bitwarden / android

Bitwarden mobile app for Android.
https://bitwarden.com
GNU General Public License v3.0

Security issue when unlocking the vault via app. #875

Closed vishalnandagopal closed 4 years ago

vishalnandagopal commented 4 years ago

Describe the Bug

When you are entering the app, and it asks for the master password, there is an option to unhide the password while typing it (the 'eye' logo). It is hidden by default. So when you type the password, the keyboard app on your phone doesn't provide auto-type predictions since it is being recognised as a password field. But when you unhide the password and look at it, the keyboard app provides suggestions. Which means when you unhide it, it is becoming a normal text field. Apps like Gboard and SwiftKey collect all things you type except in password fields, so for all users who have used the 'see password' option, the keyboard has recorded it and stored it on their servers.

Steps To Reproduce

  1. Open app
  2. Proceed to enter password, but with unhide password option on.
  3. You will see the keyboard suggesting words.

Expected Result

The keyboard should not suggest the next words, since it is a password.

Actual Result

It suggests the auto type words.

Environment

Please notify users to change password at your discretion, since it has recorded the password. Also, please please please interchange the logout and unlock option. UI flow is not maintained throughout the system.

kspearrin commented 4 years ago

@mportune-bw Shouldn't our IME options be stopping this from occurring? https://github.com/bitwarden/mobile/blob/master/src/Android/Renderers/CustomEntryRenderer.cs#L23-L24

vishalnandagopal commented 4 years ago

I'm sorry. I don't know what that is. Don't know coding.

In case you are referring to incognito mode of some keyboard app, not all keyboards have it.

the4anoni commented 4 years ago

> I'm sorry. I don't know what that is. Don't know coding.
>
> In case you are referring to incognito mode of some keyboard app, not all keyboards have it.

But gboard has incognito mode.

vishalnandagopal commented 4 years ago

Yes, but not every keyboard has that. Every keyboard respects the password field and doesn't log the words typed. Incognito is not supported by 3rd party keyboards, like the MIUI one (for example).

the4anoni commented 4 years ago

> Yes, but not every keyboard has that. Every keyboard respects the password field and doesn't log the words typed. Incognito is not supported by 3rd party keyboards, like the MIUI one (for example).

MIUI uses Gboard.

vishalnandagopal commented 4 years ago

It uses some Chinese Mi Keyboard. Facemoji keyboard or something similar. https://play.google.com/store/apps/details?id=com.facemoji.lite.xiaomi.gp https://play.google.com/store/apps/details?id=com.mint.keyboard

mpbw2 commented 4 years ago

The Xamarin team has confirmed this (the inability to disable predictive text during input) as a bug in Forms. We'll integrate their fix once it's available to us.

https://github.com/xamarin/Xamarin.Forms/issues/10857
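As an added illustration that is not Bitwarden's code and not the Xamarin.Forms fix referenced in the thread: a stand-alone Xamarin.Android helper that shows, side by side, the toggle pattern that produces the reported behaviour (revealing the password by switching the field to a plain text class, so the IME sees an ordinary text field and starts suggesting and learning) and the pattern that keeps the field classified as a password in both states. The class and method names (`PasswordEntryHelper`, `SetPasswordVisibleUnsafe`, `SetPasswordVisible`, `IsStillPasswordType`) are my own; the code assumes the Xamarin.Android bindings' `InputTypes` enum and `ImeFlags.NoPersonalizedLearning` (the binding of Android 8.0's `IME_FLAG_NO_PERSONALIZED_LEARNING`).

```csharp
// Added example (not Bitwarden's code): a Xamarin.Android EditText whose
// "show password" toggle keeps the field classified as a password for the IME.
using Android.Text;
using Android.Text.Method;
using Android.Views.InputMethods;
using Android.Widget;

public static class PasswordEntryHelper
{
    // Flags that apply whether the password is hidden or shown.
    // TextFlagNoSuggestions turns off dictionary suggestions.
    const InputTypes CommonFlags = InputTypes.ClassText | InputTypes.TextFlagNoSuggestions;

    public static void Configure(EditText editText)
    {
        // NoPersonalizedLearning (Android 8.0+) asks the IME not to learn from
        // what is typed here; older IMEs ignore the flag, so it is an extra layer,
        // not the primary control. The primary control is the password variation.
        editText.ImeOptions = ImeAction.Done | (ImeAction)ImeFlags.NoPersonalizedLearning;
        SetPasswordVisible(editText, false);
    }

    // Problematic pattern: revealing the password by dropping to a plain text
    // class. The IME no longer sees a password field, so it may suggest words
    // and add the typed password to its personal dictionary.
    public static void SetPasswordVisibleUnsafe(EditText editText, bool visible)
    {
        editText.InputType = visible
            ? InputTypes.ClassText
            : InputTypes.ClassText | InputTypes.TextVariationPassword;
    }

    // Corrected pattern: the visible-password variation is still a password
    // type as far as the IME is concerned, and the no-suggestions flag is kept
    // in both states.
    public static void SetPasswordVisible(EditText editText, bool visible)
    {
        int selection = editText.SelectionStart;
        editText.InputType = CommonFlags | (visible
            ? InputTypes.TextVariationVisiblePassword
            : InputTypes.TextVariationPassword);
        // Changing InputType can reset the transformation, so set it explicitly:
        // null shows the characters, PasswordTransformationMethod masks them.
        editText.TransformationMethod = visible
            ? null
            : PasswordTransformationMethod.Instance;
        editText.SetSelection(selection);
    }

    // Check for a debug build or instrumentation test: after a toggle, is the
    // variation the IME sees still one of the password variations?
    public static bool IsStillPasswordType(EditText editText)
    {
        var variation = editText.InputType & InputTypes.MaskVariation;
        return variation == InputTypes.TextVariationPassword
            || variation == InputTypes.TextVariationVisiblePassword;
    }
}
```

Calling `SetPasswordVisibleUnsafe(entry, true)` followed by `IsStillPasswordType(entry)` returns false, which is the state the reporter observed; the same check after `SetPasswordVisible(entry, true)` returns true. Whether a given keyboard honours the visible-password variation is up to that keyboard, so the check verifies what the app advertises to the IME, not what a third-party IME does with it.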