bitwarden / mobile

Retired Bitwarden mobile app for iOS and Android (MAUI/Xamarin).
https://bitwarden.com
GNU General Public License v3.0

Security issue when unlocking the vault via app. #875

Closed JbcfNA3IUHxumZqxhdO5IefndfA2fgCIwRSO06W closed 4 years ago

JbcfNA3IUHxumZqxhdO5IefndfA2fgCIwRSO06W commented 4 years ago

Describe the Bug

When you are entering the app, and it asks for the master password, there is an option to unhide the password while typing it (the 'eye' logo). It is hidden by default. So when you type the password, the keyboard app on your phone doesn't provide auto-type predictions since it is being recognised as a password field. But when you unhide the password and look at it, the keyboard app provides suggestions. Which means when you unhide it, it is becoming a normal text field. Apps like Gboard and SwiftKey collect all things you type except in password fields, so for all users who have used the 'see password' option, the keyboard has recorded it and stored it on their servers.

Steps To Reproduce

  1. Open app
  2. Proceed to enter password, but with unhide password option on.
  3. You will see the keyboard suggesting words.

Expected Result

The keyboard should not suggest the next words, since it is a password.

Actual Result

It suggests the auto type words.

Environment

Please notify users to change password at your discretion, since it has recorded the password. Also, please please please interchange the logout and unlock option. UI flow is not maintained throughout the system.

pPmnBRRYhIemiuiy3VBYULJIzQyZaEvWMbCPH1P commented 4 years ago

@mportune-bw Shouldn't our IME options be stopping this from occurring? https://github.com/bitwarden/mobile/blob/master/src/Android/Renderers/CustomEntryRenderer.cs#L23-L24
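The mitigation the comment above is asking about, as an added example and not the Bitwarden project's own renderer: a Xamarin.Forms Android custom renderer that re-applies `TextFlagNoSuggestions` (and, on API 26+, the `NoPersonalizedLearning` IME flag) every time the Entry's `IsPassword` property toggles, so that unmasking the password switches the field to `TextVariationVisiblePassword` rather than to a plain, learnable text field. The class and namespace names are hypothetical; it assumes a standard Xamarin.Forms Android project.

```csharp
using System;
using System.ComponentModel;
using Android.Content;
using Android.Text;
using Android.Views.InputMethods;
using Xamarin.Forms;
using Xamarin.Forms.Platform.Android;

// Hypothetical renderer; illustrative only, not code from bitwarden/mobile.
[assembly: ExportRenderer(typeof(Entry), typeof(Example.Droid.NoSuggestionsEntryRenderer))]
namespace Example.Droid
{
    // Re-applies the Android input flags whenever IsPassword changes, so that
    // revealing the password does not hand the field back to the keyboard as an
    // ordinary text field whose contents the IME may learn from.
    public class NoSuggestionsEntryRenderer : EntryRenderer
    {
        public NoSuggestionsEntryRenderer(Context context) : base(context) { }

        protected override void OnElementChanged(ElementChangedEventArgs<Entry> e)
        {
            base.OnElementChanged(e);
            ApplyInputFlags();
        }

        protected override void OnElementPropertyChanged(object sender, PropertyChangedEventArgs e)
        {
            base.OnElementPropertyChanged(sender, e);
            // The base renderer rebuilds InputType when IsPassword toggles and the
            // no-suggestions flag is lost in the process, so set it again afterwards.
            if (e.PropertyName == Entry.IsPasswordProperty.PropertyName)
                ApplyInputFlags();
        }

        void ApplyInputFlags()
        {
            if (Control == null || Element == null)
                return;

            // Masked: TextVariationPassword. Unmasked: TextVariationVisiblePassword,
            // which shows the characters but keeps the "this is a password" semantics.
            var inputType = InputTypes.ClassText
                | (Element.IsPassword
                    ? InputTypes.TextVariationPassword
                    : InputTypes.TextVariationVisiblePassword)
                | InputTypes.TextFlagNoSuggestions;

            // Changing InputType can move the caret; remember and restore it.
            int caret = Control.SelectionStart;
            Control.InputType = inputType;
            Control.SetSelection(Math.Min(caret, Control.Text?.Length ?? 0));

            // API 26+ only (assumed available on the target devices): tell the IME
            // not to use this field for personalized learning at all. Older IMEs
            // ignore the flag, which is why TextFlagNoSuggestions is set as well.
            Control.ImeOptions = (ImeAction)((int)ImeAction.Done | (int)ImeFlags.NoPersonalizedLearning);
        }
    }
}
```

The key point is the `OnElementPropertyChanged` hook: setting the flags once in `OnElementChanged` is not enough, because toggling the 'eye' control changes `IsPassword`, and the flags applied at creation do not survive that change.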

JbcfNA3IUHxumZqxhdO5IefndfA2fgCIwRSO06W commented 4 years ago

I'm sorry. I don't know what that is. Don't know coding.

In case you are referring to incognito mode of some keyboard app, not all keyboards have it.

onIKnh7BQsMiYbEwaT7PFjO9dLTD3pcFKaVyELo commented 4 years ago

> I'm sorry. I don't know what that is. Don't know coding.
>
> In case you are referring to incognito mode of some keyboard app, not all keyboards have it.

But gboard has incognito mode.

JbcfNA3IUHxumZqxhdO5IefndfA2fgCIwRSO06W commented 4 years ago

Yes, but not every keyboard has that. Every keyboard respects the password field and doesn't log the words typed. Incognito is not supported by 3rd party keyboards, like the MIUI one (for example).

onIKnh7BQsMiYbEwaT7PFjO9dLTD3pcFKaVyELo commented 4 years ago

> Yes, but not every keyboard has that. Every keyboard respects the password field and doesn't log the words typed. Incognito is not supported by 3rd party keyboards, like the MIUI one (for example).

MIUI uses Gboard.

JbcfNA3IUHxumZqxhdO5IefndfA2fgCIwRSO06W commented 4 years ago

It uses some Chinese Mi Keyboard. Facemoji keyboard or something similar. https://play.google.com/store/apps/details?id=com.facemoji.lite.xiaomi.gp https://play.google.com/store/apps/details?id=com.mint.keyboard

mpbw2 commented 4 years ago

The Xamarin team has confirmed this (the inability to disable predictive text during input) as a bug in Forms. We'll integrate their fix once it's available to us.

https://github.com/xamarin/Xamarin.Forms/issues/10857