Potential security issue with the Bitwarden Android app

I’ve discovered what I believe to be a potential security issue with the Bitwarden Android app. The issue is that you can unlock the vault by simply clearing the app from recents right after locking it.

Steps to reproduce:

  1. Launch Bitwarden and unlock the vault.
  2. Tap the three-dot menu button in the top right, then tap ‘Lock’.
  3. Wait a second or so, then clear Bitwarden from your recents.
  4. Open Bitwarden again; it will automatically unlock as if it had never been locked.

Screen recording:

Note that this issue only occurs when ‘Session timeout’ is set to ‘Never’, but when manually locking the vault it should stay locked, right?


Same behaviour on my Android phone with the timeout set to never.
Works OK when the timeout is set to 5 minutes, which I normally do.

IMHO yes.

You might also be interested in searching for/filing a bug at: Issues · bitwarden/clients · GitHub

Hi @tangerine, thanks for reporting this issue!

We have been unable to reproduce this error consistently. Can you please share more details about your device and Android version so we can investigate further? You can also open a Support Ticket (on the right side of the page) so we can communicate directly if you prefer.