The open source Bitwarden password manager supports biometric authentication. Windows Hello is supported on Windows, so that users may use biometric authentication to access their passwords and other vault data. Up until recently, anyone could use the stored data to access the user's vault without authentication under certain circumstances.
The vulnerability allowed anyone with local access to a Windows machine with Bitwarden installed and Windows Hello unlocking enabled to view all vault contents. Attackers could also use API calls to alter data and have it updated on Bitwarden's server.
Bitwarden may set up unlocking of their vault on Windows through Windows Hello by selecting File > Settings > Unlock with Windows Hello in the desktop application. The password manager creates a biometric master key when the option is select and stores it inside the user's credential set on the system.
A correct implementation of the authentication option would prompt users for authentication before access to the vault is unlocked. A post on
Hacker One explains that the authentication through Windows Hello was unneeded and that anyone with access to the system could comment out a line to unlock a user's vault without any form of authentication.
The author explains: "The biometric master key can in fact be retrieved with a simple call to the CredRead windows API function, and then used to decrypt the locally saved data present in %appdata%\Bitwarden\data.json. The Windows Hello authentication prompt therefore gives a false sense of security to the user, making it seem as if authentication is needed to decrypt vault data, when in reality it is not.".
The files can be read without elevation and they are accessible to any administrator account on the system as well. The issue affects Bitwarden users who have selected to use Windows Hello for unlocking vault access on Windows devices.
