"PII Disclosure" issue impact our root domain being marked as Deceptive Content #830

Closed
opened 2025-10-09 16:53:14 +03:00 by OVERLORD · 1 comment
Owner

Originally created by @saggafarsyad on GitHub.

Subject of the issue

The URL <BASE_URL>/app/main.3a27378a743dd4ad9f70.js contains the credit card number "4242424242424242", which counts as Personally Identifiable Information (CC numbers, SSNs and similar sensitive data).

We suspect that this alert is a false alarm because the hardcoded text is intended as an example or placeholder. But this PII Disclosure issue impacts our root domain, which has been marked as Deceptive content by Google, and all our websites within subdomains were marked as Dangerous.

Solution

We tried replacing "4242424242424242" with "42424242xxxxxxxx" in the compiled file /web-vault/app/main.3a27378a743dd4ad9f70.js, re-deployed and re-scanned with OWASP ZAP; the issue was then resolved.

Deployment environment

  • vaultwarden version: 1.28.1
  • Install method: Docker image
  • Clients used: Web Vault, Chrome Extensions
  • Reverse proxy and version: NGINX v1.24.0
  • MySQL/MariaDB or PostgreSQL version: N/A
  • Other relevant details: Web Vault Version 2023.3.0

Steps to reproduce

  • Scan with OWASP ZAP

Expected behaviour

  • No High Risk Alerts

Actual behaviour

  • OWASP ZAP catches the dummy credit card number "4242424242424242" as a PII Disclosure issue and marks it as a High Risk alert

Troubleshooting data

  • Related code: (screenshot)
  • Related CWE: https://cwe.mitre.org/data/definitions/359.html
  • OWASP ZAP Plugin: https://www.zaproxy.org/docs/alerts/10062/

@BlackDex commented on GitHub:

This is not something we can fix, for one. This code is part of the Bitwarden Clients repo: https://github.com/search?q=repo%3Abitwarden%2Fclients%2042424242&type=code

Second, that is a known test credit-card number. So I suggest creating a ticket at the detection library and reporting it, so that it can exclude this and maybe other well-known test numbers.

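As an added triage aid (not code from vaultwarden, Bitwarden or ZAP), the following Python checks ZAP-style evidence strings against the Luhn algorithm and a constructed allowlist of widely published test card numbers, so a hit on 4242424242424242 can be labelled a likely false positive before anyone starts patching compiled bundles. The `KNOWN_TEST_CARDS` set, the `CARD_RE` pattern and the sample evidence are assumptions constructed for this example.

```python
"""Triage helper for OWASP ZAP "PII Disclosure" (alert 10062) hits.

Added example, not part of vaultwarden or ZAP. Given the evidence string
ZAP reports, it separates well-known test numbers and Luhn-invalid
digit runs from hits that deserve a human look.
"""
import re

# Constructed allowlist of widely published test card numbers
# (the first one is the number flagged in this issue).
KNOWN_TEST_CARDS = {
    "4242424242424242",
    "4111111111111111",
    "5555555555554444",
    "378282246310005",
}

# 13-19 digits, optionally separated by spaces or dashes, not embedded
# in a longer digit run. Separator handling is deliberately simple.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check. Real cards pass it, but so do test numbers,
    so it only filters out random digit runs, not placeholders."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_evidence(evidence: str) -> list[dict]:
    """Return one record per card-like number found in the evidence."""
    hits = []
    for m in CARD_RE.finditer(evidence):
        digits = re.sub(r"[ -]", "", m.group(0))
        if digits in KNOWN_TEST_CARDS:
            verdict = "known-test-number"
        elif not luhn_valid(digits):
            verdict = "luhn-fail"
        else:
            verdict = "review"      # Luhn-valid and unknown: escalate
        hits.append({"number": digits, "luhn": luhn_valid(digits), "verdict": verdict})
    return hits


def triage(evidence: str) -> str:
    """Overall verdict for one ZAP alert's evidence string."""
    hits = classify_evidence(evidence)
    if not hits:
        return "no-card-like-data"
    if all(h["verdict"] != "review" for h in hits):
        return "likely-false-positive"
    return "needs-review"


# Constructed evidence mimicking three string literals in a minified bundle.
SAMPLE_EVIDENCE = "\n".join([
    'placeholder:"4242424242424242",',
    'example:"1234567890123456",',
    'other:"4000000000000010",',
])
```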
Reference: starred/vaultwarden#830