[mrguyorama]

AppData is specifically where apps store data, and there are and were plenty of legitimate examples where you want some code to access data from an app in there.

The entire point is that it is not meant to be a secure location, was never meant to be a secure location, has no intended security features etc. If you store your passwords in a text file on the desktop, that is also insecure but you would be wrong to say Notepad has a security vulnerability. Similarly, if you stored your passwords in the Windows registry unencrypted, that would also be insecure, but does not demonstrate a flaw in the Windows registry.

If you want to be able to leave your secrets in the open without them being compromised, then you encrypt them.

Browser password managers are not secure. That is not Window's fault.

[MiguelX413]

Regardless, full unrestricted disk access for all users and code is insecure.

[mrguyorama]

It isn't full unrestricted disk access for all users and all code. Any OTHER user, or code running with that user's permissions cannot access YOUR appdata directory. The appdata stuff was the running user's appdata. They already had total control of the user's machine, and in fact, had control of that user's domain administrator! This attack is only possible if you have control of the user's domain administrator AND data access to the user's machine so that you can use both the locally stored Bitwarden data AND the domain's backup decryption keys. The phone OS model wouldn't work here. The security compromise happened when the domain administrator account was breached.