Autofill security bug on iOS: User accounts saved in vault exposed before vault unlocked

I’m not sure if this is the correct place to post the following; however, I have reported to Bitwarden what I consider a relatively serious bug, which has been confirmed by their team but has not yet been patched after a couple of months, as far as I can tell. I would like to know if others are able to produce this bug.

Environment: iOS 13, Safari browser (tested on iPhone and iPad)

Situation: navigate to any website for which you have user accounts saved (e.g., and navigate to the login screen, click on the user/password field, at which point the password manager will be activated (this might behave slightly differently depending on whether you have autofill enabled). Since I have autofill enabled, it will show me a list of all the user accounts saved to my vault that are associated with this URL.

Hopefully, I don’t have to point out why this is an undesirable security/privacy bug.

Report this as an issue on GitHub. Click the link below, select the platform. Press issue and enter the information. I cannot confirm this as I am an Android user. This is the best place to post something like this.

@bwq welcome!

Couple of items:

  1. @vachan is right, GitHub is the best place to post bug reports :slight_smile:

  2. It’s early-ish for me, so I may be reading it wrong (coffee hasn’t kicked in) - but this simply sounds like our standard URI matching for accounts (we prompt you for all applicable accounts for the website, so you can pick which one you’d like to log in with) - which you can disable by setting the item’s URI matching function to “never”.

  3. If I am way off base, can you let me know the ticket number from your conversation with our CS team? I’d like to check on it to make sure it has traction, as we are pretty determined to handle any security-related bugs “quick, fast, and in a hurry!”.


Are you sure this is BW adding your login and password? Or is it Apple Keychain? I bet it is the latter and you are just confused. It would be helpful if you added a screen capture and steps to reproduce this.