bitwarden / clients

Bitwarden client apps (web, browser extension, desktop, and cli).
https://bitwarden.com

Master Password Re-Prompt not working in Desktop Firefox Extension and Bitwarden Android Mobile App #7799

Open Infinity-167 opened 8 months ago

Infinity-167 commented 8 months ago

Steps To Reproduce

  1. Go to Bitwarden Web vault - https://vault.bitwarden.com
  2. Create a Secure Note and check the "Master Password Re-Prompt" at the bottom and save it.
  3. Open the Secure Note you just created, and you'll be asked to re-enter the Master Password.

Expected Result

I expect the Master Password Re-Prompt to appear the same way it appeared in the Web vault in my Desktop Firefox Extension and Bitwarden Android Mobile App.

Actual Result

I can see all of my Secure Notes without entering my Master Password. The Master Password Re-Prompt only seems to be working on the Web vault.

Screenshots or Videos

No response

Additional Context

Desktop browser extensions other than Firefox and mobile platforms like the iOS app may be affected too.

Operating System

Windows, Android

Operating System Version

Windows 10, Android 13

Web Browser

Firefox

Browser Version

122.0

Build Version

2024.1.1

SergeantConfused commented 8 months ago

Hi @Infinity-167,

Thank you for this report. Just to make sure that you and I are on the same page, if you click on (Edit) in the Bitwarden browser extension in Firefox, are you asked to enter your master password as part of the Master Password Re-prompt function?

I ask because of this (https://bitwarden.com/help/managing-items/#protect-individual-items).

Thank you in advance,

Infinity-167 commented 8 months ago

> Hi @Infinity-167,
>
> Thank you for this report. Just to make sure that you and I are on the same page, if you click on (Edit) in the Bitwarden browser extension in Firefox, are you asked to enter your master password as part of the Master Password Re-prompt function?
>
> I ask because of this (https://bitwarden.com/help/managing-items/#protect-individual-items).
>
> Thank you in advance,

Hello @SergeantConfused,

Yes, when I click on EDIT it asks me to re-enter my Master Password when it's supposed to prevent me from seeing the contents of my Secure Note before I enter my Master Password. It seems to only prevent you from editing but not locking the Secure Note. I have all kinds of sensitive information there like hints for my banking password, or even the password itself, security questions and answers, etc., which I want locked, which is a function in LastPass and should have looked exactly like the link you provided (https://bitwarden.com/help/managing-items/#protect-individual-items) but on the page it says only viewing hidden fields (e.g. passwords, hidden custom fields, credit card numbers) will require you to re-enter your master password. Why is a note (called Secure Notes) which contains passwords, etc. not considered sensitive information? I think this needs to be fixed, because anyone can see the contents of my Secure Notes if they click on it without having to enter any password even though I have the Master Password Re-prompt enabled. It only seems to work in the Web vault (https://vault.bitwarden.com/).

t3pot commented 6 months ago

This also happens for the Chromium-based extension. At this time you can always read the content of secure notes without entering the master password. Same for Android, as the issue points out.

Protected note contents should not be readable without entering the master password @SergeantConfused. That's the point of 'protected' and 'secure'. Hope it gets fixed. Cheers :)

Related to / counterpart of: https://github.com/bitwarden/mobile/issues/3135

Luke-zhang-04 commented 5 months ago

This seems to be the case with cards and logins as well. The master password re-prompt field is no longer in the UI, even though it says I need to turn it off to edit the auto-fill field. I can also edit and view hidden fields without entering my master password.
