Justin Taft

Exporting Bitwarden Vault Items When Master Password Is Forgotten But TouchID Unlock Is Enabled

Disclaimer: If you have access to your Bitwarden Vault items, it’s best to make a copy of all vault items ASAP. Create a new Bitwarden account without logging out of the old account, SAVE A COPY OF THE NEW ACCOUNT’S MASTER PASSWORD, and then copy vault items into the new account manually. Tampering with Bitwarden is NOT recommended, and could result in you losing access to all items!

When Bitwarden’s vault is unlocked via TouchID, you can view all passwords in the vault. However, when using the Export Vault feature, the application still asks for the master password. I needed to export passwords from the vault, but didn’t have access to the Master Password.

Digging through Bitwarden’s code, we can see that the Master Password obtained by the Export Dialog isn’t used in the decryption process. It is only used to check whether the vault decryption key already stored in memory was derived from the entered value:

        // Hash the password typed into the export dialog and compare it with the
        // hash cached at unlock time. The entered password itself never takes part
        // in decryption: getExportData() uses the key that is already in memory.
        const keyHash = await this.cryptoService.hashPassword(this.masterPassword, null);
        const storedKeyHash = await this.cryptoService.getKeyHash();
        if (storedKeyHash != null && keyHash != null && storedKeyHash === keyHash) {
            try {
                this.formPromise = this.getExportData();
                const data = await this.formPromise;
                this.downloadFile(data);
                this.saved();
                await this.collectEvent();
            } catch { }

https://github.com/bitwarden/jslib/blob/92df63304029049891a46d575612222fb9b6c325/src/angular/components/export.component.ts#L43-L52

By patching the if statement so that it is always true, such as changing storedKeyHash != to storedKeyHash ||, the master password check can be bypassed with any password. On macOS, the code of the export flow lives inside /Applications/Bitwarden.app/Contents/Resources/app.asar; you have to be root to edit the file.
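To make concrete why the dialog's prompt is a comparison rather than a cryptographic control, here is a small Python model (added by the editor, not Bitwarden's code): export_compare_gate mirrors the quoted flow, where the in-memory key does the decrypting and the password only has to hash-match, and export_unwrap_gate is a hardened variant of my own design in which the entered password must unwrap the key. All names, the KDF parameters and the toy cipher are assumptions.

```python
# Toy model of the export gate quoted above: added example, not Bitwarden's code; names are invented, cipher is a stand-in.
import hashlib, hmac, os

def derive_master_key(password: bytes, salt: bytes) -> bytes:
    # PBKDF2 stands in for the client's own KDF; the iteration count is assumed
    return hashlib.pbkdf2_hmac("sha256", password, salt, 50_000, dklen=32)

def key_hash(password: bytes, salt: bytes) -> str:
    # counterpart of hashPassword(): a hash of the derived key, used only for comparison
    return hashlib.pbkdf2_hmac("sha256", derive_master_key(password, salt), password, 1).hex()

def keystream(key: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    # toy authenticated encryption: HMAC counter keystream XOR, then an HMAC tag
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()

def open_sealed(key: bytes, blob: bytes) -> bytes:
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, keystream(key, len(ct))))

class UnlockedVault:
    # state after a TouchID unlock: the symmetric key is already sitting in memory
    def __init__(self, password: bytes):
        self.salt, self.sym_key = os.urandom(16), os.urandom(32)
        self.wrapped_sym_key = seal(derive_master_key(password, self.salt), self.sym_key)
        self.stored_key_hash = key_hash(password, self.salt)   # what getKeyHash() returns
        self.items = seal(self.sym_key, b"constructed vault item")

    def export_compare_gate(self, entered: bytes) -> bytes:
        # as quoted: the password only feeds a comparison; decryption uses the cached key
        if not hmac.compare_digest(key_hash(entered, self.salt), self.stored_key_hash):
            raise PermissionError("invalid master password")
        return open_sealed(self.sym_key, self.items)

    def export_unwrap_gate(self, entered: bytes) -> bytes:
        # hardened variant (my design, not Bitwarden's): the entered password must unwrap
        # the key itself, so patching a comparison alone cannot make the export succeed
        sym_key = open_sealed(derive_master_key(entered, self.salt), self.wrapped_sym_key)
        return open_sealed(sym_key, self.items)

def rejects(export_fn, entered: bytes) -> bool:
    # True when a gate refuses the entered password
    try:
        return export_fn(entered) is None
    except (PermissionError, ValueError):
        return True
```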
