brave / brave-browser

Brave browser for Android, iOS, Linux, macOS, Windows.
https://brave.com
Mozilla Public License 2.0

Password Manager requires authentication only once and then reveals the passwords until application restart #32194

Open AnK26-616 opened 1 year ago

AnK26-616 commented 1 year ago

Description

To show the stored passwords, Brave Password Manager requires user authentication - which is good. However, it asks for that only once. After the user provides the credentials (e.g. via Windows Hello), all the passwords are accessible without any further authentication / prompt until the application is restarted. That leaves all the passwords easily readable for anyone accessing the computer. Closing the tab, waiting a couple of minutes, locking the machine - none of this affects that state. Once authenticated, Password Manager seems to stay in that mode forever. This issue is present only in the (Windows) Desktop version (1.56.20) but not in the equivalent Android one.

Steps to Reproduce

  1. Go to 'Settings'
  2. Choose 'Autofill and passwords'
  3. Click on any passwords stored there to reveal / edit it.
  4. If you have not done that before (since the app was restarted) you will be asked for credentials.
  5. Leave the settings tab or wait a few mins or close the tab or lock/unlock machine or both
  6. Repeat steps 1-3
  7. Brave will not ask for the authentication any more.

Actual result:

No specific screenshots can be provided. Passwords are revealed every time the user clicks on them without additional authentication (assuming it was already done once for the "session").

Expected result:

Brave should ask for user authentication every time the user tries to reveal any password, or at least every time the Password Manager is accessed. Or, simply put, Brave Password Manager on the Windows desktop version should behave the same way as on Android.

Reproduces how often:

Easily reproduced

Brave version (brave://version info)

Brave | 1.56.20 Chromium: 115.0.5790.171 (Official Build) (64-bit)
Revision | cf9067bf10d8f798c24643029af1d24e275646d6-refs/branch-heads/5790@{#1924}
OS | Windows 11 Version 22H2 (Build 22621.2134)

Version/Channel Information:

The Beta version of the Brave desktop browser (I think 1.57.20) behaves the same way. The Nightly channel was not tested. The production version of the Android browser (1.56.20) behaves properly, asking for permissions / user authentication every time a password is displayed.

Other Additional Information:

Shields, rewards do not seem to impact this issue at all.

Miscellaneous Information:

None

AnK26-616 commented 1 year ago

For the 'Expected results' - the solution might also be to create an option to define after how many minutes the Password Manager is locked, the same way as it is implemented for Brave Wallet.

AnK26-616 commented 1 year ago

Plus one more update: Brave seems to properly "forget" the credentials given to open Password Manager after a long time (long means e.g. the next day). Still, when tested in "let's try after 10 minutes" mode, it does not work properly, as described.