bitwarden / clients

Bitwarden client apps (web, browser extension, desktop, and cli).
https://bitwarden.com

Bitwarden Firefox extension leaks user unique internal UUID to websites #11875

Open ruihildt opened 1 week ago

ruihildt commented 1 week ago

Steps To Reproduce

  1. Go to 'passkeys.io'
  2. Open the browser developer tools
  3. In the Inspector tab, search for moz-extension
  4. The highlighted element contains the Bitwarden extension's unique internal UUID, exposed through the loading of the fido2-page-script.js script

Expected Result

Bitwarden extension Internal UUID shouldn't be leaked to random websites visited by users.

The internal UUID is unique per install, which means any page integrating passkeys can use this ID to uniquely fingerprint users.

Actual Result

The Bitwarden extension UUID is visible to any website integrating passkeys and can be used as a unique fingerprint.

Screenshots or Videos

[screenshot attached to the issue]

Additional Context

No response

Operating System

Linux

Operating System Version

No response

Web Browser

Firefox

Browser Version

No response

Build Version

2024.10.1

Issue Tracking Info

bitwarden-bot commented 1 week ago

Thank you for reporting this issue! We've added this to our internal tracking system. ID: PM-14541

randshell commented 1 week ago

I wanted to report this issue initially, but, after skimming through the issues, I gathered that this behavior is intended. https://github.com/bitwarden/clients/issues/7080#issuecomment-1838239454

I see it the same way as @ruihildt and @Thorin-Oakenpants. Whether it is intended or not, it creates a real privacy problem by providing an easy way to identify users.

ruihildt commented 6 days ago

I have no idea why, in this context, the code can't be loaded as a content script (which would not leak the internal UUID), but if the WebExtension can't do what it needs, a bug should be opened with Firefox.

Thorin-Oakenpants commented 6 days ago

> a bug should be opened with Firefox

It's been known for years: see Bugzilla bugs 1372288, 1405971, 1717671, 1717672.

Ideally it should never be leaked, or even a per-session UUID as suggested upstream. I'm not an extension dev, and I don't use Bitwarden or know its UX/user flow, but if passkeys are the actual cause, is it not feasible to have this disabled on all sites (hardcoded, no option to globally enable), and the user must add a per-site exception to allow it?

cagonzalezcs commented 5 days ago

Chiming in here @justindbaur, migration of the Firefox and Safari browser extensions to MV3 will help with this issue though it won't completely resolve the problem either.

That UUID is the Bitwarden web extension ID, which can be used to fingerprint user activity in certain ways...

That UUID is used when linking any browser extension resources, such as content scripts, CSS, or iframe content. Bitwarden uses it for injecting the fido2-page-script.ts into the main context of the web page.

Manifest V2 specifically has issues with leveraging the WebAuthn API to facilitate the passkeys feature in a "non-isolated" content script context. MV3 introduces the "Execution World" option to the browser.scripting API.

https://developer.chrome.com/docs/extensions/reference/api/scripting#type-ExecutionWorld

The inline menu is a bit of a different story though. Anything that shows UI elements will always need to load that content within iframe windows to allow the page to be isolated from the top level frame of the website. Those iframes will always have a src feature that can be queried in the DOM after injection. Just worth keeping that in mind.
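As an added illustration of the two injection mechanisms discussed in this thread (this is not code from the Bitwarden clients repository): the MV2-style `<script src=...>` injection that places an extension URL in the page DOM, beside an MV3 registration with `world: "MAIN"` that does not. The fake document, fake runtime, function names and the UUID are constructed stand-ins; only the file name fido2-page-script.js comes from the report.

```javascript
// Added example, not code from the Bitwarden clients repository. The file name
// fido2-page-script.js comes from the report; function names and the UUID
// below are constructed for illustration.
const PAGE_SCRIPT = "fido2-page-script.js";

// Defender's check: does a string expose an extension origin (on Firefox, the
// per-install UUID) to page content? Usable as an assertion in extension tests.
function revealsExtensionOrigin(text) {
  return /\b(moz|chrome)-extension:\/\/[^/\s"']+\//i.test(String(text));
}

// MV2-style injection: a content script in the isolated world appends a
// <script> whose src is runtime.getURL(path). The element is part of the page
// DOM, so the page can read the extension origin from it.
function injectViaScriptTag(doc, runtime, path) {
  const el = doc.createElement("script");
  el.src = runtime.getURL(path);
  (doc.head || doc.documentElement).appendChild(el);
  return el.src;
}

// MV3-style alternative: the background script registers the file to run in
// the page's main world via browser.scripting. The browser delivers the code;
// no element referencing the extension origin is added to the DOM.
function mainWorldRegistration(path) {
  return {
    id: "fido2-page-script",
    matches: ["<all_urls>"],
    js: [path],
    runAt: "document_start",
    world: "MAIN", // ExecutionWorld from the browser.scripting API
  };
}
// In a real MV3 background script:
//   await browser.scripting.registerContentScripts([mainWorldRegistration(PAGE_SCRIPT)]);

// Offline demonstration with a constructed DOM and runtime (no browser needed).
function demo() {
  const appended = [];
  const fakeDoc = { head: { appendChild: (n) => appended.push(n) }, createElement: (tag) => ({ tagName: tag, src: "" }) };
  const uuid = "11111111-2222-3333-4444-555555555555"; // constructed, not a real install UUID
  const fakeRuntime = { getURL: (p) => `moz-extension://${uuid}/${p}` };
  const leakedSrc = injectViaScriptTag(fakeDoc, fakeRuntime, PAGE_SCRIPT);
  const registration = mainWorldRegistration(PAGE_SCRIPT);
  return { leakedSrc, mv2Leaks: revealsExtensionOrigin(leakedSrc),
    mv3Leaks: revealsExtensionOrigin(JSON.stringify(registration)), domNodesAdded: appended.length };
}
```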