[GH-ISSUE #1608] Chrome extension bypasses 2fa ?! #1015

New issue

Closed

opened 2026-03-03 02:05:33 +03:00 by kerem · 2 comments

kerem commented 2026-03-03 02:05:33 +03:00

Owner

Copy link

Originally created by @H4R0 on GitHub (Apr 14, 2021).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/1608

Subject of the issue

Chrome Bitwarden extension is not asking for 2fa method on login anymore.

This started 2 days ago after I upgraded to bitwardenrs/server:latest

The Desktop Client as well as the Web Vault is asking for 2fa method.

How can 2fa even be bypassed ?! The Extension is LOGGED OUT not LOCKED !

• bitwarden_rs version: https://hub.docker.com/layers/bitwardenrs/server/latest/images/sha256-20dfe5e0abf10febf01510a8a97a639372b933bfcb215b6a3a46fc09246b5f77

• Install method: Docker

• Clients used: https://chrome.google.com/webstore/detail/nngceckbapebfimnlniiiahkandclblb

Steps to reproduce

Setup 2fa with email or anything else and login using the chrome extension.

Expected behaviour

Client should ask for 2fa

Actual behaviour

Client logs in without asking for 2fa

Troubleshooting data

The container log differs for both logins.

Chrome Extension not asking for 2fa:

[2021-04-14 15:37:44.171][request][INFO] POST /api/accounts/prelogin
[2021-04-14 15:37:44.183][response][INFO] POST /api/accounts/prelogin (prelogin) => 200 OK
[2021-04-14 15:37:44.252][request][INFO] POST /identity/connect/token
[2021-04-14 15:37:44.378][bitwarden_rs::api::identity][INFO] User user@example.org logged in successfully. IP: 192.168.1.xxx
[2021-04-14 15:37:44.379][response][INFO] POST /identity/connect/token (login) => 200 OK
[2021-04-14 15:37:44.435][request][INFO] GET /api/sync
[2021-04-14 15:37:44.484][response][INFO] GET /api/sync?<data..> (sync) => 200 OK
[2021-04-14 15:37:44.492][parity_ws::io][INFO] Accepted a new tcp connection from 192.168.1.xxx:56006.

Desktop Client asking for 2fa:

[2021-04-14 15:38:11.099][request][INFO] POST /api/accounts/prelogin
[2021-04-14 15:38:11.101][response][INFO] POST /api/accounts/prelogin (prelogin) => 200 OK
[2021-04-14 15:38:11.178][request][INFO] POST /identity/connect/token
[2021-04-14 15:38:11.269][error][ERROR] 2FA token not provided
[2021-04-14 15:38:11.269][response][INFO] POST /identity/connect/token (login) => 400 Bad Request
[2021-04-14 15:38:11.330][request][INFO] POST /api/two-factor/send-email-login
[2021-04-14 15:38:11.692][response][INFO] POST /api/two-factor/send-email-login (send_email_login) => 200 OK

Originally created by @H4R0 on GitHub (Apr 14, 2021). Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/1608 ### Subject of the issue Chrome Bitwarden extension is not asking for 2fa method on login anymore. This started 2 days ago after I upgraded to bitwardenrs/server:latest The Desktop Client as well as the Web Vault is asking for 2fa method. How can 2fa even be bypassed ?! The Extension is LOGGED OUT not LOCKED ! * bitwarden_rs version: https://hub.docker.com/layers/bitwardenrs/server/latest/images/sha256-20dfe5e0abf10febf01510a8a97a639372b933bfcb215b6a3a46fc09246b5f77 * Install method: Docker * Clients used: https://chrome.google.com/webstore/detail/nngceckbapebfimnlniiiahkandclblb ### Steps to reproduce Setup 2fa with email or anything else and login using the chrome extension. ### Expected behaviour Client should ask for 2fa ### Actual behaviour Client logs in without asking for 2fa ### Troubleshooting data The container log differs for both logins. Chrome Extension not asking for 2fa: > [2021-04-14 15:37:44.171][request][INFO] POST /api/accounts/prelogin [2021-04-14 15:37:44.183][response][INFO] POST /api/accounts/prelogin (prelogin) => 200 OK [2021-04-14 15:37:44.252][request][INFO] POST /identity/connect/token [2021-04-14 15:37:44.378][bitwarden_rs::api::identity][INFO] User user@example.org logged in successfully. IP: 192.168.1.xxx [2021-04-14 15:37:44.379][response][INFO] POST /identity/connect/token (login) => 200 OK [2021-04-14 15:37:44.435][request][INFO] GET /api/sync [2021-04-14 15:37:44.484][response][INFO] GET /api/sync?<data..> (sync) => 200 OK [2021-04-14 15:37:44.492][parity_ws::io][INFO] Accepted a new tcp connection from 192.168.1.xxx:56006. Desktop Client asking for 2fa: > [2021-04-14 15:38:11.099][request][INFO] POST /api/accounts/prelogin [2021-04-14 15:38:11.101][response][INFO] POST /api/accounts/prelogin (prelogin) => 200 OK [2021-04-14 15:38:11.178][request][INFO] POST /identity/connect/token [2021-04-14 15:38:11.269][error][ERROR] 2FA token not provided [2021-04-14 15:38:11.269][response][INFO] POST /identity/connect/token (login) => 400 Bad Request [2021-04-14 15:38:11.330][request][INFO] POST /api/two-factor/send-email-login [2021-04-14 15:38:11.692][response][INFO] POST /api/two-factor/send-email-login (send_email_login) => 200 OK

