Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

The vault.bitwarden.com website exposes the access_token in the notification's web socket request #3650

Closed
1 task done
l1ttps opened this issue Jan 6, 2024 · 1 comment
Closed
1 task done

The vault.bitwarden.com website exposes the access_token in the notification's web socket request #3650

l1ttps opened this issue Jan 6, 2024 · 1 comment
Labels
bug

Comments

@l1ttps
Copy link

l1ttps commented Jan 6, 2024
edited
Loading

Steps To Reproduce

  1. Go to 'vault.bitwarden.com'
  2. Open developer console
  3. Open Network
  4. View detail wss://notifications.bitwarden.com/hub?access_token=eyJhbGciOiJSUzI1NiIsImt in ws request
  5. Copy JWT token from URL as search query
  6. Paste jwt.io
  7. View full profile in payload token of user

Expected Result

Use another way to transmit the access_token to the server

Actual Result

Token leak

Screenshots or Videos

image
image

Additional Context

No response

Build Version

Web https://vault.bitwarden.com/

Environment

Cloud (bitwarden.com)

Environment Details

No response

Issue Tracking Info

  • I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.
@l1ttps l1ttps added the bug label Jan 6, 2024
@l1ttps l1ttps closed this as completed Jan 8, 2024
@ainola
Copy link

ainola commented Jan 21, 2024

Hi, @l1ttps, thanks for working on this. Is there an associated PR or some other work we can look at since this is marked as "completed"?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@l1ttps @ainola