### Steps To Reproduce
1. Ensure that the vault contains secret items (e.g., …logins, secure notes, etc.), and that "Close to Tray icon" is enabled; to minimize known risks, also ensure that vault timeout is not set to "Never", and that PIN locking is disabled.
2. Log out from vault on Bitwarden client app, then fully exit the app using **File > Quit Bitwarden**.
3. Launch a memory inspector/editor utility. I used [HxD](https://mh-nexus.de/en/hxd/).
4. Launch Bitwarden client app. My results shown below are for the Desktop app, but I have confirmed that the same vulnerability exists in the Chrome browser extension, as well as in the web vault.
5. In the memory inspector utility, open the process memory for the Bitwarden client app. (In HxD, go to **Tools > Open main memory**). The Bitwarden desktop app has four processes, but only one of those will contain the decrypted vault and master password; you may need to repeat the memory searches described below in all four memory regions to find the correct process, but in my experience it is typically the process at the top of the list that contains the information we are looking for.
6. In the Bitwarden client app, perform the various actions described in the results section below (e.g., type master password on login screen, log in, lock, log out); after each action, click the "X" in the top right corner of the Bitwarden app to "close" the app to the systray, then bring another app into focus (e.g., the memory inspector app), and **wait 10 seconds** or longer (up to 4 hours in my tests) before proceeding with the memory search described in Steps 7-8 below.
7. In the memory inspector utility, refresh the view of the process memory. (In HxD, go to **View > Refresh**).
8. In the memory inspector utility, search the process memory for strings of interest, such as the master password, or contents of known vault items. (In HxD, go to **Search > Find > Text-string**, enter the search string, set the search direction to "All", and click **Search All**). Inspect the search results.
9. Repeat Steps 6-8 for various states of the vault.
### Expected Result
Based on Bitwarden documentation cited below, I expect the master password to either _never_ be stored in process memory (_"We do not keep the Master Password stored locally or in memory on the Bitwarden Client"_ [2][3]), or at worst, be stored only temporarily until it is no longer needed (_"The Master Password is cleared from memory after usage"_ [1])-- i.e., after calculation of the _Master Key_ and _Master Password Hash_.
Furthermore, I expect all vault data (i.e., decrypted secrets) to be to be cleared from process memory either immediately upon locking the vault (_"memory is cleaned up whenever the application is locked"_ [2],[3]), or at worst, within 10 seconds after locking the vault (_"We also reload the application's renderer process after 10 seconds of inactivity on the lock screen to make sure any managed memory addresses which have not yet been garbage collected are purged"_ [3]).
Obviously, the same expectations would also hold when one has **logged** out of an account, which is supposed to be even more safe than locking the vault (_"Logging out of your vault completely removes all vault data from your device"_ [4]).
**Sources:**
[1] From the [Bitwarden Security Whitepaper](https://bitwarden.com/help/bitwarden-security-white-paper/#user-data-protection):
>The Master Password is cleared from memory after usage
[2] From the [Bitwarden Security Whitepaper](https://bitwarden.com/help/bitwarden-security-white-paper/#overview-of-the-master-password-hashing,-key-derivation,-and-encryption-process):
>We do not keep the Master Password stored locally or in memory on the Bitwarden Client. Your encryption key (Symmetric Key) is kept in memory while the app is unlocked. This is needed to decrypt data in your Vault. When the Vault is locked, this data is purged from memory. After a certain time frame of inactivity on lock screen, we reload the application processes to make sure that any leftover managed memory addresses are also purged. We do our best to ensure that any data that may be in memory for the application to function is only held in memory for as long as you need it and that memory is cleaned up whenever the application is locked. We consider the application to be completely safe while in a locked state.
[3] From Bitwarden's [Security FAQ](https://bitwarden.com/help/security-faqs/#q-is-my-bitwarden-master-password-stored-locally):
>**Q: Is my Bitwarden master password stored locally?**
>**A: No.**
>We do not keep the master password stored locally or in memory. Your encryption key (derived from the master password) is kept in memory only while the app is unlocked, which is required to decrypt data in your vault. When the vault is locked, this data is purged from memory.
>
>We also reload the application's renderer process after 10 seconds of inactivity on the lock screen to make sure any managed memory addresses which have not yet been garbage collected are purged. We do our best to ensure that any data that may be in memory for the application to function is only held in memory for as long as you need it and that memory is cleaned up whenever the application is locked. We consider the application's encrypted data to be completely safe while the application is in a locked state.
[4] From [Bitwarden Online Help](https://bitwarden.com/help/vault-timeout/#vault-timeout-action):
>**Log Out**
>Logging out of your vault completely removes all vault data from your device.
### Actual Result
- Multiple instances of the clear-text master password are preserved in the process memory after locking the vault and even after logging out. In the two accounts that I have tested, one can find the master password even if it is _not_ known in advance, by searching for all instances of the string `{"nbf":`, and examing the 120 bytes (give or take) than precede each occurrence of the `{"nbf":` string.
- Decrypted vault secrets are preserved in clear-text in process memory after locking the vault and even after logging out.
- The only way for the user to ensure that sensitive information is cleared from local memory is to manually terminate the Bitwarden process. Arguably, quitting the app while the vault is _unlocked_ is safer than leaving the app running in the background while the vault is _logged out_.
### Screenshots or Videos
The vault that was used in the tests below had a master password `CorrectHorseBatteryStaple!@#`; for privacy reasons, screenshots that reveal the account email have been retouched to obfuscate the email address (so that it is displayed here as `[email protected]`). The vault stored a login item named _My Bank_ that contained the username `mybankaccount` and password `Password82Brut3F0rc3`, as well as a secure note titled _Important Info_ with the text `Secret PIN is 42`.