kerem closed this issue 2026-03-03 02:05:33 +03:00

kerem commented 2026-03-03 02:05:34 +03:00

Author

Owner

Copy link

@jjlin commented on GitHub (Apr 14, 2021):

You probably enabled Remember me; see https://bitwarden.com/help/article/twostep-faqs/#q-why-is-bitwarden-not-asking-for-my-enabled-two-step-login-method.

<!-- gh-comment-id:819765311 --> @jjlin commented on GitHub (Apr 14, 2021): You probably enabled `Remember me`; see https://bitwarden.com/help/article/twostep-faqs/#q-why-is-bitwarden-not-asking-for-my-enabled-two-step-login-method.

kerem commented 2026-03-03 02:05:34 +03:00

Author

Owner

Copy link

@H4R0 commented on GitHub (Apr 14, 2021):

Thanks a lot, must have clicked it by accident.

Settings → My Account -> Deauthorize Sessions

<!-- gh-comment-id:819768483 --> @H4R0 commented on GitHub (Apr 14, 2021): Thanks a lot, must have clicked it by accident. Settings → My Account -> Deauthorize Sessions

kerem referenced this issue 2026-03-03 09:08:40 +03:00

[PR #1020] [MERGED] Fixed wrong status if there is an update. #2862

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

revert-7033-patch-1

cached-config-operations

test_dylint

1.35.8

1.35.7

1.35.6

1.35.5

1.35.4

1.35.3

1.35.2

1.35.1

1.35.0

1.34.3

1.34.2

1.34.1

1.34.0

1.33.2

1.33.1

1.33.0

1.32.7

1.32.6

1.32.5

1.32.4

1.32.3

1.32.2

1.32.1

1.32.0

1.31.0

1.30.5

1.30.4

1.30.3

1.30.2

1.30.1

1.30.0

1.29.2

1.29.1

1.29.0

1.28.1

1.28.0

1.27.0

1.26.0

1.25.2

1.25.1

1.25.0

1.24.0

1.23.1

1.23.0

1.22.2

1.22.1

1.22.0

1.21.0

1.20.0

1.19.0

1.18.0

1.17.0

1.16.3

1.16.2

1.16.1

1.16.0

1.15.1

1.15.0

1.14.2

1.14.1

1.14

1.13.1

1.13.0

1.12.0

1.11.0

1.10.0

1.9.1

1.9.0

1.8.0

1.7.0

1.6.1

1.6.0

1.5.0

1.4.0

1.3.0

1.2.0

1.1.0

1.0.0

0.13.0

0.12.0

0.11.0

0.10.0

0.9.0

Labels

Clear labels   

SSO

  

Third party

  

better for forum

  

bug

  

bug

  

documentation

  

duplicate

  

enhancement

  

future Vault

  

future Vault

  

future Vault

  

good first issue

  

help wanted

  

low priority

  

notes

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

troubleshooting

  

wontfix

No labels

SSO

Third party

better for forum

bug

bug

documentation

duplicate

enhancement

future Vault

future Vault

future Vault

good first issue

help wanted

low priority

notes

pull-request

question

troubleshooting

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/vaultwarden#1015

No description provided.