it so it can be fixed.

@kspearrin
Member

kspearrin commented Apr 20, 2020

Thanks for the report @snvishna. This is currently by design, since it was assumed that the URLs are not indexed and carry a CSPRNG-generated ID that is not easily guessable (as well as being encrypted blobs). However, as you suggested, we have been discussing adding an authentication layer in front of it.

@MGibson1
Member

There has been some work relevant to this in the past few months.

Attachments which are uploaded to the cloud server after our 2021-05-11 release, from clients which are up to date, are uploaded to a separate Azure storage container which is not publicly accessible. This means that we can give out SAS tokens to allow clients to download attachments. The request for a download token requires authentication.

Also, note that this same security is used for all Bitwarden Send file links.

I'm going to close this issue since the original suggestion has been implemented.
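The design the comment above describes (a private container, a download token handed out only to an authenticated session, and the storage side honouring nothing else) is modelled below as an added example; it is not Bitwarden's code and does not use Azure's real SAS format. The HMAC-signed token, the `PrivateContainer` class, the blob id `att-example-1` and the signing key are all constructed for illustration. It shows the two checks that the legacy public-CDN URL lacked: the API only issues a token after authentication and an ownership check, and the token is short-lived, read-only, bound to one blob, and rejected if any field is altered.

```python
import hashlib
import hmac
import secrets
import time

# Constructed key for this example only. A real deployment signs with the
# storage account's key (Azure SAS) or a key held in a KMS/HSM, never in code.
SIGNING_KEY = secrets.token_bytes(32)


class PrivateContainer:
    """Models a storage container with public access disabled: unlike the
    legacy public CDN URL, nothing is returned without a token that verifies."""

    def __init__(self):
        self._blobs = {}  # blob_id -> encrypted attachment bytes

    def put(self, blob_id, ciphertext):
        self._blobs[blob_id] = ciphertext

    def get_with_token(self, blob_id, token, now=None):
        if not verify_download_token(token, blob_id, now=now):
            raise PermissionError("missing, expired, or invalid download token")
        return self._blobs[blob_id]


def _signing_input(blob_id, permission, expiry):
    # The token commits to exactly these fields: resource, permission, expiry.
    return f"{blob_id}|{permission}|{expiry}".encode()


def issue_download_token(session_user, cipher_owner, blob_id, ttl_seconds=60):
    """API-side step: only an authenticated session that owns the cipher the
    attachment belongs to receives a short-lived, read-only token for one blob."""
    if session_user is None:
        raise PermissionError("authentication required")
    if session_user != cipher_owner:
        raise PermissionError("session does not own this cipher")
    expiry = int(time.time()) + ttl_seconds
    sig = hmac.new(SIGNING_KEY, _signing_input(blob_id, "r", expiry),
                   hashlib.sha256).hexdigest()
    return {"blob": blob_id, "perm": "r", "exp": expiry, "sig": sig}


def verify_download_token(token, blob_id, now=None):
    """Storage-side check: rejects a token for another blob, a non-read
    permission, an expired token, and any tampering with the signed fields."""
    now = int(time.time()) if now is None else now
    if token.get("blob") != blob_id or token.get("perm") != "r":
        return False
    if not isinstance(token.get("exp"), int) or token["exp"] < now:
        return False
    expected = hmac.new(SIGNING_KEY, _signing_input(blob_id, "r", token["exp"]),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so a forged signature cannot be matched byte by byte.
    return hmac.compare_digest(expected, str(token.get("sig", "")))


if __name__ == "__main__":
    store = PrivateContainer()
    store.put("att-example-1", b"<encrypted attachment bytes>")  # constructed
    token = issue_download_token("alice", "alice", "att-example-1")
    print("owner download ok:", store.get_with_token("att-example-1", token) is not None)
    print("token reused for another blob verifies:",
          verify_download_token(token, "att-example-2"))
    try:
        issue_download_token(None, "alice", "att-example-1")
    except PermissionError as err:
        print("unauthenticated token request rejected:", err)
```

The token's lifetime is deliberately short (60 seconds by default here) because a leaked download URL with a still-valid token is the same exposure the original report describes; a real SAS token also carries its permission and expiry in the URL, so the same expiry and scope checks apply there.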
