💾Exporting data from a local Bitwarden vault without knowing the master password

Forgotten your Bitwarden master password but still have access to your vault via PIN or Biometrics? By manipulating the JavaScript of the Desktop app, you can easily bypass the credential prompt.

Foreword

After changing my account master password and re-authenticating the desktop app, I tried to access an individually protected item in my vault before becoming overtaken by brain fog. I panicked, thinking all the protected credentials in my vault would be lost and I would have to export the remaining non-protected credentials one by one, knowing the export function was protected by a credential prompt.

After digging around in the JavaScript, I found the following workaround, allowing for a full vault export without knowing the master password. You can then delete the account, create a new one, and import this exported file, keeping all items in the vault.

Don't panic! Your data is secure as long as an attacker doesn't have physical access to your machine. Once an attacker has physical access to a machine, virtually no software protection can prevent access to the data.

Bitwarden recommends "never leaving your vault unlocked".

Method

This bypass requires you to have enabled an alternate 'unlocking method', either with a PIN or with Windows Hello (Biometrics/Fingerprint).

✅ Unlock with biometrics enabled
✅ Unlock with PIN enabled

  1. Unlock the vault using either PIN or Biometrics

  2. In the toolbar, select View, Toggle Developer Tools

  3. In the toolbar, select File, Export Vault

  4. In the Developer Tools window, go to the Elements tab and expand the head section

  5. Right click app/main.js, Reveal in Sources panel

  6. Press the beautify button highlighted below

  7. Press CTRL + F, searching for compareAndUpdateKeyHash

    In this version, 2022.12.0, it is line 31731
  8. Identify the constructor for the retrieval of the stored master hash; it will reference LocalAuthorization

  9. Add a breakpoint to the if statement (click the line number)

    n & i variables are explained for reference
  10. Return to Bitwarden and enter any text into the password field

    The password is usually covered; I have uncovered it for reference
  11. Press the Download button, the breakpoint will be hit and the program halted

    Note the n and i variables on the right. These are the hashed values of our fake password and stored master password.
  12. Press the Console tab at the top of Developer tools, and enter n = i, then press enter (return)

    This overwrites the hash of our fake password with the correct stored password hash. This method of attack is known as Pass The Hash.
  13. Go back to the Bitwarden Export view and resume execution

    Press the Resume button (Mix of play and pause, blue button)
  14. You will then be asked where to save the export file

  15. All done. If you have forgotten your master password, delete your account, then create it afresh and import this export.
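
The check bypassed in steps 8 to 12 compares two values that both sit in the client, which is why it behaves as a policy gate rather than a cryptographic control. The sketch below is an added example, not code from Bitwarden or from this post: a constructed Node.js model (every function name, the salt, the iteration count and the passwords are assumptions) contrasting that kind of equality gate with a secret wrapped under a key derived from the password, where a wrong password fails AES-GCM authentication instead of a comparison.

```javascript
// Constructed model for illustration; not Bitwarden's code. All names are hypothetical.
const crypto = require('node:crypto');

const SALT = Buffer.from('user@example.test'); // constructed sample salt
const kdf = (pw) => crypto.pbkdf2Sync(pw, SALT, 100000, 32, 'sha256');
// Hash the device keeps so it can re-prompt without contacting a server.
const localHash = (pw) => crypto.createHash('sha256').update(kdf(pw)).digest('base64');

// Pattern A: re-prompt as an equality check against a locally stored hash.
// Both operands live in the client process, so this is only a policy gate.
function gateByComparison(candidateHash, storedHash) {
  return candidateHash === storedHash;
}

// Pattern B: the protected secret is wrapped under a password-derived key.
// There is no boolean to satisfy: a wrong key fails AES-GCM authentication.
function wrap(secret, pw) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', kdf(pw), iv);
  const ct = Buffer.concat([c.update(secret, 'utf8'), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

function unwrap(blob, pw) {
  const d = crypto.createDecipheriv('aes-256-gcm', kdf(pw), blob.iv);
  d.setAuthTag(blob.tag);
  try {
    return Buffer.concat([d.update(blob.ct), d.final()]).toString('utf8');
  } catch {
    return null; // authentication tag mismatch: wrong password
  }
}

function demo() {
  const master = 'correct horse battery staple'; // constructed sample password
  const stored = localHash(master);              // value held on the device
  const blob = wrap('item-secret', master);
  return {
    wrongRejectedByGate: !gateByComparison(localHash('guess'), stored),
    // The gate passes for anyone who can supply the stored value itself.
    gateAcceptsStoredValue: gateByComparison(stored, stored),
    wrongRejectedByUnwrap: unwrap(blob, 'guess') === null,
    rightAcceptedByUnwrap: unwrap(blob, master) === 'item-secret',
  };
}
```

The second pattern only protects data whose key is not already held by the unlocked process, which is an assumption of this model.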

Next Steps / Further Research
