Open fmarier opened 2 years ago
FYI, we fixed the issue on NuFi web/extension's end this week - autocomplete is no longer triggered when entering the seed phrase during recovery. As pointed out in the forum thread, we recommend clearing the autocomplete history to wipe the wallet's seed phrase words stored by the browser's autocomplete while the bug was there.
I have noticed that this shows up in other places. From what I can tell, Brave ignores the autocomplete="one-time-code" HTML tag on fields. This, I have noticed, means that TOTP MFA codes are being kept for sites that should be ignored, as it removes the protection of MFA for that user until the code has expired.
https://community.brave.com/t/browser-saves-an-entered-seed-phrase-for-nufi-wallet-under-adresses-and-more-in-the-autofill-settings/424932
Users should of course reach out to the extension authors and point this bug out to them, but we should ideally do something about this in the browser too.
Possible mitigations:
Slack discussion: https://bravesoftware.slack.com/archives/C8MP8ME4C/p1660765334778059 (most details are copied here)
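
A site-side check for the kind of fix described in this thread, as an added example that is not code from the issue, NuFi or Brave: it flags secret-looking fields (seed phrase, OTP) that carry no opt-out `autocomplete` token. The field-name patterns and sample fields are constructed assumptions, and an opt-out token is only a request to the browser, which is why the thread also asks for a browser-side mitigation.

```javascript
// Added example: names, patterns and sample fields are constructed.
// Heuristic patterns for fields holding the secrets this thread discusses
// (wallet seed phrases, TOTP codes).
const SECRET_NAME_PATTERNS = [/seed/i, /mnemonic/i, /recovery/i, /otp/i, /one[-_ ]?time/i, /mfa|2fa/i];

// Autocomplete tokens that ask the browser not to store or replay the value.
const OPT_OUT_TOKENS = new Set(["off", "one-time-code"]);

function looksSecret(field) {
  const label = `${field.name || ""} ${field.id || ""}`;
  return SECRET_NAME_PATTERNS.some((re) => re.test(label));
}

// Returns one finding per secret-looking field that does not opt out.
function auditFields(fields) {
  const findings = [];
  for (const field of fields) {
    if (!looksSecret(field)) continue;
    // The attribute may hold several space-separated tokens.
    const tokens = (field.autocomplete || "").toLowerCase().split(/\s+/).filter(Boolean);
    const label = field.name || field.id;
    if (tokens.length === 0) {
      findings.push({ field: label, reason: "no autocomplete attribute" });
    } else if (!tokens.some((t) => OPT_OUT_TOKENS.has(t))) {
      findings.push({ field: label, reason: `autocomplete="${tokens.join(" ")}" does not opt out` });
    }
  }
  return findings;
}

// Constructed sample: a wallet recovery form and an MFA prompt.
const SAMPLE_FIELDS = [
  { name: "seed-word-1", autocomplete: null },
  { name: "seed-word-2", autocomplete: "off" },
  { name: "totp_code", autocomplete: "one-time-code" },
  { name: "otp", autocomplete: "on" },
  { name: "email", autocomplete: "email" },
];

// In a browser, build the input from the live DOM instead:
// [...document.querySelectorAll("input, textarea")].map((el) =>
//   ({ name: el.name, id: el.id, autocomplete: el.getAttribute("autocomplete") }));
console.log(auditFields(SAMPLE_FIELDS));
```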