- Aug 17, 2014
The open source Bitwarden password manager supports biometric authentication. Windows Hello is supported on Windows, so that users may use biometric authentication to access their passwords and other vault data. Up until recently, anyone could use the stored data to access the user's vault without authentication under certain circumstances.
The vulnerability allowed anyone with local access to a Windows machine with Bitwarden installed and Windows Hello unlocking enabled to view all vault contents. Attackers could also use API calls to alter data and have it updated on Bitwarden's server.
Bitwarden may set up unlocking of their vault on Windows through Windows Hello by selecting File > Settings > Unlock with Windows Hello in the desktop application. The password manager creates a biometric master key when the option is select and stores it inside the user's credential set on the system.
A correct implementation of the authentication option would prompt users for authentication before access to the vault is unlocked. A post on Hacker One explains that the authentication through Windows Hello was unneeded and that anyone with access to the system could comment out a line to unlock a user's vault without any form of authentication.
The author explains: "The biometric master key can in fact be retrieved with a simple call to the CredRead windows API function, and then used to decrypt the locally saved data present in %appdata%\Bitwarden\data.json. The Windows Hello authentication prompt therefore gives a false sense of security to the user, making it seem as if authentication is needed to decrypt vault data, when in reality it is not.".
The files can be read without elevation and they are accessible to any administrator account on the system as well. The issue affects Bitwarden users who have selected to use Windows Hello for unlocking vault access on Windows devices.
Bitwarden released an updated version for Windows that addresses the issue and implements Windows Hello authentication correctly. New and existing users may download the latest version from the official website. A click on Help > Check for updates in Bitwarden should return the update as well so that it is installed on the device.
Bitwarden users on Windows need to make sure that they have version 2023.4.0 or newer installed on their devices. The client displays the installed version when Help > About Bitwarden is selected.
The latest version of the Bitwarden applications includes a new security feature that is asking for a password or Pin at the start of the application when Windows Hello is used. This is found in the Settings as a new option.
Earlier versions of Bitwarden for Windows implemented support for Windows Hello incorrectly, which allowed anyone with local access to see all vault data without authentication.