This Week in Security: Bitwarden, Reverse RDP, and Snake

This week, we finally get the inside scoop on some old stories, starting with the Bitwarden Windows Hello problem from last year. You may remember that Bitwarden has an option to use Windows Hello as a vault unlock method. Unfortunately, the Windows credential API doesn't encrypt credentials in a way that requires an additional Windows Hello verification to unlock them. So a derived key gets stored in the credential manager, and it can be retrieved through a simple API call. No additional biometrics are needed, even with the Bitwarden vault locked and the application closed.
This is a companion discussion topic for the original entry at https://hackaday.com/2024/01/05/this-week-in-security-bitwarden-reverse-rdp-and-snake/