Bitwarden Firefox extension leaks user unique internal UUID to websites #11875
Comments
|
Thank you for reporting this issue! We've added this to our internal tracking system. |
|
I wanted to report this issue initially, but, after skimming through the issues, I gathered that this behavior is intended. #7080 (comment) I see it the same way as @ruihildt and @Thorin-Oakenpants. Whether it is intended or not, it creates a real privacy problem by providing an easy way to identify users. |
|
I have no idea why in this context the code can't be loaded as a content script (which would not be leaking the internal UUID), but if the webextension can't do what they need, a bug should be opened with Firefox. |
it's been known for years: see bugzillas 1372288,1405971,1717671,1717672 Ideally it should never be leaked, or even a per-session UUID as suggested upstream. I'm not an extension dev, and I don't use bitwarden or know it's UX/user-flow .. but if passkeys is the actual cause, is it not feasible to have this disabled on all sites (hardcoded, no option to globally enable), and the user must add a per site exception to allow it |
|
Chiming in here @justindbaur, migration of the Firefox and Safari browser extensions to MV3 will help with this issue though it won't completely resolve the problem either. That UUID is the Bitwarden web extension ID, which can be used to fingerprint user activity in certain ways... That UUID is used when linking any browser extension resources, such as content scripts, css, or iframe content. Bitwarden uses it for injecting the Manifest v2 specifically has issues with leveraging the WebAuthn API to use facilitate the passkeys feature in a "non-isolated" content script context. Mv3 introduces the "Execution World" option to the https://developer.chrome.com/docs/extensions/reference/api/scripting#type-ExecutionWorld The inline menu is a bit of a different story though. Anything that shows UI elements will always need to load that content within |
|
Hi @cagonzalezcs, thanks for the detailed explanation! It's interesting that this is specifically a limitation of Manifest v2. It would explain why on Chrome, as far as I've seen, Bitwarden doesn't add such UUID or a script tag at all. Since Firefox added support for Manifest v3 too a few months ago, it's good to know this issue could get a fix. As for the inline menu, it is clearly a mean of fingerprinting as well, but I don't think it's much of a problem. It is known that installing any extension, especially in browsers like Tor Browser and Mullvad Browser, would make the user stand out more compared to others. The main problem to me is with inserting the extension's UUID as you browse, which instead can uniquely identify you even across browser sessions, IP addresses, or when using a private browsing window (if Bitwarden is enabled for that). At the moment, the workaround to avoid this UUID issue would be to disable Passkey support manually, which can be done by going to |
|
Yes, the new Your suggested workaround is a solid temporary solution. Additionally, you can use any Chromium-based browser with Bitwarden. Browsers like Brave and Opera should already support the Manifest V3 version of Bitwarden. The only exception is Microsoft Edge, which still appears to rely on Manifest V2. |
Steps To Reproduce
moz-extensionfido2-page-script.jsscript loadingExpected Result
Bitwarden extension Internal UUID shouldn't be leaked to random websites visited by users.
Internal UUID is unique per install, which means any page integrating passkey can use this ID to uniquely fingerprint users.
Actual Result
The Bitwarden extension UUID is visible to any website integrating passkey and can be used as a unique fingerprint.
Screenshots or Videos
Additional Context
No response
Operating System
Linux
Operating System Version
No response
Web Browser
Firefox
Browser Version
No response
Build Version
2024.10.1
Issue Tracking Info
The text was updated successfully, but these errors were encountered: