Warm users about access key leakage in access logs

[rwjack]

Not really a bug, but I think the docs should provide info about this: https://github.com/bitwarden/clients/issues/4290

I just saw that from v1.29.0, WSS is enabled by default, which means all access tokens and encrypted data is being stored in plaintext in reverse proxy access logs, unless the proxy is configured to filter out such requests.

[BlackDex]

Which documentation are you referring to? If it is the wiki, then go ahead and add this warning 😄.

Also, i do hope that your reverse proxy can't decrypt the encrypted data and stores that unencrypted somewhere. Not sure what you mean with that specific part. All data is encrypted by the clients and send encrypted over the wire. Those values are never added as GET parameters and thus should not end up in your logs.

[rwjack]

I cannot confirm what data is being sent, but something is definitely being sent as a GET request, so some parameters get saved in the access logs.

Here's an example:

/notifications/hub?access_token=[this part is always the same].eyJuYmYi[redacted]sImV4cCI6MTcxNzc1NzQ1OCwiaXN[redacted]M6Ly92YXVsdC5zZWMuYXJwYXxsb2dpbiIsInN1YiI6ImY5YmVhN[redacted]tNGJjNS05MDY2LTQ3NjFlZmY4ND[redacted]sInByZW1pdW0iOnRydWU[redacted]JjaXBoZXIiLCJlbWFpbCI6ImNpc[redacted]ljdSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJzc3RhbXAiOiJlZjM3[redacted]MjctODE2OS1hZTQ3NmFjNDc4MGQiLCJkZX[redacted]02ZTk3LTQ2N2M[redacted]jM3NmEiLCJzY29wZSI6WyJhcG[redacted]5lX2FjY2VzcyJdLCJhbXIiOlsiQXBwbGljY[redacted]hGDeCNdjTs1cOL2fV_OR96Sey-gA5eRa8OCGNgCrDeyYAPyk[redacted]BkQGwjEhD7fcWILxRYqQ7W6rkC2o[redacted]LB_nztpAgeRUbsPgsd3RNTWJDKdlH8aMf1[redacted]vB_doENJPeyaeMuEG85KqpAN2A[redacted]GeeCztxmQIe21PMtBG-SAgGeI[redacted]X_9mmyv0nISHBuHjhQ_km[redacted]VCLoFneb-MEzN[redacted]T8VcXSKhGXpwJUx8j1[redacted]k_nH27vrD2Dg

[BlackDex]

As mentioned, that is only the JWT for the websocket connection indeed. But no other data is ever send via that way, thus no other data, encrypted or unencrypted is ever send over the wire as a GET request.

Only uuid's and are send as part the the path, and maybe timestamps, but that is about it.

Unfortunately there is no other way for the websockets, as the clients do not seem to support any other way then via get parameters.

Also, if some has access to your JWT, that doesn't make them able to decrypt your passwords. So, there isn't any real risk here.

And, the person who has access to those logs can then probably also make adjustments to your reverse proxy and manipulate the web-vault in such a way that it might leak your password, so that would be more of a risk then leaking the JWT I think.

[BlackDex]

Also, as this is more of a documentation item and not an issue with Vaultwarden on the server side, ill move this to a discussion.