Security through obscurity with Bitwarden

I never thought I'd write something negative about Bitwarden. I love it. It's an incredible password manager, and I even created envwarden: a small open-source wrapper to handle server secrets with Bitwarden.

But I recently bumped into a small issue that looks like Security through obscurity to me, which I thought was odd for a security-focused product.

The issue was that I couldn't export the items in my company's vault, even though I had access to the cards [1].

I contacted Bitwarden about it, and they said that:

An Organization user cannot export the Organization’s Vault without being an Admin or Owner.

I tried to understand why: since I did have access to cards in my organization, why couldn't I export them? I was told:

We do not allow people to export the Organization Vault unless they are an Admin simply because this has been requested by demand from our customers. Being able to dump all passwords in one quick action is different than having to access every one individually to copy them out.

I explained that this seems like Security through obscurity, since I had vault access anyway, and it's trivial to dump all accessible passwords using the Bitwarden CLI regardless.

I asked them if it was OK to publish this, and they were fine with it. I even asked if I could post a small script that would let you do it using the Bitwarden CLI, and they didn't seem to mind.

So here’s a super-simple “How to” recipe, in case you want to dump all your accessible cards using the CLI in an import-friendly format:

# You need to have the Bitwarden CLI installed. See https://help.bitwarden.com/article/cli/#download--install
$ bw login
# Copy the session key that `bw login` prints and use it below.
# `bw list items` prints one JSON array on a single line; wrapping it in {"items": [...]} gives the shape the Bitwarden JSON importer expects.
# Add `--organizationid <org id>` to list only one organization's items.
$ bw list items --session <your session id> | awk '{print "{\"items\": " $0 "}"}' > /path/to/export.json

That’s it. You can now import the export.json file as a Bitwarden json.
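The awk one-liner above works because the CLI prints a single line, but it builds JSON by string concatenation. As an added example (not from the original post or from Bitwarden), here is the same wrapping done by actually parsing the JSON, with an optional filter on the item's organizationId field so you can export one organization's items only; the sample input, ids and names are constructed for this example.

```python
import json
import sys
from typing import Optional

# Constructed sample of what `bw list items --session <id>` prints: one JSON
# array of items. Field names follow the Bitwarden CLI item format; the ids,
# names and credentials are made up for this example.
SAMPLE_BW_LIST_OUTPUT = json.dumps([
    {"id": "11111111-0000-0000-0000-000000000001", "organizationId": None,
     "type": 1, "name": "personal-site",
     "login": {"username": "me", "password": "example-only"}},
    {"id": "11111111-0000-0000-0000-000000000002",
     "organizationId": "aaaaaaaa-0000-0000-0000-00000000000a",
     "type": 1, "name": "shared-db",
     "login": {"username": "svc", "password": "example-only"}},
    {"id": "11111111-0000-0000-0000-000000000003",
     "organizationId": "bbbbbbbb-0000-0000-0000-00000000000b",
     "type": 2, "name": "other-org-note", "notes": "constructed note"},
])


def wrap_for_import(raw: str, organization_id: Optional[str] = None) -> dict:
    """Turn raw `bw list items` output into the {"items": [...]} shape the
    Bitwarden JSON importer expects. Parsing the JSON (instead of gluing
    strings together) guarantees a well-formed result, including for empty
    output. If organization_id is given, keep only that organization's items
    (personal items have organizationId == null)."""
    items = json.loads(raw) if raw.strip() else []
    if not isinstance(items, list):
        raise ValueError("expected a JSON array from `bw list items`")
    if organization_id is not None:
        items = [i for i in items if i.get("organizationId") == organization_id]
    return {"items": items}


def main() -> None:
    # Usage: bw list items --session <id> | python3 wrap_export.py [org id] > export.json
    org = sys.argv[1] if len(sys.argv) > 1 else None
    json.dump(wrap_for_import(sys.stdin.read(), org), sys.stdout, indent=2)


if __name__ == "__main__":
    main()
```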

To be fair, it's a tiny issue really. I think it's obvious that if people have access to passwords, they can always find ways to dump or copy them, and adding an artificial hurdle doesn't really add much security. Perhaps the more accurate term here is Security Theater rather than Security through obscurity. I'm not entirely sure.


[1] To be clear, I wasn't trying to siphon off my company's secrets. I have full Admin access and can export everything. I was testing out a way to use the Bitwarden CLI export functionality from a non-privileged account and bumped into this.
