Passcode / FaceID bypass in autofill extension
Fixes: #537
Fixes: #568
Summary
When enrolled in passcode protection, the autofill extension currently calls the success callback even if a passcode/FaceID is not successfully verified.
In the case that the PGP key passphrase is stored, this additionally results in password decryption without further user interaction.
For the case that passcode protection is enabled, the fix is to only decrypt passwords upon successful passcode / FaceID verification.
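
The callback pattern described in the summary, next to a fail-closed version, as an added example that is not the project's code. All names (`AutofillGate`, `Authenticator`, `StubAuthenticator`, `UnlockResult`) are hypothetical, and the stub stands in for the passcode / FaceID prompt.

```swift
import Foundation

// Hypothetical names throughout; this is not the project's code.
enum UnlockResult { case verified, failed, cancelled }

protocol Authenticator {
    // In an app this would wrap the passcode screen or
    // LAContext.evaluatePolicy(_:localizedReason:reply:).
    func authenticate(completion: @escaping (UnlockResult) -> Void)
}

struct StubAuthenticator: Authenticator {
    let result: UnlockResult  // constructed outcome for the demo
    func authenticate(completion: @escaping (UnlockResult) -> Void) { completion(result) }
}

final class AutofillGate {
    let passcodeEnabled: Bool
    let authenticator: Authenticator
    let decrypt: () -> String  // stands in for decryption with a stored PGP passphrase

    init(passcodeEnabled: Bool, authenticator: Authenticator, decrypt: @escaping () -> String) {
        self.passcodeEnabled = passcodeEnabled
        self.authenticator = authenticator
        self.decrypt = decrypt
    }

    // Flawed pattern: the success path runs whatever the verification outcome was.
    func unlockFlawed(onSuccess: @escaping (String) -> Void) {
        guard passcodeEnabled else { onSuccess(decrypt()); return }
        authenticator.authenticate { _ in onSuccess(self.decrypt()) }
    }

    // Fixed pattern: decrypt only on .verified; every other outcome fails closed.
    func unlockFixed(onSuccess: @escaping (String) -> Void, onFailure: @escaping () -> Void) {
        guard passcodeEnabled else { onSuccess(decrypt()); return }
        authenticator.authenticate { result in
            switch result {
            case .verified: onSuccess(self.decrypt())
            case .failed, .cancelled: onFailure()
            }
        }
    }
}

// Demo with a cancelled prompt and a constructed secret.
let gate = AutofillGate(passcodeEnabled: true, authenticator: StubAuthenticator(result: .cancelled),
                        decrypt: { "constructed-secret" })
gate.unlockFlawed { print("flawed path released: \($0)") }
gate.unlockFixed(onSuccess: { print("fixed path released: \($0)") }, onFailure: { print("fixed path: nothing decrypted") })
```

Switching exhaustively over the outcome, with no `default` case, means a newly added result value will not compile until someone decides whether it may unlock.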