The screenshot in **Fig. 1** below shows 4 instances of the master password kept in memory after the password has been entered on the app login screen, but before completing the login process (by hitting the "Enter" key or clicking the "Log In" button). It seems that it would be unavoidable to keep one copy of the text entered into the keyboard buffer, at least until the login process has been completed, so this observation is mentioned primarily for completeness.
![bw02_pre_masterpw](https://user-images.githubusercontent.com/109386143/180622769-3cedeafb-4640-4f41-9031-a45c09720f83.jpg)
**Fig. 1. Stored master password prior to login.**
**Fig. 2** shows 11 instances of the full master password found after the login process had completed, including the original 4 instances (from **Fig. 1**), augmented by 7 additional copies of the master password. Thus, not only does the master password persist in memory past the point when its plain-text value is needed (because the _Master Key_ and _Master Password Hash_ have been already computed during login), but the number of instances of the plain-text master password has almost tripled. At least one of the copies of the master password is stored in close vicinity to a memory location holding the account email address.
![bw03_login_masterpw](https://user-images.githubusercontent.com/109386143/180622937-ef2c63eb-af21-4caa-9d93-20befbf0fb1d.jpg)
**Fig. 2. Stored master password (and account email) after login.**
The more concerning findings begin after locking the vault. As shown in **Fig. 3**, as many as 5 copies of the plain-text master password are still discoverable in process memory after the vault has been locked (even if inactive for more than 10 seconds). Again, the account email is found juxtaposed to at least one instance of the stored master password. Furthermore, the decrypted vault secrets (including item names, login usernames, login passwords, and secure notes) are also still present in memory in clear-text, even though the vault has been locked (see **Figs. 4-6**).
![bw04_lock_masterpw](https://user-images.githubusercontent.com/109386143/180622947-8a76d58c-9e03-44b5-9865-14795a868d1d.jpg)
**Fig. 3. Stored master password (and account email), visible in memory after the vault has been locked and inactive for 10 seconds or more.**
![bw06_lock_itemusername](https://user-images.githubusercontent.com/109386143/180622956-b8e17bf8-950a-435f-97a7-0bce4ceead63.jpg)
**Fig. 4. Decrypted login username, visible in memory after the vault has been locked and inactive for 10 seconds or more.**
![bw05_lock_itempw](https://user-images.githubusercontent.com/109386143/180622967-7b1911a9-4c80-4f9d-a5db-88ae171eaab0.jpg)
**Fig. 5. Decrypted login password, visible in memory after the vault has been locked and inactive for 10 seconds or more.**
![bw07_lock_note](https://user-images.githubusercontent.com/109386143/180622982-09968352-6e5f-444c-80de-8893509b6104.jpg)
**Fig. 6. Decrypted secure note, visible in memory after the vault has been locked and inactive for 10 seconds or more.**
After logging out of the locked `[email protected]` account (and allowing for a further 10 seconds or more of inactivity), it appears that the Bitwarden client app does not make any further attempts to purge sensitive information from memory. As shown in **Figs. 7-10**, the memory locations that had contained sensitive information in the locked state of the vault (**Figs. 3-6**) still contain the same information after logging out of the vault.
![bw08_logout_masterpw](https://user-images.githubusercontent.com/109386143/180622988-c50a7108-156a-48da-b954-b7b55cba8bd1.jpg)
**Fig. 7. Stored master password (and account email), visible in memory after the vault has been logged out and inactive for 10 seconds or more.**
![bw10_logout_itemusername](https://user-images.githubusercontent.com/109386143/180622996-a5dd56cc-c3e4-4521-ae86-fcbce8c44ca1.jpg)
**Fig. 8. Decrypted login username, visible in memory after the vault has been logged out and inactive for 10 seconds or more.**
![bw09_logout_itempw](https://user-images.githubusercontent.com/109386143/180623000-fec02480-7b0f-4660-9bcb-c7716a78c978.jpg)
**Fig. 9. Decrypted login password, visible in memory after the vault has been logged out and inactive for 10 seconds or more.**
![bw11_logout_note](https://user-images.githubusercontent.com/109386143/180623009-c0307c6d-000b-48eb-8b8c-33dfb5091f4f.jpg)
**Fig. 10. Decrypted secure note, visible in memory after the vault has been logged out and inactive for 10 seconds or more.**
In some tests, the Bitwarden client app has been left inactive for up to 4 hours after logging out, and the memory has still not been purged. It appears that the only method to ensure the plain-text master password and decrypted vault are cleared from memory is to terminate the app's process.
### Additional Context
This is basically a demonstration that the vulnerabilities described in the 2019 ISE report [Password Managers: Under the Hood of Secrets Management](https://www.ise.io/casestudies/password-manager-hacking/) still exist in Bitwarden in 2022. Interestingly, a 2019 [Reddit post](https://www.reddit.com/r/Bitwarden/comments/au87od/bitwarden_memory_test/) claims that the memory _is_ in fact cleared by the Bitwarden desktop app, but this claim is contradicted by the findings I have reported above. Perhaps the code base has changed since 2019.
The issues I have reported for the desktop client app also exist for the Chrome browser extension and for the web vault.
If the ability to scrub memory is limited due to programming language or framework, then at least the official Bitwarden documentation should not be making misleading statements about the memory management capabilities.
I would suggest an interim work-around of providing an option to have the vault timeout action include automatic termination of the running Bitwarden process. In addition, I recommend that the option "Close to Tray icon" be accompanied by a security warning.
### Operating System
Windows
### Operating System Version
Windows 10 (20H2 Build 19042.1826)
### Installation method
Direct Download (from bitwarden.com)
### Build Version
2022.6.2