Bitwarden releases a fix for a serious vulnerability in its Windows version
Take action: If you are using Bitwarden on Windows, update the application. Or just don't use biometric authentication through Windows Hello. After the LastPass data breach, it's smart to keep your password manager patched.
The recently released update of Bitwarden for Windows, version 2023.4.0, addresses a significant vulnerability on the Windows platform. Bitwarden supports biometric authentication, specifically Windows Hello, which allows users to unlock their password vaults with biometric data. Prior to the update, however, a flaw allowed unauthorized access to the vault under certain conditions.
The vulnerability enabled anyone with local access to a Windows device with Bitwarden and Windows Hello enabled to view all contents of a user's vault without any form of authentication. Moreover, attackers could manipulate data using API calls and have it reflected on Bitwarden's server.
To enable vault unlocking through Windows Hello, Bitwarden users could select the option by navigating to File > Settings > Unlock with Windows Hello in the desktop application. When this option was chosen, a biometric master key was generated and stored in the user's credential set on the system.
Ideally, the implementation of this option should have required the user to authenticate before the vault was unlocked. However, any user with access to the system could edit a single line of code to bypass the biometric authentication, giving the user a false sense of security. The authentication prompt still appeared, but it merely misled users into believing that authentication was required to decrypt the vault data, when in reality it was not.
This issue specifically affected Bitwarden users who had opted to use Windows Hello for unlocking vault access on Windows devices.
To resolve the issue, Bitwarden released an updated version for Windows that rectifies the vulnerability and implements Windows Hello authentication correctly. Both new and existing users can download the latest version from the official Bitwarden website. Alternatively, users can check for updates within the Bitwarden application by selecting Help > Check for updates and installing the available update.
Bitwarden users on Windows should ensure that they have version 2023.4.0 or a newer version installed on their devices. The currently installed version can be checked by selecting Help > About Bitwarden within the application.
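For administrators who need to confirm that version 2023.4.0 or newer is installed across several machines rather than opening Help > About Bitwarden on each one, the following PowerShell script is an added example (not from the original advisory or from Bitwarden). It reads the standard Windows uninstall registry keys and flags any Bitwarden desktop install older than the fixed release. It assumes the installer registers a DisplayName beginning with "Bitwarden" and a numeric DisplayVersion; both are assumptions, so adjust the filter if your environment differs.

```powershell
# Added example, not Bitwarden's own code: audit installed Bitwarden desktop
# versions against the fixed release named in the advisory (2023.4.0).
# Assumption: the installer registers a DisplayName starting with "Bitwarden".

$FixedVersion = [version]'2023.4.0'

# Per-machine (64-bit and 32-bit) and per-user uninstall keys; Bitwarden's
# desktop installer commonly installs per user, so HKCU is included.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$Installs = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Bitwarden*' } |
    Select-Object DisplayName, DisplayVersion, InstallLocation

if (-not $Installs) {
    Write-Output 'Bitwarden desktop not found in the uninstall registry keys.'
    return
}

foreach ($app in $Installs) {
    $installed = $null
    # DisplayVersion is a string; refuse to guess if it is not a plain version number.
    if (-not [version]::TryParse($app.DisplayVersion, [ref]$installed)) {
        Write-Output "$($app.DisplayName): unparseable version '$($app.DisplayVersion)'; check Help > About Bitwarden manually"
        continue
    }
    if ($installed -lt $FixedVersion) {
        Write-Output "$($app.DisplayName) $installed is OLDER than $FixedVersion; update via Help > Check for updates"
    } else {
        Write-Output "$($app.DisplayName) $installed is at or above $FixedVersion; OK"
    }
}
```

Run it in the context of the user whose profile holds the per-user install (or via a management tool that can read HKCU), since an elevated session under a different account will not see that user's HKCU uninstall entries. Microsoft Store installs do not appear under these keys and must be checked through the Store or Help > About Bitwarden.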
The latest version of the Bitwarden application includes a new security feature that prompts users to enter a password or PIN when launching the application with Windows Hello. This option can be found in the Settings menu.