New Update Bitwarden Desktop client update fixes access vulnerability on Windows

silversurfer

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
9,964
The open source Bitwarden password manager supports biometric authentication. Windows Hello is supported on Windows, so that users may use biometric authentication to access their passwords and other vault data. Up until recently, anyone could use the stored data to access the user's vault without authentication under certain circumstances.

The vulnerability allowed anyone with local access to a Windows machine with Bitwarden installed and Windows Hello unlocking enabled to view all vault contents. Attackers could also use API calls to alter data and have it updated on Bitwarden's server.

Bitwarden may set up unlocking of their vault on Windows through Windows Hello by selecting File > Settings > Unlock with Windows Hello in the desktop application. The password manager creates a biometric master key when the option is select and stores it inside the user's credential set on the system.

A correct implementation of the authentication option would prompt users for authentication before access to the vault is unlocked. A post on Hacker One explains that the authentication through Windows Hello was unneeded and that anyone with access to the system could comment out a line to unlock a user's vault without any form of authentication.

The author explains: "The biometric master key can in fact be retrieved with a simple call to the CredRead windows API function, and then used to decrypt the locally saved data present in %appdata%\Bitwarden\data.json. The Windows Hello authentication prompt therefore gives a false sense of security to the user, making it seem as if authentication is needed to decrypt vault data, when in reality it is not.".

The files can be read without elevation and they are accessible to any administrator account on the system as well. The issue affects Bitwarden users who have selected to use Windows Hello for unlocking vault access on Windows devices.
Bitwarden released an updated version for Windows that addresses the issue and implements Windows Hello authentication correctly. New and existing users may download the latest version from the official website. A click on Help > Check for updates in Bitwarden should return the update as well so that it is installed on the device.

Bitwarden users on Windows need to make sure that they have version 2023.4.0 or newer installed on their devices. The client displays the installed version when Help > About Bitwarden is selected.

The latest version of the Bitwarden applications includes a new security feature that is asking for a password or Pin at the start of the application when Windows Hello is used. This is found in the Settings as a new option.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top