
Bitwarden desktop app allows laptop password to unlock vault #10444

Open
Jack15911 opened this issue Aug 8, 2024 · 1 comment
Labels
browser Browser Extension bug

Comments

@Jack15911

Steps To Reproduce

  1. Go to the macOS BW Desktop app and login/unlock.
  2. Ensure the Firefox browser extension has "Unlock with Biometrics" checked in Account Security, and the Desktop app Security settings have "Unlock with Touch ID" and "Ask for Touch ID on app start" enabled.
  3. Lock both instances: macOS by using the app menu bar, "Bitwarden/Lock Vault," and the Firefox Bitwarden extension by selecting the vault initials in the upper right of the popup screen and selecting "Lock now."
  4. Attempt to unlock the Bitwarden extension by choosing "Unlock with Biometrics" using fingerprint biometrics; a popup box will reject this approach because the Desktop app is locked.
  5. Attempt to unlock the Desktop app by choosing "Unlock with Touch ID" on the lock screen; this attempt does present you a Touch ID screen.
  6. Present an erroneous fingerprint three times; it will fail to open three times, but on the third, it will give you an option of using your laptop password. This will unlock your Desktop app vault, even if your laptop password is "abc123" or "ilovemycat."

Expected Result

Failed Touch ID attempts should require the Bitwarden Master Password, not a weak laptop password.

Actual Result

The Firefox extension fingerprint/Touch ID failure process is good - it requires the Bitwarden Master Password. There is a different, weaker failure process for the Desktop app's Touch ID fingerprint failure - the Desktop app will unlock with the laptop password.

Screenshots or Videos

No response

Additional Context

There are reasons for sharing a laptop password, including relatives and repair people, though they shouldn't have access to your Bitwarden vault. This failure mode also occurs with Wi-Fi off, so logging off every device would have no effect.

Operating System

macOS

Operating System Version

Sonoma 14.5

Web Browser

Firefox

Browser Version

129.0

Build Version

2024.7.1

Issue Tracking Info

  • I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.
@quexten
Contributor

quexten commented Aug 8, 2024

Hi @Jack15911 , thank you for your report.

This behaviour is a platform limitation of Electron's Touch ID implementation. Electron is the desktop application framework Bitwarden Desktop is based on.

However, one upcoming change to biometrics will be the transition to a newer version of Apple's keychain API, using a native (Rust/Objective-C) implementation. During this upgrade, the biometric unlock will be locked down to biometricCurrent, i.e. the currently registered set of fingerprints (and probably companion devices, i.e. Apple Watch). This will prevent the laptop password from being used for unlocking.

I will update this issue once those changes have made it into the client.
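The following is an added example illustrating the distinction drawn in the report and in the reply above; it is not code from Bitwarden, Electron, or this issue. It stores a vault key in the macOS keychain twice: once under the userPresence policy, which is satisfied by Touch ID or by the account password (the fallback the reporter observed after three failed fingerprints, and, as an assumption here, the policy a generic Touch ID prompt evaluates), and once under biometryCurrentSet, which only the currently enrolled fingerprints can satisfy. The service and account names and the "constructed-demo-vault-key" bytes are made up for the demo. On macOS, access-control-protected items live in the data protection keychain, so the binary must be code-signed with an application identifier for SecItemAdd to succeed.

```objective-c
// Added example, not project code. Build on macOS with:
//   clang -fobjc-arc -framework Foundation -framework Security \
//         -framework LocalAuthentication keychain_biometry.m -o keychain_biometry
// The binary must be signed (codesign) before the data protection keychain accepts the item.
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <LocalAuthentication/LocalAuthentication.h>

static NSString *const kService = @"com.example.vault-demo"; // assumed name
static NSString *const kAccount = @"vault-key";              // assumed name

// Store `secret` behind an access-control policy. `flags` decides which
// credentials the system prompt will accept when the item is read later.
static OSStatus StoreSecret(NSData *secret, SecAccessControlCreateFlags flags) {
    CFErrorRef error = NULL;
    SecAccessControlRef acl = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, // not synced; deleted if the passcode is removed
        flags, &error);
    if (acl == NULL) {
        NSLog(@"access control creation failed: %@", error);
        if (error) CFRelease(error);
        return errSecParam;
    }
    NSDictionary *query = @{
        (__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: kService,
        (__bridge id)kSecAttrAccount: kAccount,
        (__bridge id)kSecUseDataProtectionKeychain: @YES,
    };
    SecItemDelete((__bridge CFDictionaryRef)query); // drop any previous copy so the new flags apply

    NSMutableDictionary *attrs = [query mutableCopy];
    attrs[(__bridge id)kSecValueData] = secret;
    attrs[(__bridge id)kSecAttrAccessControl] = (__bridge id)acl;
    OSStatus status = SecItemAdd((__bridge CFDictionaryRef)attrs, NULL);
    CFRelease(acl);
    return status;
}

// Read the secret back. The keychain shows the system prompt; which
// credentials satisfy it is fixed by the flags chosen at store time.
static NSData *ReadSecret(NSString *reason) {
    LAContext *ctx = [[LAContext alloc] init];
    ctx.localizedReason = reason;
    NSDictionary *query = @{
        (__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: kService,
        (__bridge id)kSecAttrAccount: kAccount,
        (__bridge id)kSecUseDataProtectionKeychain: @YES,
        (__bridge id)kSecReturnData: @YES,
        (__bridge id)kSecMatchLimit: (__bridge id)kSecMatchLimitOne,
        (__bridge id)kSecUseAuthenticationContext: ctx,
    };
    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (status != errSecSuccess) {
        // errSecAuthFailed / errSecUserCanceled on a rejected or dismissed prompt;
        // errSecItemNotFound if the enrolled biometric set changed (biometryCurrentSet).
        NSLog(@"read failed: %d", (int)status);
        return nil;
    }
    return CFBridgingRelease(result);
}

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        NSData *key = [@"constructed-demo-vault-key" dataUsingEncoding:NSUTF8StringEncoding];

        // Pass "weak" to reproduce the reported behaviour: userPresence accepts
        // biometrics OR the account password, so repeated bad fingerprints
        // drop to the password dialog and any login password unlocks the item.
        SecAccessControlCreateFlags flags = kSecAccessControlBiometryCurrentSet;
        if (argc > 1 && strcmp(argv[1], "weak") == 0) {
            flags = kSecAccessControlUserPresence;
        }
        // Default: only the currently enrolled fingerprints can unlock; there is
        // no password fallback, and re-enrolling a finger invalidates the item.
        OSStatus status = StoreSecret(key, flags);
        if (status != errSecSuccess) {
            NSLog(@"store failed: %d", (int)status);
            return 1;
        }
        NSData *back = ReadSecret(@"unlock the demo vault");
        NSLog(@"read %lu bytes", (unsigned long)back.length);
        return back ? 0 : 1;
    }
}
```

Run it without arguments and the Touch ID sheet has no password fallback at all; run it with `weak` and failing Touch ID three times offers the account password, which is exactly the behaviour the report describes. The choice of flag is made once, at store time, and cannot be relaxed by the reading code, which is what makes biometryCurrentSet the right policy for a key that must never be reachable with a shared laptop password.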
