Your described expected behavior is not the way it works. Unless something is going to change on the client side we can't redirect or put any authentication on this at the server side. There is no easy solution to block access to the icon endpoint for authenticated clients only.
Regarding the other points. Checking if you have adult sites in your vault would be difficult. You would need to know the time difference between a cached item or a non-cached/expired-cached icon to really tell if that is the case. And then only if it takes a long time to retrieve it from the site itself. There are security risks of course. You could enumerate a private IP range if you want to check the server's local environment. But by default private IP ranges are blocked from icon fetching on the server side. There are maybe some nifty tricks you can do with some reverse proxy software, to only allow IP x if there has been a 200 response for URL Y. But the clients do not always login or sync the vault, but could still try to fetch icons because the vault is cached locally. So it will be tricky to really create something which is failsafe.
Subject of the issue
I would assume that the /icons endpoint of vaultwarden also requires user authentication. Currently, any external user is able to query the endpoint and identify valid icons without being authenticated to the webvault. This may allow someone to enumerate vault url entries or sites that have been stored. One can disable the icon download, but it is kinda handy for visual aspects.
I don't know whether this is an issue at all. Not a security one from my perspective, but might introduce some privacy concerns if remote people can enumerate whether a vault has some adult or illegal sites stored. What do you think?
Deployment environment
Vaultwarden runs as a Docker container on my RPi4 (ARM). Deployed within Portainer with a compose file. Exposed via an nginx reverse proxy.
vaultwarden version: Version 1.23.0
Install method: Portainer Docker Compose
Clients used: Any client with access to the web vault (http protocol)
Steps to reproduce
Browse your webvault and try an icon path like /icons/www.google.de/icon.png. Choose a domain or url that you know is stored within the vault. If the icon successfully loads, the vault has likely stored that url and downloaded the icon of the website. If a blank icon occurs, the url might not be stored, does not have an icon or the icon download feature has been disabled.
Expected behaviour
The web vault should redirect to the login area and require authentication to display the icons.
Actual behaviour
The web vault responds with the requested image icon if available or defaults to a blank icon. No authentication required.
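Since the maintainers point out that the endpoint cannot simply be put behind authentication, the practical defensive step for the nginx reverse proxy deployment described above is to spot enumeration in the proxy's access log. The following is an added example, not code from this discussion or from the Vaultwarden project: it flags a client that fetches icons for many distinct domains inside a short window without ever sending the API traffic a real client produces. The log lines are constructed, and treating requests under /api/ and /identity/ as the mark of a logged-in client is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed nginx access log lines (combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2022:10:00:01 +0000] "GET /icons/www.google.de/icon.png HTTP/1.1" 200 5430 "-" "curl/7.74.0"
203.0.113.7 - - [10/Jan/2022:10:00:02 +0000] "GET /icons/example.com/icon.png HTTP/1.1" 200 1200 "-" "curl/7.74.0"
203.0.113.7 - - [10/Jan/2022:10:00:03 +0000] "GET /icons/example.org/icon.png HTTP/1.1" 200 1200 "-" "curl/7.74.0"
203.0.113.7 - - [10/Jan/2022:10:00:04 +0000] "GET /icons/example.net/icon.png HTTP/1.1" 200 1200 "-" "curl/7.74.0"
203.0.113.7 - - [10/Jan/2022:10:00:05 +0000] "GET /icons/wiki.example/icon.png HTTP/1.1" 200 1200 "-" "curl/7.74.0"
198.51.100.4 - - [10/Jan/2022:10:00:10 +0000] "POST /identity/connect/token HTTP/1.1" 200 900 "-" "Bitwarden_Mobile/1.0"
198.51.100.4 - - [10/Jan/2022:10:00:11 +0000] "GET /icons/www.google.de/icon.png HTTP/1.1" 200 5430 "-" "Bitwarden_Mobile/1.0"
198.51.100.4 - - [10/Jan/2022:10:00:12 +0000] "GET /icons/example.com/icon.png HTTP/1.1" 200 1200 "-" "Bitwarden_Mobile/1.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)')
ICON_RE = re.compile(r"^/icons/([^/]+)/icon\.png$")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Assumption: real Bitwarden clients always talk to these prefixes before/while fetching icons.
AUTH_PREFIXES = ("/api/", "/identity/")


def detect_icon_enumeration(log_text, min_domains=5, window=timedelta(minutes=5)):
    """Return {client_ip: sorted probed domains} for clients that requested icons for
    at least `min_domains` distinct domains within `window` and never hit an API path."""
    icon_hits = defaultdict(list)  # ip -> [(timestamp, domain)]
    api_clients = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, ts, _method, path, _status, _size = m.groups()
        if path.startswith(AUTH_PREFIXES):
            api_clients.add(ip)
            continue
        icon = ICON_RE.match(path)
        if icon:
            icon_hits[ip].append((datetime.strptime(ts, TS_FMT), icon.group(1)))
    flagged = {}
    for ip, hits in icon_hits.items():
        if ip in api_clients:
            continue  # icon fetches from a logged-in client are expected
        hits.sort()
        start = 0
        for end in range(len(hits)):  # sliding time window over this client's icon requests
            while hits[end][0] - hits[start][0] > window:
                start += 1
            domains = {d for _, d in hits[start:end + 1]}
            if len(domains) >= min_domains:
                flagged[ip] = sorted(domains)
                break
    return flagged
```

On the sample log only 203.0.113.7 is flagged; the mobile client that logged in first is ignored even though it fetched the same icons.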