Open Infinity-167 opened 8 months ago
Hi @Infinity-167,
Thank you for this report. Just to make sure that you and I are on the same page, if you click on (Edit) in the Bitwarden browser extension in Firefox, are you asked to enter your master password as part of the Master Password Re-prompt function?
I ask because of this (https://bitwarden.com/help/managing-items/#protect-individual-items).
Thank you in advance,
Hello @SergeantConfused,
Yes, when I click on EDIT it asks me to re-enter my Master Password when it's supposed to prevent me from seeing the contents of my Secure Note before I enter my Master Password. It seems to only prevent you from editing but not locking the Secure Note. I have all kinds of sensitive information there like hints for my banking password, or even the password itself, security questions and answers, etc., which I want locked, which is a function in LastPass and should have looked exactly like the link you provided (https://bitwarden.com/help/managing-items/#protect-individual-items) but on the page it says only viewing hidden fields (e.g. passwords, hidden custom fields, credit card numbers) will require you to re-enter your master password. Why is a note (called Secure Notes) which contains passwords, etc. not considered sensitive information? I think this needs to be fixed, because anyone can see the contents of my Secure Notes if they click on them without having to enter any password even though I have the Master Password Re-prompt enabled. It only seems to work in the Web vault (https://vault.bitwarden.com/).
This also happens for the Chromium-based extension. At this time you can always read the content of secure notes without entering the master password. Same for Android, as the issue points out.
Protected note contents should not be readable without entering the master password @SergeantConfused. That's the point of 'protected' and 'secure'. Hope it gets fixed. Cheers :)
Related to / counterpart of: https://github.com/bitwarden/mobile/issues/3135
This seems to be the case with cards and logins as well. The master password re-prompt field is no longer in the UI, even though it says I need to turn it off to edit the auto-fill field. I can also edit and view hidden fields without entering my master password.
Steps To Reproduce
Expected Result
I expect the Master Password Re-Prompt to appear the same way it appeared in the Web vault in my Desktop Firefox Extension and Bitwarden Android Mobile App.
Actual Result
I can see all of my Secure Notes without entering my Master Password. The Master Password Re-Prompt only seems to be working on the Web vault.
Screenshots or Videos
No response
Additional Context
Desktop browser extensions other than Firefox and mobile platforms like the iOS app may be affected too.
Operating System
Windows, Android
Operating System Version
Windows 10, Android 13
Web Browser
Firefox
Browser Version
122.0
Build Version
2024.1.1
Issue Tracking Info