Attack vectors - Vault LOCKED vs UNLOCKED

Of course, if a threat actor gains physical access while a vault is unlocked the number of ways they can then exploit the vault are endless.

Let’s remove physical access as a possibility.

In what way can an attacker exploit an unlocked vault?

In what ways can an attacker exploit a locked vault?

I think you may have to differentiate academic/targeted attacks from common malware attacks as well. Academic and common malware often have descriptions, sometimes possibly incomplete, whereas targeted attacks are left to what is technically possible, and to your imaginations (exploits, chain of exploits, zero-day exploits, etc.)

The common malware attacks on PCs that are related to Bitwarden are: encrypted vault exfiltration, keylogging, and clipboard sniffing. Encrypted vault exfiltration without keylogging exposes vaults with weak master passwords and with PIN-locked, password not required on restart, configuration. Encrypted vault exfiltration with keylogging possibly exposes everything. Clipboard sniffing without keylogging is probably confined to crypto-asset thefts, but possibly exposes credentials, one at a time, for people using copy-and-paste.

I am not as familiar with extension malware, but I can imagine them stealing one credential at a time, or the entire online vault with no 2FA/weaker 2FA.

Android malware without additional exploits seems rather limited. It appears to me you can capture one screen at a time, with the password being shown.

I will make the following assumptions:

• We are only discussing attacks that are carried out with today’s technology (i.e., “harvest now/decrypt later” using quantum computers of the future is not included in the threat model).
• Your master password was randomly generated, and has at least 50 bits of entropy (if the first assumption is not valid, then this minimum entropy threshold will need to be adjusted accordingly).
• Your master password is unique (not used for purposes other than unlocking or logging into your Bitwarden apps), and confidential (never disclosed to others — including the ability to resist or avoid social engineering and “five dollar wrench” attacks).
• You have not disabled the security option “Lock with master password on restart” when locking the vault with a PIN or biometrics.
• You have not set the Vault Timeout to “Never”

They cannot. Under the assumptions given above, the unlocked vault is uncrackable; thus, even if the encrypted vault cache is stolen from your local device, it will be of practically no value to the attacker (at worst, they will get your email address and be able to send you spam emails).

The biggest vulnerability will be a (hypothetical) info-stealer malware that exfiltrates the contents of Bitwarden’s process memory, thereby gaining access to the decrypted contents of your entire vault. It is also possible for credentials to be stolen one-by-one as they are used, either by scraping clipboard contents, taking screenshots, or through XSS attacks using hidden form fields on the webistes you visit.

In addition to the two states that you have asked about (locked vs. unlocked), you are also vulnerable during the unlock process. When logging into or unlocking a locked vault, you would be at risk of phishing or AiTM attacks, as well as key-loggers or malware that steals session tokens.