Security flaw: Passwords exposed on hover after login in Edge extension #2406

Closed
opened 2025-11-07 07:42:35 -06:00 by GiteaMirror · 1 comment
Owner

Originally created by @xy14053156 on GitHub (Oct 19, 2025).

Prerequisites

Vaultwarden Support String

Summary

After logging into the Bitwarden Edge extension, simply hovering the mouse over the avatar icon automatically reveals the full password in plain text, without any additional authentication or interaction. This is a serious security flaw, especially on shared or public devices.

Steps to Reproduce

  1. Install Bitwarden extension on Microsoft Edge.
  2. Log in to the extension.
  3. Click the avatar icon (top right).
  4. Hover over the avatar again — password is shown in plain text without re-prompting for master password or PIN.

Expected Result

Passwords should never be shown without re-authentication (e.g., master password, PIN, or biometric).

Actual Result

Password is immediately visible on hover, no re-auth required.

Platform

  • OS: Windows 11
  • Browser: Microsoft Edge verision 141.0.3537.71
  • Bitwarden version: 2025.9.0. server version: 2025.4.0

Severity

High — This undermines the core security model of Bitwarden.

Suggestion

Always require re-authentication before revealing passwords, even if the extension is "unlocked".

Vaultwarden Build Version

1.34.1

Deployment method

Official Container Image

Custom deployment method

No response

Reverse Proxy

nginx

Host/Server Operating System

Linux

Operating System Version

No response

Clients

Browser Extension

Client Version

Edge verision 141.0.3537.71 - Bitwarden version: 2025.9.0.

Steps To Reproduce

  1. Install Bitwarden extension on Microsoft Edge.
  2. Log in to the extension.
  3. Click the avatar icon (top right).
  4. Hover over the avatar again — password is shown in plain text without re-prompting for master password or PIN.

Expected Result

Passwords should never be shown without re-authentication (e.g., master password, PIN, or biometric).

Actual Result

Password is immediately visible on hover, no re-auth required.

Logs


Screenshots or Videos

No response

Additional Context

No response

Originally created by @xy14053156 on GitHub (Oct 19, 2025). ### Prerequisites - [x] I have searched the existing **Closed _AND_ Open** [Issues](https://github.com/dani-garcia/vaultwarden/issues?q=is%3Aissue%20) **_AND_** [Discussions](https://github.com/dani-garcia/vaultwarden/discussions?discussions_q=) - [x] I have searched and read the [documentation](https://github.com/dani-garcia/vaultwarden/wiki/) ### Vaultwarden Support String ### Summary After logging into the Bitwarden Edge extension, simply hovering the mouse over the avatar icon **automatically reveals the full password in plain text**, without any additional authentication or interaction. This is a serious security flaw, especially on shared or public devices. ### Steps to Reproduce 1. Install Bitwarden extension on Microsoft Edge. 2. Log in to the extension. 3. Click the avatar icon (top right). 4. Hover over the avatar again — **password is shown in plain text** without re-prompting for master password or PIN. ### Expected Result Passwords should **never** be shown without re-authentication (e.g., master password, PIN, or biometric). ### Actual Result Password is **immediately visible on hover**, no re-auth required. ### Platform - OS: Windows 11 - Browser: Microsoft Edge verision 141.0.3537.71 - Bitwarden version: 2025.9.0. server version: 2025.4.0 ### Severity **High** — This undermines the core security model of Bitwarden. ### Suggestion Always require re-authentication before revealing passwords, even if the extension is "unlocked". ### Vaultwarden Build Version 1.34.1 ### Deployment method Official Container Image ### Custom deployment method _No response_ ### Reverse Proxy nginx ### Host/Server Operating System Linux ### Operating System Version _No response_ ### Clients Browser Extension ### Client Version Edge verision 141.0.3537.71 - Bitwarden version: 2025.9.0. ### Steps To Reproduce 1. Install Bitwarden extension on Microsoft Edge. 2. Log in to the extension. 3. Click the avatar icon (top right). 4. Hover over the avatar again — **password is shown in plain text** without re-prompting for master password or PIN. ### Expected Result Passwords should **never** be shown without re-authentication (e.g., master password, PIN, or biometric). ### Actual Result Password is **immediately visible on hover**, no re-auth required. ### Logs ```text ``` ### Screenshots or Videos _No response_ ### Additional Context _No response_
GiteaMirror added the bug label 2025-11-07 07:42:35 -06:00
Author
Owner

@stefan0xC commented on GitHub (Oct 19, 2025):

Duplicate of https://github.com/dani-garcia/bw_web_builds/issues/219

While I am using Firefox and not Edge when I hover over the avatar it tells me the name of my account so you probably have entered the password as name when signing up. You can change the name in the web-vault under Settings -> My account (/#/settings/account).

@stefan0xC commented on GitHub (Oct 19, 2025): Duplicate of https://github.com/dani-garcia/bw_web_builds/issues/219 While I am using Firefox and not Edge when I hover over the avatar it tells me the **name** of my account so you probably have entered the password as name when signing up. You can change the name in the web-vault under Settings -> My account (`/#/settings/account`).
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/vaultwarden#2406