Kunzisoft / KeePassDX

Lightweight vault and password manager for Android. KeePassDX allows editing encrypted data in a single file in KeePass format and filling in forms in a secure way.
https://www.keepassdx.com/
GNU General Public License v3.0

Autofill a password in the username field on ProtonVPN App #960

Closed ghost closed 3 years ago

ghost commented 3 years ago

When you use Autofill in the ProtonVPN app, the password will be entered in the Username field. This will cause the password to show up on the app unexpectedly.

KeePassDX:

Android:

ProtonVPN

J-Jamet commented 3 years ago

I just checked and it's normal.

```
2021-04-13 11:09:42.669 7372-7372/com.kunzisoft.keepass.pro D/com.kunzisoft.keepass.autofill.StructureParser: Autofill applicationId: ch.protonvpn.android
2021-04-13 11:09:42.669 7372-7372/com.kunzisoft.keepass.pro D/com.kunzisoft.keepass.autofill.StructureParser: Autofill password android text type: 0x00000091
2021-04-13 11:09:42.669 7372-7372/com.kunzisoft.keepass.pro D/com.kunzisoft.keepass.autofill.StructureParser: Autofill password android text type: 0x00000081
```

ProtonVPN app has defined the metadata of both fields as password fields:

- Username -> text | visible password
- Password -> text | password

So KeePassDX fills the first password field of the form. You should ask them to change the metadata of their first field.

J-Jamet commented 3 years ago

I can try to find a workaround but I'm afraid it will break other form recognitions.

```kotlin
// One branch of the parser's `when` over the node's inputType in StructureParser:
// a visible-password field is taken as the username when no username candidate
// exists yet, otherwise as the password when none has been found yet.
inputIsVariationType(inputType,
        InputType.TYPE_TEXT_VARIATION_VISIBLE_PASSWORD) -> {
    // Some forms use a visible password field as the username
    if (usernameCandidate == null && usernameValueCandidate == null) {
        usernameCandidate = autofillId
        usernameValueCandidate = node.autofillValue
        Log.d(TAG, "Autofill visible password android text type (as username): ${showHexInputType(inputType)}")
    } else if (result?.passwordId == null && result?.passwordValue == null) {
        result?.passwordId = autofillId
        result?.passwordValue = node.autofillValue
        Log.d(TAG, "Autofill visible password android text type (as password): ${showHexInputType(inputType)}")
        // A password has been placed, so no further username is required
        usernameNeeded = false
    }
}
```
ghost commented 3 years ago

FYI, Keepass2Android autofills the username and password correctly.

J-Jamet commented 3 years ago

KeePass2Android must use a workaround; this is not the problem. It's mostly that the form metadata is not the right one.

J-Jamet commented 3 years ago

I will apply the workaround code so that the visible password is detected as a username if there is no username already present and as a password if there is no password already present in the parser loop. This should work but we have to be careful not to have other side effects.
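To make the metadata explanation and the proposed workaround concrete, here is an added example (not KeePassDX code, and not part of the original thread) that decodes the two inputType values from the log above using the Android `InputType` constants, then walks a form with a simplified model of the original rule (any password variation is a password field, first one wins) next to the workaround rule from the last comment. The field ids and the extra forms are constructed for illustration; only the inputType values come from the log.

```python
# Android InputType constants (android.text.InputType).
TYPE_MASK_CLASS = 0x0000000F
TYPE_MASK_VARIATION = 0x00000FF0
TYPE_CLASS_TEXT = 0x00000001
TYPE_TEXT_VARIATION_NORMAL = 0x00000000
TYPE_TEXT_VARIATION_PASSWORD = 0x00000080
TYPE_TEXT_VARIATION_VISIBLE_PASSWORD = 0x00000090

# Constructed form layouts: (field_id, inputType). Field ids are hypothetical;
# the ProtonVPN inputTypes (0x91, 0x81) are the ones logged in the thread.
PROTONVPN_FORM = [("username_field", 0x00000091), ("password_field", 0x00000081)]
PLAIN_LOGIN_FORM = [("login", 0x00000001), ("pwd_visible", 0x00000091)]
SINGLE_VISIBLE_FORM = [("pwd_visible", 0x00000091)]


def is_variation(input_type: int, variation: int) -> bool:
    """True when the inputType is a text field with exactly this variation."""
    return (input_type & TYPE_MASK_CLASS) == TYPE_CLASS_TEXT and \
           (input_type & TYPE_MASK_VARIATION) == variation


def describe_input_type(input_type: int) -> str:
    """Render an inputType the way the comment above does: 'text | <variation>'."""
    if (input_type & TYPE_MASK_CLASS) != TYPE_CLASS_TEXT:
        return "non-text"
    names = {
        TYPE_TEXT_VARIATION_NORMAL: "normal",
        TYPE_TEXT_VARIATION_PASSWORD: "password",
        TYPE_TEXT_VARIATION_VISIBLE_PASSWORD: "visible password",
    }
    variation = input_type & TYPE_MASK_VARIATION
    return "text | " + names.get(variation, f"variation 0x{variation:08x}")


def assign_first_password(fields):
    """Simplified model of the original rule: both password variations are
    password fields and the first one in the form receives the password."""
    result = {"username": None, "password": None}
    for field_id, input_type in fields:
        if is_variation(input_type, TYPE_TEXT_VARIATION_PASSWORD) or \
           is_variation(input_type, TYPE_TEXT_VARIATION_VISIBLE_PASSWORD):
            if result["password"] is None:
                result["password"] = field_id
        elif is_variation(input_type, TYPE_TEXT_VARIATION_NORMAL):
            if result["username"] is None:
                result["username"] = field_id
    return result


def assign_with_workaround(fields):
    """Workaround rule: a visible-password field becomes the username if none
    is known yet, otherwise the password if none is known yet."""
    result = {"username": None, "password": None}
    for field_id, input_type in fields:
        if is_variation(input_type, TYPE_TEXT_VARIATION_VISIBLE_PASSWORD):
            if result["username"] is None:
                result["username"] = field_id
            elif result["password"] is None:
                result["password"] = field_id
        elif is_variation(input_type, TYPE_TEXT_VARIATION_PASSWORD):
            if result["password"] is None:
                result["password"] = field_id
        elif is_variation(input_type, TYPE_TEXT_VARIATION_NORMAL):
            if result["username"] is None:
                result["username"] = field_id
    return result


if __name__ == "__main__":
    for _, t in PROTONVPN_FORM:
        print(f"0x{t:08x} -> {describe_input_type(t)}")
    for name, form in [("ProtonVPN", PROTONVPN_FORM),
                       ("plain login", PLAIN_LOGIN_FORM),
                       ("single visible", SINGLE_VISIBLE_FORM)]:
        print(name, "original:", assign_first_password(form),
              "workaround:", assign_with_workaround(form))
```

Running it shows why the password was exposed: under the original rule the ProtonVPN form yields no username and puts the password into the visible `username_field`, while the workaround assigns both fields as intended. The third form illustrates the side effect the last comment warns about: a form whose only field is a visible password (a single-field secret entry) is now treated as a username field, so a change like this needs testing against such layouts.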