bitwarden / clients

Bitwarden client apps (web, browser extension, desktop, and cli).
https://bitwarden.com

HTTP Basic authentication is being sent wrong by default #11250

Open LufoX11 opened 1 month ago

LufoX11 commented 1 month ago

Steps To Reproduce

It started happening in 2024.9.0 (I think) and is still happening in the latest 2024.9.1.

After viewing my Apache logs, I see it's sending my saved website login credentials by default rather than showing me the basic auth popup, assuming the password stored in my vault is the basic auth password (and it's not).

Steps to reproduce the issue (Chrome):

  1. With the BW extension enabled, I open a new incognito window and I go to https://reinventatuvida.org/wp-login.php which has basic auth to access the real wp login page.
  2. I immediately receive a 401 Unauthorized error.
  3. I close the window, disable the BW extension and open a new incognito window with the same url.
  4. Basic auth popup is shown.

Apache logs in step 2:

[Wed Sep 25 18:08:55.996972 2024] [auth_basic:error] [pid 2021] [client 2800:40:76:e11:7877:33c6:20c5:2ae5:60530] AH01618: user shamank not found: /wp-login.php

"shamank" is my website login username stored in my BW vault, not the one I need to put in the basic auth popup (which is "mario"). So what's happening, I think, is that the BW extension is somehow sending my stored username and password from the vault by default as my basic auth credentials.

Take a look:

Grabación de pantalla desde 25-09-24 19:13:58.webm

The workaround is to put the right login credentials for basic auth directly in the url like: https://mario:blablabla@reinventatuvida.org/wp-login.php

Expected Result

The basic auth popup to be shown, asking for username and password.

Actual Result

The basic auth popup is not shown, with the default message of wrong credentials (401).

Screenshots or Videos

Grabación de pantalla desde 25-09-24 19:13:58.webm

Additional Context

No response

Operating System

Linux

Operating System Version

Ubuntu 22.04.4 LTS

Web Browser

Chrome

Browser Version

Versión 129.0.6668.70 (Build oficial) (64 bits)

Build Version

2024.9.1

Issue Tracking Info

sammbw commented 1 month ago

Hi there,

I am unable to reproduce this issue; it has been escalated for further investigation. If you have more information that can help us, please add it below.

Thanks!

LufoX11 commented 1 month ago

After reading the docs I think this might be a "feature" functionality, which I see like this:

image

I mean, most websites implementing basic auth are just securing areas, and it's not intended to provide secure access to a website with a user login system or user sessions. So, assuming that if you only have a single password for a website it should be for the basic auth barrier is a serious mistake. I have several websites on several webservers. All of them have specific areas protected with basic auth to avoid common bots or automated attacks, mainly to login systems. So the same basic auth user and pass is shared among lots of websites/domains, and behind that all of them have their own user login systems to access their sensitive user data. I can't go duplicating and saving the same user/pass for basic auth for every website I manage just to have 2 passwords and keep BW from trying to autofill basic auth credentials and messing up the login. It makes no sense. I regret upgrading the extension some days ago. It was perfect before.

At least give me a setting to avoid this behaviour of trying to autofill basic auth PLEASE.

Thanks
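To make the mechanism described in this thread concrete, here is an added illustration (not Bitwarden's code, and not posted by anyone in the issue) of how an extension's webRequest.onAuthRequired decision could be written: a naive host-only match hands the saved site login ("shamank") to the Basic auth challenge and produces exactly the "user shamank not found" 401 seen in the Apache log, while a per-item opt-in flag plus a one-attempt limit, the kind of setting the reporter asks for, falls through to the browser's own prompt instead. The vault items, the forBasicAuth flag and the function names are hypothetical; the challenge fields are modelled on what Chrome's webRequest API passes.

```javascript
// Added illustration, not Bitwarden's implementation. Constructed vault:
// a WordPress site login saved for the domain, and a separate item the
// user explicitly marked as the credentials for the Basic auth barrier.
const VAULT = [
  { name: "reinventatuvida.org login", uri: "https://reinventatuvida.org/wp-login.php",
    username: "shamank", password: "site-pw", forBasicAuth: false },
  { name: "Basic auth barrier", uri: "https://reinventatuvida.org/",
    username: "mario", password: "basic-pw", forBasicAuth: true, realm: "Restricted" },
];

function hostOf(uri) { return new URL(uri).hostname; }

// Naive policy (the behaviour reported in the issue): the first vault item
// whose host matches the challenger is offered as Basic auth credentials,
// so the website login is sent and Apache logs "user shamank not found".
function pickNaive(challenge, vault) {
  return vault.find(i => hostOf(i.uri) === challenge.challenger.host) || null;
}

// Hardened policy: only items opted in for Basic auth qualify, the realm
// must match when the item records one, and each request is answered at
// most once so a wrong guess cannot loop on 401 and hide the prompt.
function pickStrict(challenge, vault, attempts) {
  const key = challenge.requestId;
  if ((attempts.get(key) || 0) >= 1) return null;
  const match = vault.find(i =>
    i.forBasicAuth &&
    hostOf(i.uri) === challenge.challenger.host &&
    (!i.realm || i.realm === challenge.realm));
  if (match) attempts.set(key, (attempts.get(key) || 0) + 1);
  return match || null;
}

// Shape of an onAuthRequired return value: {authCredentials} supplies
// credentials; an empty object lets the browser show its own dialog.
function respond(item) {
  return item
    ? { authCredentials: { username: item.username, password: item.password } }
    : {};
}
```

With the strict policy, a domain that only has a plain website login saved never gets that login sent as Basic auth; the user sees the normal popup, which is the expected result in the report.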