Resetting fingerprint on Android gives access to passwords

Hello

I’m not sure if this is a known issue, but I was very surprised to discover this vulnerability. On my Android phone, Google Assistant somehow got activated, and on my phone, Google Assistant is launched by pressing the fingerprint reader. After much googling I finally figured out how to disable Google Assistant and how to disconnect the fingerprint reader from Google Assistant, but that’s when I discovered that my phone had forgotten my fingerprint. So, I added a new fingerprint. And then Bitwarden simply gave me access to all my passwords again, without asking for any other verification.

I haven’t tested this (don’t want to break anything), but it would seem that if one gets one’s hands on a phone that is unlocked (e.g. the real user had previously entered his finger pattern) with Bitwarden installed, one can get access to the passwords by simply setting up an additional fingerprint, and then logging in to Bitwarden using that new fingerprint.

Is this a known vulnerability? Does Bitwarden simply assume that anyone who is using an unlocked phone is the intended user of that phone and therefore should have access to all passwords?

Samuel

Your case seems unusual to me. I don’t know what disconnecting the fingerprint from Google Assistant means or does. I think it could be just a trigger to launch Assistant.

Current Android security doesn’t allow adding or deleting a fingerprint/pattern without confirming the user’s identity again on accessing the unlock settings.

That said, no one can add an additional fingerprint if you left your phone unlocked.

Also, I don’t know what exactly you did that made it forget your fingerprint.
I would suggest looking into the procedure again and maybe trying it again, to see if at any step you voluntarily removed biometrics from the system.
Also, maybe you could provide some steps to reproduce the problem, with your OS and app version details, if you believe there is indeed an issue with it.

Currently I don’t feel there is any security issue related to this, and if there is one in your case, all your apps would be affected by it and not only Bitwarden.
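The reply above rests on Android gating fingerprint enrollment behind the device credential. There is also an app-level defence for exactly the scenario the question describes. The following is an added example, not Bitwarden’s code and not taken from this thread: an Android app can bind its biometric unlock key to the fingerprints enrolled at the moment the key is created, using the Android Keystore and the androidx BiometricPrompt API. Any fingerprint enrolled later permanently invalidates the key, so the new finger cannot unlock the app and the user is forced back to the master password. The key alias, function names and callbacks are illustrative assumptions.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyPermanentlyInvalidatedException
import android.security.keystore.KeyProperties
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricPrompt
import androidx.fragment.app.FragmentActivity
import java.security.KeyStore
import java.util.concurrent.Executor
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

// Hypothetical alias chosen for this example; a real app picks its own.
private const val KEY_ALIAS = "example_vault_unlock_key"
private const val ANDROID_KEYSTORE = "AndroidKeyStore"

/**
 * Creates an AES-GCM key in the Android Keystore that is usable only right
 * after a successful biometric authentication and that the Keystore
 * permanently invalidates when the set of enrolled fingerprints changes
 * (requires API 24+).
 */
fun generateBiometricBoundKey(): SecretKey {
    val keyGenerator = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, ANDROID_KEYSTORE)
    val spec = KeyGenParameterSpec.Builder(
        KEY_ALIAS,
        KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
    )
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setKeySize(256)
        .setUserAuthenticationRequired(true)
        // A fingerprint enrolled after this key exists cannot use it: the
        // Keystore invalidates the key on any new biometric enrollment.
        .setInvalidatedByBiometricEnrollment(true)
        .build()
    keyGenerator.init(spec)
    return keyGenerator.generateKey()
}

/**
 * Prepares the cipher that will unwrap the vault key. Returns null when the
 * Keystore reports the key as permanently invalidated, which is what happens
 * after a fingerprint was added or all fingerprints were removed. The caller
 * must then fall back to the master password and re-create the key.
 * storedIv is the GCM nonce saved alongside the wrapped vault key.
 */
fun cipherForVaultUnlock(storedIv: ByteArray): Cipher? {
    val keyStore = KeyStore.getInstance(ANDROID_KEYSTORE).apply { load(null) }
    val key = keyStore.getKey(KEY_ALIAS, null) as? SecretKey ?: return null
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    return try {
        cipher.init(Cipher.DECRYPT_MODE, key, GCMParameterSpec(128, storedIv))
        cipher
    } catch (e: KeyPermanentlyInvalidatedException) {
        // Enrollment changed since key creation: discard the key, do not unlock.
        keyStore.deleteEntry(KEY_ALIAS)
        null
    }
}

/**
 * Shows the system biometric prompt bound to the cipher. The cipher becomes
 * usable only inside onAuthenticationSucceeded and only for a Class 3
 * (strong) biometric; the negative button is the app's master-password path.
 */
fun promptBiometricUnlock(
    activity: FragmentActivity,
    executor: Executor,
    cipher: Cipher,
    onUnlocked: (Cipher) -> Unit,
    onFallbackToPassword: () -> Unit
) {
    val callback = object : BiometricPrompt.AuthenticationCallback() {
        override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
            val authenticatedCipher = result.cryptoObject?.cipher
            if (authenticatedCipher != null) onUnlocked(authenticatedCipher) else onFallbackToPassword()
        }

        override fun onAuthenticationError(errorCode: Int, errString: CharSequence) {
            onFallbackToPassword()
        }
    }
    val promptInfo = BiometricPrompt.PromptInfo.Builder()
        .setTitle("Unlock vault")
        .setNegativeButtonText("Use master password")
        .setAllowedAuthenticators(BiometricManager.Authenticators.BIOMETRIC_STRONG)
        .build()
    BiometricPrompt(activity, executor, callback)
        .authenticate(promptInfo, BiometricPrompt.CryptoObject(cipher))
}
```

The point of the CryptoObject is that the unlock does not depend on a boolean "fingerprint matched" result that any enrolled finger could satisfy; it depends on a key the Keystore will only release for the fingerprints that existed when the key was made. After a new enrollment, KeyStore.getKey still returns the entry, but Cipher.init throws KeyPermanentlyInvalidatedException, which is the condition cipherForVaultUnlock checks for before the prompt is ever shown.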

Okay, fair enough. FWIW:

  1. In the past, I could unlock Bitwarden by pressing my finger against the fingerprint reader. But for the past week or two, pressing my finger against the fingerprint reader simply caused Google Assistant to pop up (even if I was in the Bitwarden app). I had to disable Google Assistant and I had to do something with the button, but I can’t remember what anymore (I just tried various settings out of frustration, and at some point pressing the fingerprint reader no longer caused Google Assistant to appear).
  2. By “forget the fingerprint” I mean that when I went into the device’s fingerprint settings, there was no fingerprint set up. I had to set up a fingerprint from scratch (which is a process during which you select to “add” a fingerprint and then press your finger against the reader in a number of ways until the device says that it’s 100% okay).
  3. On my device (Nokia 6 2016), the fingerprint reader also acts as the Home button if you press it briefly.