I’m not sure if this is a known issue, but I was very surprised to discover this vulnerability. On my Android phone, Google Assistant somehow got activated, and on my phone, Google Assistant is launched by pressing the fingerprint reader. After much googling I finally figured out how to disable Google Assistant and how to disconnect the fingerprint reader from Google Assistant, but that’s when I discovered that my phone had forgotten my fingerprint. So, I added a new fingerprint. And then Bitwarden simply gave me access to all my passwords again, without asking for any other verification.
I haven’t tested this (don’t want to break anything), but it would seem that if one gets one’s hands on a phone that is unlocked (e.g. the real user had previously entered his finger pattern) with Bitwarden installed, one can get access to the passwords by simply setting up an additional fingerprint, and then logging in to Bitwarden using that new fingerprint.
Is this a known vulnerability? Does Bitwarden simply assume that anyone who is using an unlocked phone is the intended user of that phone and therefore should have access to all passwords?