# Exporting data from a local Bitwarden vault without knowing the master password

## Foreword

After changing my account master password and re-authenticating the desktop app, I tried to access an individually protected item in my vault before becoming overtaken by brain fog. I panicked, thinking all the protected credentials in my vault would be lost and I would have to export the remaining non-protected credentials one by one, knowing the export function was protected by a credential prompt.

After digging around in the JavaScript, I found the following workaround, allowing for a full vault export without knowing the master password. You can then delete the account, create a new one, and import this exported file, keeping all items in the vault.

***Don't panic! Your data is secure as long as an attacker doesn't have physical access to your machine. Once an attacker has physical access to a machine, virtually no software protection can mitigate access of data.***

{% hint style="warning" %}
Bitwarden are aware these protections can be bypassed. They add a warning under [this section](https://bitwarden.com/help/managing-items/#protect-individual-items).
{% endhint %}

<figure><img src="/files/Wm8WyScCqjYk55A10YeW" alt=""><figcaption><p>Bitwarden recommends "never leaving your vault unlocked".</p></figcaption></figure>

## Method

{% hint style="info" %}
This bypass requires you to have enabled an alternate 'unlocking method', either with a [PIN](https://bitwarden.com/help/unlock-with-pin/) or with [Windows Hello (Biometrics/Fingerprint)](https://bitwarden.com/help/biometrics/).
{% endhint %}

<div><figure><img src="/files/BdBly0z18kx0Gtd8BS6C" alt=""><figcaption><p>✅ Unlock with biometrics enabled</p></figcaption></figure> <figure><img src="/files/feeMpyi0SgUnsK9ir9O6" alt=""><figcaption><p>✅ Unlock with PIN enabled</p></figcaption></figure></div>

1. Unlock the vault using either PIN or Biometrics
2. In the toolbar, select **View**, **Toggle Developer Tools**
3. In the toolbar, select **File**, **Export Vault**
4. In the **Developer Tools** window, go to the Elements tab and expand the head section
5. Right click **app/main.js**, **Reveal in Sources panel**

   <figure><img src="/files/1eqAZopDSswUeu4h9UBF" alt=""><figcaption><p>Right click <strong>app/main.js</strong>, <strong>Reveal in Sources panel</strong></p></figcaption></figure>
6. **Press the beautify button highlighted below**

   <figure><img src="/files/dCP6aj8PUvsb0kT6TGQv" alt=""><figcaption></figcaption></figure>
7. Press **CTRL + F** and search for ***compareAndUpdateKeyHash***

   <figure><img src="/files/kuWlFw1hlv3ePYp2mRsW" alt=""><figcaption><p>In this version, 2022.12.0, it is line 31731</p></figcaption></figure>
8. Identify the constructor for the retrieval of the stored master hash; it will reference ***LocalAuthorization***
9. Add a breakpoint to the if statement (click the line number)

   <figure><img src="/files/ejzR8840s6BSRVaroK2W" alt=""><figcaption><p> <strong>n</strong> &#x26; <strong>i</strong> variables are explained for reference</p></figcaption></figure>
10. Return to Bitwarden and enter any text into the password field

    <figure><img src="/files/egPT5pKPf9Jdh11jMFRz" alt=""><figcaption><p>The password is usually covered; I have uncovered it for reference</p></figcaption></figure>
11. Press the Download button; the breakpoint will be hit and the program halted

    <figure><img src="/files/clkZ10IskLTE65oL2fOn" alt=""><figcaption><p>Note the <strong>n</strong> and <strong>i</strong> variables on the right; these are the hashed values of our fake password and stored master password.</p></figcaption></figure>
12. Press the **Console** tab at the top of Developer Tools, enter ***n = i***, then press Enter (Return)

    <figure><img src="/files/db1KCE7UIMGzWsmaLuTt" alt=""><figcaption><p>This overwrites the hash of our fake password with the correct stored password hash.<br>This method of attack is known as <a href="https://en.wikipedia.org/wiki/Pass_the_hash">Pass The Hash</a>.</p></figcaption></figure>
13. Go back to the Bitwarden Export view and resume execution

    <figure><img src="/files/CWZgEbQnoLlGED3RKzES" alt=""><figcaption><p>Press the Resume button (Mix of play and pause, blue button)</p></figcaption></figure>
14. You will then be asked where to save the export file

    <figure><img src="/files/faMERCCLYACNtPChzcly" alt=""><figcaption></figcaption></figure>
15. All done. If you have forgotten your master password, [delete your account](https://vault.bitwarden.com/#/recover-delete), then create it afresh and [import this export](https://bitwarden.com/help/import-data/).
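
Why the export re-prompt in steps 8 to 12 behaves differently from a check that cannot be skipped, shown as an added example: this is a constructed Node.js model, not Bitwarden's code. The function names, salt, passwords and hash construction are all assumptions made for illustration.

```javascript
// Constructed model for illustration; not Bitwarden's source code.
const crypto = require('node:crypto');

const SALT = Buffer.from('constructed-salt'); // constructed sample value
const kdf = (pw) => crypto.pbkdf2Sync(pw, SALT, 100000, 32, 'sha256');
// Hypothetical local verifier: a hash of the derived key, kept on the device.
const hashOf = (pw) => crypto.createHash('sha256').update(kdf(pw)).digest('base64');

// Design A: the vault is already decrypted in memory and the re-prompt is
// only a comparison of two values that both live in the same process.
function exportWithComparisonGate(unlockedItems, enteredHash, storedHash) {
  if (enteredHash !== storedHash) throw new Error('Invalid master password');
  return JSON.stringify(unlockedItems);
}

// Design B: the data is sealed under a key that only the password derives.
function sealVault(items, password) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', kdf(password), iv);
  const ct = Buffer.concat([c.update(JSON.stringify(items), 'utf8'), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

function exportWithKeyBinding(sealed, enteredPassword) {
  const d = crypto.createDecipheriv('aes-256-gcm', kdf(enteredPassword), sealed.iv);
  d.setAuthTag(sealed.tag);
  // final() throws when the derived key is wrong: there is no branch to alter.
  return Buffer.concat([d.update(sealed.ct), d.final()]).toString('utf8');
}

function demo() {
  const items = [{ name: 'example.test', password: 'constructed-secret' }];
  const master = 'correct horse', guess = 'anything'; // constructed passwords
  const stored = hashOf(master);
  const sealed = sealVault(items, master);
  const attempt = (fn) => { try { fn(); return 'released'; } catch { return 'refused'; } };
  return {
    gateWrongPassword: attempt(() => exportWithComparisonGate(items, hashOf(guess), stored)),
    // Models step 12: the compared value is replaced by the stored one.
    gateStoredHashSubstituted: attempt(() => exportWithComparisonGate(items, stored, stored)),
    keyBoundWrongPassword: attempt(() => exportWithKeyBinding(sealed, guess)),
    keyBoundStoredHashAsPassword: attempt(() => exportWithKeyBinding(sealed, stored)),
    keyBoundRightPassword: attempt(() => exportWithKeyBinding(sealed, master)),
  };
}

console.log(demo());
```

Design B mirrors the finding in the research notes that the vault unlock itself cannot be bypassed with the stored hash. Once a vault is unlocked its plaintext is in process memory under either design, which is why the warning about never leaving the vault unlocked still applies.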

## Next Steps / Further Research

* [ ] Investigate if exporting browser profiles exports the configuration/database of Bitwarden, essentially allowing for password stealing on other machines.
* [x] ~~Investigate if the vault unlock can be bypassed with the stored hash~~ **Edit: It can't.**
* [ ] Investigate browser extension to see if also exploitable
* [ ] Investigate DPAPI and Credential Manager to retrieve encryption keys
* [ ] Investigate and reverse engineer local cached database, using above keys


