Tell HN: Bitwarden Plugin for Firefox and Google Chrome Issues
2 points by t-writescode on April 28, 2024 | 1 comment
The "Login with Device" feature for Bitwarden on both Google Chrome and Firefox is reporting a different fingerprint from the one that shows up on the device that validates them.

Bitwarden provides a feature where you can use a second device to authenticate you, after you've logged in the first time, to unlock it. Today, I was being lazy and didn't want to enter my login credentials, so I clicked "Login with Device".

Firefox's Bitwarden plugin shared a different fingerprint than expected.

I then tested using the "login with device" option on my iPad with the app downloaded from the Apple App Store. The fingerprint on both the iPad and my phone was the same.

I have now tested it on:

  * Windows Firefox
  * Mac OS X Firefox
  * Windows Google Chrome
  * Apple iPad app

Both versions of Firefox and now Google Chrome are all reporting different fingerprints than what my mobile phone shows.

This is concerning to me because that fingerprint is intended to validate which machine is attempting to log in and if they're different, it's probably a simple bug in the extensions; but I'm afraid that it could reflect a MitM attack on Chrome and Firefox extensions.

I have sent a report to Bitwarden about this (I have not root-caused this bug), but I wanted to get the alert out there in case this is a bigger concern for everyone.

edit: formatting
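As an added illustration of the check the post describes (not code from the post, and not Bitwarden's implementation), the model below treats the "login with device" fingerprint as a hash of the requesting client's public key that both devices display. The derivation (hex SHA-256 of the key), the key bytes and the display format are all assumptions made for this example; the page says nothing about how Bitwarden actually computes the value. It shows why the two displays should agree and why a mismatch is the signal to refuse the approval.

```python
import hashlib
import hmac

# Illustrative model of an out-of-band "login with device" approval. It is NOT
# Bitwarden's actual protocol: the real fingerprint derivation is not described
# on the page, and every value below is constructed for the example.


def fingerprint(public_key: bytes) -> str:
    """Assumed derivation: hex SHA-256 of the requesting device's public key."""
    return hashlib.sha256(public_key).hexdigest()


def display_form(fp_hex: str, groups: int = 5, width: int = 4) -> str:
    """Dashed groups of the leading hex digits, the form a person compares by eye."""
    head = fp_hex[: groups * width]
    return "-".join(head[i : i + width] for i in range(0, len(head), width))


def approve(shown_on_requester: str, shown_on_approver: str) -> bool:
    """The approving device should only approve when both displays agree."""
    return hmac.compare_digest(shown_on_requester, shown_on_approver)


# Constructed stand-ins for key material (not real keys).
REQUESTER_KEY = b"\x04" + bytes(range(64))
INTERPOSED_KEY = b"\x04" + bytes(range(64, 128))


def simulate_login_request(tampered: bool) -> dict:
    """Run one approval round.

    The requesting client displays the fingerprint of the key it generated.
    The approving device displays the fingerprint of whatever key actually
    arrived in the pending request. If something between them substituted
    the key (tampered=True), the two displays diverge and approval is denied.
    """
    key_in_request = INTERPOSED_KEY if tampered else REQUESTER_KEY
    requester_display = display_form(fingerprint(REQUESTER_KEY))
    approver_display = display_form(fingerprint(key_in_request))
    return {
        "requester_display": requester_display,
        "approver_display": approver_display,
        "approved": approve(requester_display, approver_display),
    }


if __name__ == "__main__":
    for tampered in (False, True):
        r = simulate_login_request(tampered)
        print(
            f"tampered={tampered}: requester shows {r['requester_display']}, "
            f"approver shows {r['approver_display']}, approved={r['approved']}"
        )
```

In this model a mismatch cannot by itself distinguish a substituted key from a client that simply renders the wrong value, which is the ambiguity the post raises. The safe handling is the same in both cases: the approving device denies the request and the user falls back to the normal login, then reports the discrepancy.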

It seems like you may have accidentally enabled passkeys:

https://fy.blackhats.net.au/blog/2024-04-26-passkeys-a-shatt...

Maybe someone else can confirm?