Unifi Official TM UniFi High Speed Broadband Thread V42, READ 1ST PAGE FOR RELEVANT WIFI INFO!

views
     
kwss
post Dec 18 2023, 09:50 AM

Found the bug:
https://github.com/bitwarden/mobile/blob/e6...orwarder.cs#L23

requestMessage.Version = new Version(1, 0);

Just change it to Version(2, 0) and it's done!

Also here:
https://github.com/bitwarden/mobile/blob/e6...iService.cs#L91

And here:
https://github.com/bitwarden/mobile/blob/e6...dService.cs#L46

This post has been edited by kwss: Dec 18 2023, 09:59 AM
BenYeeHua
post Dec 18 2023, 09:50 AM



QUOTE(kwss @ Dec 18 2023, 09:41 AM)
curl, which has HTTP/2 support, indeed succeeds...
So it's a combination of factors:
1. The Xamarin used by the Android app (explains why Apple iOS and browsers work)
2. Cloudflare DDoS protection is triggered for TM with HTTP/1.1

Why Cloudflare only kills HTTP/1.1 on the TM prefix is a mystery. Supposedly if there is an attack, IPv6 should still work since it's not NAT.
But it seems like they kill the whole AS4788.
*
Well, ya, and this app kind of failed the testing.
Because to bypass the app's pinned cert, you just choose https://vault.bitwarden.eu as the server, then MiTM can happen.

Which means, if you trust the privacy of the EU and put your data on the EU server, it just becomes less secure than the default US server...

Also, strangely, https://vault.bitwarden.eu is safe/excluded from this Cloudflare DDoS protection....

Why the hell are there still people using this kind of app, lol!!!
BenYeeHua
post Dec 18 2023, 09:51 AM



QUOTE(kwss @ Dec 18 2023, 09:50 AM)
Found the bug:
https://github.com/bitwarden/mobile/blob/e6...orwarder.cs#L23

requestMessage.Version = new Version(1, 0);

Just change it to Version(2, 0) and it's done!
*
lol.
Still, they need to solve the cert pin issue for EU customers; by default they are not cert-pin protected.
---
So, any comment on why they put it as 1, 0?
Let me see the commit history.
kwss
post Dec 18 2023, 09:56 AM

QUOTE(BenYeeHua @ Dec 18 2023, 09:51 AM)
lol.
Still, they need to solve the cert pin issue for EU customers; by default they are not cert-pin protected.
---
So, any comment on why they put it as 1, 0?
Let me see the commit history.
*
My understanding is cert pinning is not required / impossible to implement:
1. Self-hosting is impossible
2. Not required because the security depends on the master password, which is done client-side. Supposedly MiTM won't reveal any secret
BenYeeHua
post Dec 18 2023, 10:03 AM



QUOTE(kwss @ Dec 18 2023, 09:56 AM)
My understanding is cert pinning is not required / impossible to implement:
1. Self-hosting is impossible
2. Not required because the security depends on the master password, which is done client-side. Supposedly MiTM won't reveal any secret
*
Yes, then why the cert pin for bitwarden.com, but not for bitwarden.eu?

Or maybe it is not a cert pin la, as the error is:
Exception message: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.

Anyways, during MiTM, .com is not allowed and the error above is shown, but .eu is allowed, which is just inconsistent...
Still, it could be a bug in the MiTM app la, as I was just lazy to use HttpCanary, which seems like a paid app, stopped being updated and taken down by Google.
---
Yes, as long as the Master Password is implemented correctly, then yes, MiTM doesn't work.

Still, our mission is done; let the Bitwarden + TM customers fix their own issues la.
I guess those select bitwarden.eu customers are happy, as they are excluded from this DDoS protection, being a minority of customers.
---
For me, another lesson learned, job done, sleep~

This post has been edited by BenYeeHua: Dec 18 2023, 10:06 AM
kwss
post Dec 18 2023, 10:09 AM

QUOTE(BenYeeHua @ Dec 18 2023, 10:03 AM)
Yes, then why the cert pin for bitwarden.com, but not for bitwarden.eu?

Or maybe it is not a cert pin la, as the error is:
Exception message: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.

Anyways, during MiTM, .com is not allowed and the error above is shown, but .eu is allowed, which is just inconsistent...
Still, it could be a bug in the MiTM app la, as I was just lazy to use HttpCanary, which seems like a paid app, stopped being updated and taken down by Google.
---
Yes, as long as the Master Password is implemented correctly, then yes, MiTM doesn't work.

Still, our mission is done; let the Bitwarden + TM customers fix their own issues la.
I guess those select bitwarden.eu customers are happy, as they are excluded from this DDoS protection, being a minority of customers.
---
For me, another lesson learned, job done, sleep~
*
The same shit can hit .eu users anytime. It's still behind Cloudflare.
Ya, we close the case for this one.
Best thing for Bitwarden users to remember: beware of the platform kicking you out.
BenYeeHua
post Dec 18 2023, 10:13 AM



QUOTE(kwss @ Dec 18 2023, 10:09 AM)
The same shit can hit .eu users anytime. It's still behind Cloudflare.
Ya, we close the case for this one.
Best thing for Bitwarden users to remember: beware of the platform kicking you out.
*
Secondly, why the hell would you use Cloudflare as the CDN for the app while not supporting the DDoS part, lol.

Based on the data I captured using MiTM, they did support cookies, which means that by showing a WebView to load the DDoS protection page, the customer can tick the verification as human, then the app can use the cookies to pass the protection normally.

Anyways, I hope Bitwarden customers are seeking another, better platform, as it's gonna fall easily.

PS: Reminds me of old history, 10 years ago, when Osu! used a custom HTTP protocol that communicated via Cloudflare CDN, and they proved it saved a huge cost, lol.

This post has been edited by BenYeeHua: Dec 18 2023, 10:15 AM
kwss
post Dec 18 2023, 10:38 AM

QUOTE(BenYeeHua @ Dec 18 2023, 10:13 AM)
Secondly, why the hell would you use Cloudflare as the CDN for the app while not supporting the DDoS part, lol.

Based on the data I captured using MiTM, they did support cookies, which means that by showing a WebView to load the DDoS protection page, the customer can tick the verification as human, then the app can use the cookies to pass the protection normally.

Anyways, I hope Bitwarden customers are seeking another, better platform, as it's gonna fall easily.

PS: Reminds me of old history, 10 years ago, when Osu! used a custom HTTP protocol that communicated via Cloudflare CDN, and they proved it saved a huge cost, lol.
*
I briefly looked at it; it seems not so straightforward. For a start, https://vault.bitwarden.com/api/config is just a plain GET request. But they did:
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT

This opens them to DoS attacks. They should have enabled caching; even a mere 1 minute would allow Cloudflare to absorb all the attack, including Layer 7 attacks.

Then I looked at https://developers.cloudflare.com/turnstile/
Not sure how they want to do it. The reason is, for the endpoint, Cloudflare immediately responds:
HTTP/1.1 403 Forbidden

I suspect only with a known browser string will they respond with the full Turnstile page.

After looking at all this, my opinion is they should just enable caching, disable the captcha and let Cloudflare take the hit.
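A check for the caching point made above, as an added example that is not from the thread or from Bitwarden's or Cloudflare's code: it parses a Cache-Control header the way a shared cache (a CDN edge) reads it and reports whether the edge could serve repeat requests without touching origin. The headers quoted in the post and a constructed 60-second variant are embedded as samples; it also handles s-maxage, which the post does not mention.

```python
from dataclasses import dataclass, field

# Headers quoted in the thread for https://vault.bitwarden.com/api/config
THREAD_HEADERS = {
    "Cache-Control": "private, max-age=0, no-store, no-cache, must-revalidate, "
                     "post-check=0, pre-check=0",
    "Expires": "Thu, 01 Jan 1970 00:00:01 GMT",
}
# Constructed variant: the 1-minute edge caching the post argues for
FIXED_HEADERS = {"Cache-Control": "public, max-age=60"}


@dataclass
class CacheVerdict:
    shared_cacheable: bool   # may a CDN edge serve this without hitting origin?
    ttl_seconds: int         # for how long the edge may do so
    reasons: list = field(default_factory=list)  # why it cannot, if it cannot


def parse_cache_control(value: str) -> dict:
    """Split 'a, b=1, c' into {'a': None, 'b': '1', 'c': None}; names lowercased."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if part:
            name, _, arg = part.partition("=")
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def shared_cache_verdict(headers: dict) -> CacheVerdict:
    """Apply the shared-cache rules (RFC 9111 directives) to a response header dict."""
    cc = parse_cache_control(headers.get("Cache-Control", ""))
    reasons = []
    for blocker in ("no-store", "private"):
        if blocker in cc:
            reasons.append(f"'{blocker}' forbids storing the response in a shared cache")
    if "no-cache" in cc:
        reasons.append("'no-cache' forces revalidation at origin before every reuse")
    # s-maxage takes precedence over max-age for shared caches
    ttl = 0
    for key in ("s-maxage", "max-age"):
        arg = cc.get(key)
        if arg is not None and arg.isdigit():
            ttl = int(arg)
            break
    if ttl == 0:
        reasons.append("no positive freshness lifetime, so every request reaches origin")
    return CacheVerdict(not reasons, ttl if not reasons else 0, reasons)
```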
BenYeeHua
post Dec 18 2023, 11:04 AM



QUOTE(kwss @ Dec 18 2023, 10:38 AM)
I briefly looked at it; it seems not so straightforward. For a start, https://vault.bitwarden.com/api/config is just a plain GET request. But they did:
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT

This opens them to DoS attacks. They should have enabled caching; even a mere 1 minute would allow Cloudflare to absorb all the attack, including Layer 7 attacks.

Then I looked at https://developers.cloudflare.com/turnstile/
Not sure how they want to do it. The reason is, for the endpoint, Cloudflare immediately responds:
HTTP/1.1 403 Forbidden

I suspect only with a known browser string will they respond with the full Turnstile page.

After looking at all this, my opinion is they should just enable caching, disable the captcha and let Cloudflare take the hit.
*
Well, I guess normally they don't understand this kind of stuff, and are too lazy to.

Like I know a private forum which set 45 days of caching on a JS file, which, you know, there are a lot of methods to invalidate a cached file, like 1.hash.js; even clicking flush cache in Cloudflare's dashboard also counts, which just takes 1 min.

But the developer just replied to me: lazy la, it is not an interesting feature, so troublesome, let it be....
Then after 45 days of desynced/outdated JS versions, finally the cache expired, bug fixed, lol.

Within these 45 days, a lot of repeated bug reports were created, and the server got DDoSed by the outdated JS file checking in repeatedly, well...

And yes, now it is set to 15 days of caching, and after 2 years, the private forum is, well, nearly dead now.

So there will be more and more issues like this in the future, as rapid development is the future; leaving bank systems still running on COBOL will not be the worst one...
---
Yes, the solution is out there, with Google, but 99% of people don't know how to Google properly; what you see is just SEO results, so...
Not gonna put a lot of hope on anything already....

Just, nah, doing my own best la...
annoymous1234
post Dec 18 2023, 03:03 PM


No wonder la. On WiFi I cannot log in to Bitwarden. Panicked already. Then switched to data, can. At first I thought it was my AdGuard DNS. Then removed it already, still the same.
cse.my
post Dec 18 2023, 05:20 PM



Refer to the picture and suggestions.

30Mbps VDSL and already fibre infra since Saturday.

TM trolling me? Or putar halim so kuat.

Complain to them for misleading, or?

Free speed not ending December meh?


[3 attached images]

This post has been edited by cse.my: Dec 18 2023, 05:26 PM
Oltromen Ripot
post Dec 18 2023, 05:44 PM

QUOTE(cse.my @ Dec 18 2023, 05:20 PM)
Refer to the picture and suggestions.

30Mbps VDSL and already fibre infra since Saturday.

TM trolling me? Or putar halim so kuat.

Complain to them for misleading, or?

Free speed not ending December meh?
[3 attached images]
*
As at 4th October, you were not entitled.
That's all there is to it.
Right from the start, the TnC already listed the criteria for eligibility.
Yes, maybe some fell through the cracks.
Still does not mean you are entitled.
kwss
post Dec 18 2023, 06:02 PM

QUOTE(cse.my @ Dec 18 2023, 05:20 PM)
Refer to the picture and suggestions.

30Mbps VDSL and already fibre infra since Saturday.

TM trolling me? Or putar halim so kuat.

Complain to them for misleading, or?

Free speed not ending December meh?
[3 attached images]
*
My understanding is you are already using VDSL. TM then upgraded your infra to full fibre. Is that correct?

What does the portal say when you log in? Does it say you are eligible?
What was your VDSL package?
What is your current package?

If you did not change the package then you are 100% eligible for 100Mbps, unless you are using the Rahmah package.

Maybe shop around if your area has others like Time or City Broadband.
Else just recontract 100Mbps for RM79 if you don't mind.

This post has been edited by kwss: Dec 18 2023, 06:09 PM
cse.my
post Dec 18 2023, 06:49 PM



QUOTE(kwss @ Dec 18 2023, 06:02 PM)
My understanding is you are already using VDSL. TM then upgraded your infra to full fibre. Is that correct?

Yes

What does the portal say when you log in? Does it say you are eligible?
What was your VDSL package?
What is your current package?

30Mbps VDSL, try me, RM89 excluding tax monthly
Contract over a long time ago

If you did not change the package then you are 100% eligible for 100Mbps, unless you are using the Rahmah package.

That's why I asked online CS.
One moment they say my infra is not supported
One moment they say my infra is ready

Maybe shop around if your area has others like Time or City Broadband.
Else just recontract 100Mbps for RM79 if you don't mind.

My understanding is about the WhatsApp message I received.
Free infra and upgrade.

*
Correct me if my understanding is wrong.

kwss
post Dec 18 2023, 06:54 PM

QUOTE(cse.my @ Dec 18 2023, 06:49 PM)
Correct me if my understanding is wrong.
*
Your package is not listed in the exclusion list per the TnC.
Also per the TnC, you did not change package after 4 October.

My understanding is you are legally entitled to the speed upgrade. Also, what kind of fibre cannot support 100Mbps? Yours is new fibre somemore.

Log in to your account at unifi.my.
Click your package; does it say you are eligible for upgrade?

Did you do a speedtest? Maybe you are already upgraded.
cse.my
post Dec 18 2023, 06:57 PM



QUOTE(kwss @ Dec 18 2023, 06:54 PM)
Your package is not listed in the exclusion list per the TnC.
Also per the TnC, you did not change package after 4 October.

My understanding is you are legally entitled to the speed upgrade. Also, what kind of fibre cannot support 100Mbps? Yours is new fibre somemore.

Log in to your account at unifi.my.
Click your package; does it say you are eligible for upgrade?

Did you do a speedtest? Maybe you are already upgraded.
*
[attached image]

So funny, new fibre infra sumore

This post has been edited by cse.my: Dec 18 2023, 06:57 PM
kwss
post Dec 18 2023, 07:03 PM

QUOTE(cse.my @ Dec 18 2023, 06:57 PM)
[attached image]

So funny, new fibre infra sumore
*
Well, I don't have any other suggestions other than filing a complaint with TM, then following up with MCMC.
cse.my
post Dec 18 2023, 07:04 PM



QUOTE(Oltromen Ripot @ Dec 18 2023, 05:44 PM)
As at 4th October, you were not entitled.
That's all there is to it.
Right from the start, the TnC already listed the criteria for eligibility.
Yes, maybe some fell through the cracks.
Still does not mean you are entitled.
*
Then why did TM send me a WhatsApp and call me to confirm and verify in NOVEMBER?

Nothing to do? Wasting my time to reach KPI, lol?
cse.my
post Dec 18 2023, 07:05 PM



QUOTE(kwss @ Dec 18 2023, 07:03 PM)
Well, I don't have any other suggestions other than filing a complaint with TM, then following up with MCMC.
*
Ya thanks.
I also think so.

zellleonhart
post Dec 18 2023, 09:17 PM



Thanks kwss and BenYeeHua, finally got time to check this thread.
I replied with a summary of this issue to the customer support email; I don't think it will be fixed anytime soon, depending on whether the person forwards it to their devs or not.

Anyhow, there's no way to fix this myself unless I build the app with the fixed code, right (I don't want to).

Should I continue using my new bitwarden.eu account or just switch to 1Password...
