Chrome extension bypasses 2fa ?! #1011

Closed
opened 2026-02-04 23:37:08 +03:00 by OVERLORD · 2 comments

Originally created by @H4R0 on GitHub (Apr 14, 2021).

Subject of the issue

Chrome Bitwarden extension is not asking for the 2fa method on login anymore.

This started 2 days ago after I upgraded to bitwardenrs/server:latest

The Desktop Client as well as the Web Vault are asking for the 2fa method.

How can 2fa even be bypassed?! The Extension is LOGGED OUT, not LOCKED!

* bitwarden_rs version: https://hub.docker.com/layers/bitwardenrs/server/latest/images/sha256-20dfe5e0abf10febf01510a8a97a639372b933bfcb215b6a3a46fc09246b5f77
* Install method: Docker
* Clients used: https://chrome.google.com/webstore/detail/nngceckbapebfimnlniiiahkandclblb

Steps to reproduce

Set up 2fa with email or anything else and log in using the chrome extension.

Expected behaviour

Client should ask for 2fa

Actual behaviour

Client logs in without asking for 2fa

Troubleshooting data

The container log differs for both logins.

Chrome Extension not asking for 2fa:

[2021-04-14 15:37:44.171][request][INFO] POST /api/accounts/prelogin
[2021-04-14 15:37:44.183][response][INFO] POST /api/accounts/prelogin (prelogin) => 200 OK
[2021-04-14 15:37:44.252][request][INFO] POST /identity/connect/token
[2021-04-14 15:37:44.378][bitwarden_rs::api::identity][INFO] User user@example.org logged in successfully. IP: 192.168.1.xxx
[2021-04-14 15:37:44.379][response][INFO] POST /identity/connect/token (login) => 200 OK
[2021-04-14 15:37:44.435][request][INFO] GET /api/sync
[2021-04-14 15:37:44.484][response][INFO] GET /api/sync?<data..> (sync) => 200 OK
[2021-04-14 15:37:44.492][parity_ws::io][INFO] Accepted a new tcp connection from 192.168.1.xxx:56006.

Desktop Client asking for 2fa:

[2021-04-14 15:38:11.099][request][INFO] POST /api/accounts/prelogin
[2021-04-14 15:38:11.101][response][INFO] POST /api/accounts/prelogin (prelogin) => 200 OK
[2021-04-14 15:38:11.178][request][INFO] POST /identity/connect/token
[2021-04-14 15:38:11.269][error][ERROR] 2FA token not provided
[2021-04-14 15:38:11.269][response][INFO] POST /identity/connect/token (login) => 400 Bad Request
[2021-04-14 15:38:11.330][request][INFO] POST /api/two-factor/send-email-login
[2021-04-14 15:38:11.692][response][INFO] POST /api/two-factor/send-email-login (send_email_login) => 200 OK

@jjlin commented on GitHub (Apr 14, 2021):

You probably enabled Remember me; see https://bitwarden.com/help/article/twostep-faqs/#q-why-is-bitwarden-not-asking-for-my-enabled-two-step-login-method.

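The two log excerpts in the issue show what the server sees in each case: the desktop client's token request is refused with "2FA token not provided" and a 400, while the extension's request succeeds outright. The Python below is an added example, not code from the issue or from the vaultwarden project. It parses that `[timestamp][source][LEVEL] message` log format and flags token logins that succeeded without the server ever demanding a second factor. The five-minute window used to pair a challenge with a later success is an assumption, and a success with no challenge is exactly what a Remember me login (or an account with no 2FA enabled) looks like from the server side, so a hit is a prompt to check the account's remembered devices, not proof of a bypass.

```python
"""Classify bitwarden_rs / vaultwarden login attempts from the container log.

Added example; not part of the issue or of the vaultwarden project.
Reads the log line format shown in the issue and reports, for each
POST /identity/connect/token, whether the server demanded a second factor.
"""
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<src>[^\]]+)\]\[(?P<lvl>[A-Z]+)\] (?P<msg>.*)$"
)
LOGIN_RE = re.compile(r"User (\S+) logged in successfully\. IP: (\S+)")
TS_FMT = "%Y-%m-%d %H:%M:%S.%f"
# Assumption: a "2FA token not provided" error older than this belongs to a
# different login attempt and is not paired with a later success.
CHALLENGE_WINDOW = timedelta(minutes=5)

# Constructed sample: the two sequences quoted in the issue, concatenated.
SAMPLE_LOG = """\
[2021-04-14 15:37:44.171][request][INFO] POST /api/accounts/prelogin
[2021-04-14 15:37:44.183][response][INFO] POST /api/accounts/prelogin (prelogin) => 200 OK
[2021-04-14 15:37:44.252][request][INFO] POST /identity/connect/token
[2021-04-14 15:37:44.378][bitwarden_rs::api::identity][INFO] User user@example.org logged in successfully. IP: 192.168.1.xxx
[2021-04-14 15:37:44.379][response][INFO] POST /identity/connect/token (login) => 200 OK
[2021-04-14 15:37:44.435][request][INFO] GET /api/sync
[2021-04-14 15:37:44.484][response][INFO] GET /api/sync?<data..> (sync) => 200 OK
[2021-04-14 15:37:44.492][parity_ws::io][INFO] Accepted a new tcp connection from 192.168.1.xxx:56006.
[2021-04-14 15:38:11.099][request][INFO] POST /api/accounts/prelogin
[2021-04-14 15:38:11.101][response][INFO] POST /api/accounts/prelogin (prelogin) => 200 OK
[2021-04-14 15:38:11.178][request][INFO] POST /identity/connect/token
[2021-04-14 15:38:11.269][error][ERROR] 2FA token not provided
[2021-04-14 15:38:11.269][response][INFO] POST /identity/connect/token (login) => 400 Bad Request
[2021-04-14 15:38:11.330][request][INFO] POST /api/two-factor/send-email-login
[2021-04-14 15:38:11.692][response][INFO] POST /api/two-factor/send-email-login (send_email_login) => 200 OK
"""


def parse_lines(text):
    """Yield (timestamp, source, level, message) for each well-formed log line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip anything not in the vaultwarden log format
        yield datetime.strptime(m["ts"], TS_FMT), m["src"], m["lvl"], m["msg"]


def classify_logins(text):
    """Return one record per 2FA challenge or successful login, in log order.

    outcome is one of:
      challenged                 server refused the token request for lack of 2FA
      success_after_challenge    success within CHALLENGE_WINDOW of a challenge
      success_without_challenge  success with no recent challenge (Remember me,
                                 or no 2FA enabled on the account)
    """
    results = []
    last_challenge = None  # timestamp of the most recent unconsumed challenge
    for ts, _src, _lvl, msg in parse_lines(text):
        if msg == "2FA token not provided":
            last_challenge = ts
            results.append({"ts": ts, "user": None, "ip": None, "outcome": "challenged"})
            continue
        m = LOGIN_RE.match(msg)
        if m:
            recent = last_challenge is not None and ts - last_challenge <= CHALLENGE_WINDOW
            outcome = "success_after_challenge" if recent else "success_without_challenge"
            results.append({"ts": ts, "user": m.group(1), "ip": m.group(2), "outcome": outcome})
            if recent:
                last_challenge = None  # the challenge has been answered
    return results


def suspicious_logins(text):
    """Logins that succeeded with no 2FA challenge visible in the log."""
    return [r for r in classify_logins(text) if r["outcome"] == "success_without_challenge"]


if __name__ == "__main__":
    for r in classify_logins(SAMPLE_LOG):
        print(r["ts"], r["outcome"], r["user"] or "-", r["ip"] or "-")
```

Run against a real container log (`docker logs <container> | python3 this.py` after swapping `SAMPLE_LOG` for stdin) it lists every success that never triggered a challenge; for each such user, the next step is the one the thread ends on: review Remember me on the client and deauthorize sessions if the device was not meant to be trusted.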

@H4R0 commented on GitHub (Apr 14, 2021):

Thanks a lot, must have clicked it by accident.

Settings → My Account → Deauthorize Sessions

Reference: starred/vaultwarden#1011