bitwarden / android

Bitwarden mobile app for Android.
https://bitwarden.com
GNU General Public License v3.0

[Bug] Bitwarden autofills passwords after "Vault timeout" expires #2445

Closed MahdiNazemi closed 1 year ago

MahdiNazemi commented 1 year ago

Steps To Reproduce

  1. Set "Vault timeout" to "4 hours"
  2. Set "Vault timeout action" to "Log out"
  3. Set "Unlock with Face ID" to "On"
  4. Use password autofill in an app
  5. Wait for the "Vault timeout" to expire
  6. Use password autofill in an app

Expected Result

Bitwarden is expected to ask for the master password and TOTP key.

Actual Result

While using the Priority Pass app, Bitwarden showed a number of autocomplete options and filled in my password. It did not ask me to log in to Bitwarden although my last login was the day before.

I was surprised to see this behavior, so I immediately opened Bitwarden. I was then asked to log in to unlock my vault.

Screenshots or Videos

No response

Additional Context

No response

Operating System

iOS

Operating System Version

16.3.1

Device

iPhone XS

Build Version

2023.3.1

Beta

SergeantConfused commented 1 year ago

Hi @MahdiNazemi,

Thank you for your report. I attempted to reproduce your issue and was unable to do so. I tested this on iOS 16.3.1 with Bitwarden 2023.3.1, with the Vault Timeout set to 5 minutes; once 5 minutes passed, I was asked to log into the account whilst attempting to perform Auto-Fill or when opening the Bitwarden client. I would recommend that you start with a fresh installation; please uninstall Bitwarden from your iOS device, turn your device off (long press) and back on, install Bitwarden anew from the Apple App Store, and test that once more.

If this persists, please write us back using our contact form, so we can continue troubleshooting: https://bitwarden.com/contact/ and you can include a link to this issue in the body of your message.

Alternatively, you can get assistance from other Bitwarden users on our community forums (https://community.bitwarden.com/c/support/).

We use GitHub issues as a place to track bugs and other development-related issues; this issue will now be closed.

Thank you again,

MahdiNazemi commented 1 year ago

@SergeantConfused, I faced this bug again when I was trying to autofill in Safari. I will try to take screenshots next time to share them with your support team.

This bug essentially allows access to the vault when access should be denied.

MahdiNazemi commented 1 year ago

I have encountered this bug repeatedly since installing Bitwarden. I am uncertain as to what distinguishes my configuration from yours, resulting in this problem.

@SergeantConfused, is there a way to log the app's behavior to help identify the issue and fix it? Can you retry with 4 hours, please?

I suspect that the majority of users opt for the "lock vault on timeout" option instead of the "log out" option, hence explaining the scarcity of individuals experiencing this issue.