This is a good opportunity to inform folks about the Public Suffix List[1]. In short, there is no algorithmic way to know how far up a subdomain is controlled by a single entity. For example ".org", ".co.uk", and ".cloudfront.com" are all public suffixes where subdomains under them are controlled by different entities. Mozilla created[2] the public suffix list to document these regions of control. If you write any software that gives subdomains the same privilege as the base domain, you should (at a minimum) check this list and verify that the subdomain is not known to be controlled by a different party. If you share a domain across multiple entities, you should add your domain to the public suffix list. I don't know if bitwarden uses PSL or not.

I learned about this from gorhill who is very diligent about applying this in uMatrix, etc[3].

[1] https://publicsuffix.org/

[2] https://wiki.mozilla.org/Public_Suffix_List

[3] https://github.com/gorhill/uMatrix/issues/264
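To make the check described above concrete, here is an added example (not code from the thread, Bitwarden, or uMatrix) of a PSL-aware "base domain" comparison. The rule set is a small constructed excerpt in PSL syntax; a real check would load the full list from publicsuffix.org.

```python
# Added example, not Bitwarden's code: a PSL-aware "base domain" check.
# RULES is a small CONSTRUCTED excerpt in PSL syntax ("*." = wildcard label,
# "!" = exception rule); a real check loads the full list from publicsuffix.org.
RULES = [r.strip() for r in """
com
uk
co.uk
net
cloudfront.net
*.compute.amazonaws.com
ck
*.ck
!www.ck
""".splitlines() if r.strip()]

def public_suffix(host, rules=RULES):
    # PSL algorithm: a rule matches the host's trailing labels ('*' matches one
    # label); a matching exception rule wins and denotes its parent; otherwise
    # the longest match wins; with no match the last label alone is the suffix.
    labels = host.lower().rstrip(".").split(".")
    best = None
    for rule in rules:
        r_labels = rule.lstrip("!").split(".")
        if len(r_labels) > len(labels):
            continue
        tail = labels[-len(r_labels):]
        if all(r == h or r == "*" for r, h in zip(r_labels, tail)):
            if rule.startswith("!"):
                return ".".join(r_labels[1:])
            if best is None or len(r_labels) > len(best):
                best = r_labels
    return ".".join(labels[-len(best or labels[-1:]):])

def registrable_domain(host, rules=RULES):
    # eTLD+1: the public suffix plus one label; None when host is itself a suffix
    labels = host.lower().rstrip(".").split(".")
    n = len(public_suffix(host, rules).split("."))
    return ".".join(labels[-(n + 1):]) if len(labels) > n else None

def same_base_domain(a, b, rules=RULES):
    # What a "Base domain" match should mean: true only when both hosts sit under
    # the same registrable domain, so siblings under a public suffix never match.
    ra, rb = registrable_domain(a, rules), registrable_domain(b, rules)
    return ra is not None and ra == rb

if __name__ == "__main__":
    for a, b in [("prod-admin.okta.com", "dev-admin.okta.com"),
                 ("a.cloudfront.net", "b.cloudfront.net")]:
        print(a, b, same_base_domain(a, b))
```

With this rule set the two okta.com hosts match (okta.com is one registrable domain), while the two cloudfront.net hosts do not, because cloudfront.net is a public suffix and each subdomain belongs to a different party.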
Looks like user error. The domain matching needs to be set if you don’t want it to work on subdomains. The fact Bitwarden does this by default is a wonderful feature. So I don’t consider it leaking. Besides, if you don’t trust a subdomain you shouldn’t trust the root domain.
Looks like this is a fix to this posted 30 minutes ago

https://github.com/bitwarden/browser/pull/1397
I think there could be a bug here, but not what the title suggests...

Domain matching is configurable per login, and default also configurable. The default-default is fine (better compatibility). But if people disagree then re-configure the default then deal with the consequences/breakages.

The bug here seems to be auto-completing with auto-fill disabled. That's a bug, and a security bug I'd argue.

PS - Them tagging the bug "enhancement" is also quite wrong. Leaking credentials with auto-fill off is clearly broken at the most basic levels, even if splitting the auto-fill checkbox into two is an "enhancement."
What am I missing here? Why is Bitwarden sending any data on its own at all?

I thought Bitwarden only fills login details in a form when I click on it.

What else is it doing that I am unaware of?
I'm using Bitwarden and all of my passwords are long, complex, and unique. Am I at risk? I understand that this is not good, but if my passwords are unique then the only thing that can happen is losing the credentials to the one account that got leaked, right? I don't think my bank's website has an insecure subdomain that I have to worry about. Should I remove Bitwarden from my browser until this is fixed?
I keep the domain match rule as "Starts from" in the global setting not because of this (and I realized it was a good choice more now) but because BitWarden automatically sends basic auth if there is only one match, meaning you never get any prompt to begin with, which is handy but having the default "Base domain" can make the match broader and asks me for basic auth and since an extension can't fill that space probably due to browser extension API, I have to copy / paste which is very tedious.
I’ve noticed the too-broad matching behavior in the past myself. Password for <production>-admin.okta.com will auto fill for <development>-admin.okta.com, for instance. I also turn off auto fill for this reason.

I think the default matching behavior should be changed, and the handling of HTTP Basic Auth should be changed to conform to it.
If you scroll down, it appears that Bitwarden sends BasicAuth passwords in the clear over HTTP. This is a huge security hole, far bigger than the subdomain one.
Sounds like a bug with autocomplete disabled, but I don’t see this as a security issue.

What is the risk with using Bitwarden in this circumstance? That I trust one server of the company but not the other and therefore a bad actor now has my creds?
So is the TL;DR by default bitwarden sends basic auth (always, even if 'autofill' is off, because of limitations of the webextension API) to other subdomains (up to the public suffix), people don't like this because they use broken sites that aren't on the PSL list but are effectively public suffixes, and so bitwarden is changing the default to only send basic auth to strict hostname matches?

This seems like kind of a nothingburger security wise to me.