New Bitwarden update fixes a huge vulnerability on Windows... update now!
The open source Bitwarden password manager supports biometric authentication. On Windows it supports Windows Hello, so that users may unlock their passwords and other vault data biometrically. Up until recently, anyone could use the stored data to access the user's vault without authentication under certain circumstances.
The vulnerability allowed anyone with local access to a Windows machine with Bitwarden installed and Windows Hello unlocking enabled to view all vault contents. Attackers could also use API calls to alter data and have it updated on Bitwarden's server.
Bitwarden users may set up unlocking of their vault on Windows through Windows Hello by selecting File > Settings > Unlock with Windows Hello in the desktop application. The password manager creates a biometric master key when the option is selected and stores it inside the user's credential set on the system.
A correct implementation of the authentication option would prompt users for authentication before the vault is unlocked. A post on HackerOne explains that the Windows Hello authentication was not actually required: anyone with access to the system could comment out a line to unlock a user's vault without any form of authentication.
The author explains: "The biometric master key can in fact be retrieved with a simple call to the CredRead windows API function, and then used to decrypt the locally saved data present in %appdata%\Bitwarden\data.json. The Windows Hello authentication prompt therefore gives a false sense of security to the user, making it seem as if authentication is needed to decrypt vault data, when in reality it is not."
The files can be read without elevation, and they are accessible to any administrator account on the system as well. The issue affects Bitwarden users who have selected to use Windows Hello for unlocking vault access on Windows devices.
Now Read: how to use the password manager Bitwarden in Chrome, Edge and Firefox.
Fixing the issue
Bitwarden released an updated version for Windows that addresses the issue and implements Windows Hello authentication correctly. New and existing users may download the latest version from the official website. A click on Help > Check for updates in Bitwarden should return the update as well so that it is installed on the device.
Bitwarden users on Windows need to make sure that they have version 2023.4.0 or newer installed on their devices. The client displays the installed version when Help > About Bitwarden is selected.
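An added example for checking the version requirement above across a fleet of Windows machines (this is not Bitwarden's code or the article's). It assumes the desktop client registers an uninstall entry whose DisplayName contains "Bitwarden"; it reads the standard per-user and per-machine uninstall registry keys and compares the version numerically against 2023.4.0.

```powershell
# Added example (not Bitwarden's code): audit the installed Bitwarden desktop
# version against the first fixed release named in the article, 2023.4.0.
# Assumption: the desktop client registers an uninstall entry whose DisplayName
# contains "Bitwarden"; per-user and per-machine uninstall keys are both checked.
$MinimumFixedVersion = [version]'2023.4.0'

$UninstallKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$Installed = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Bitwarden*' -and $_.DisplayVersion }

if (-not $Installed) {
    Write-Output 'Bitwarden desktop client not found in the uninstall registry keys.'
    return
}

foreach ($App in $Installed) {
    # DisplayVersion is a string such as "2023.5.0"; cast it for a numeric comparison
    # rather than a string comparison, where "2023.10.0" would sort before "2023.4.0".
    $Found = $null
    if (-not [version]::TryParse($App.DisplayVersion, [ref]$Found)) {
        Write-Output "$($App.DisplayName): could not parse version '$($App.DisplayVersion)'"
        continue
    }
    if ($Found -ge $MinimumFixedVersion) {
        Write-Output "$($App.DisplayName) $Found is at or above $MinimumFixedVersion (fixed)."
    } else {
        Write-Output "$($App.DisplayName) $Found predates $MinimumFixedVersion: update via Help > Check for updates."
    }
}
```

The Help > About Bitwarden dialog remains the authoritative source if the registry entry is missing, for example on a portable install.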
The latest version of the Bitwarden applications includes a new security feature that asks for a password or PIN at the start of the application when Windows Hello is used. It is found in the Settings as a new option.
In March, security experts recommended against using a PIN to unlock the Bitwarden vault, or else using a very strong PIN, as anyone with local access could otherwise brute force the PIN.
Now You: which password manager do you use?
@Martin,
The article concludes by asking “Now You: which password manager do you use?”
but I think it would be better to ask about “Windows Hello” (whether it is used or not, reviewed, unlocked, etc.).
Seems like a simple “don’t use Windows Hello” would do, Martin.
Or better yet, “don’t use Windows”.
{Or better yet, “don’t use Windows”.}
Or better yet, use Windows with appropriate caution and ignore the naysayers who do not seem to understand that alternatives do not suit all of us and we get angry when people with no idea how we use our equipment think they know what we should do.
This article by Martin is very timely and informative.
I distrusted things like Siri and Cortana to begin with, and I did not trust “Windows Hello” either.
This is because I could not deny the possibility that “personal information may be unintentionally collected” through the use of these tools, but there was no inconvenience even if I did not rely on these tools.
Although this article seems to focus on the “Bitwarden password manager vulnerability”, it essentially highlights the problem with “Windows Hello”.
Under certain circumstances, anyone with local access to a Windows machine with “Windows Hello Unlock” enabled could authenticate using stored data. So, it was possible to access the user’s vault without.
Above all, “biometric authentication” is the ultimate personal information (impossible to change), so it is not possible for that data to be collected (held by a third party), or data held by a third party can be leaked (for example, if the vault is compromised); this is also a concern.
In the unlikely event that “biometric information” is leaked, misused (by intelligence agencies, etc.), or leaked to the black market, it will be irreversible.
In light of such risks, users should not use (enable) “biometric authentication” carelessly and should avoid “biometric authentication” as much as possible.
By the way, a wide variety of personal information such as login information and various IDs (passports, licenses, etc.) is all managed by a “password manager”. Reflecting on having been on the verge of death several times, I also considered it “so that the bereaved family would not be in trouble”.
The devices I use are an iPad and a Windows desktop PC.
The password manager uses “Bitwarden desktop application, iOS application version” and “KeePass Password Safe 2” according to the importance of personal information.
The kind of personal information that can be changed is managed in “Bitwarden password manager”.
Everything is managed in KeePass Password Safe 2, and securely locked with VeraCrypt.
The Bitwarden desktop app had been updated to the latest version:
Version 2023.5.0
Shell 24.1.1
Renderer 112.0.5615.50
Node 18.14.0
Architecture x64
Best part-article I’ve read in a long time, thanks. Shame I was interrupted by having to go and read that barely-related “Now Read” story though.
Are readers allowed to return and finish reading this story after they’ve read that one? There was nothing in that other story that told me to return to this story. Sorry, I wasn’t sure it was allowed so I didn’t.
Just doing what you’re telling us to…
/why-break-reader-focus_sarcasm