On iOS, with autofill enabled and the vault locked, when I tap into a login field, I get a popup at the bottom that says
password for this website
< Username >
If I touch the popup, I get presented with the BW unlock option (face, pin, password, etc.) and then my username and password get filled in.
The problem is that many many sites now separate the username entry and the password entry into separate pages/screens. This means that I have to fill-in and thus unlock twice.
1. touch username field
2. touch autofill popup
3. unlock BW
4. username filled in
5. screen refreshes
6. touch password field
7. touch autofill popup
8. unlock BW
9. password filled in
That’s annoying even with FaceID. It’s miserable if you unlock with your password.
FEATURE REQUEST:
Since BW does not consider the username a secret and since it can present it without unlocking the vault, can the username be filled without unlocking the vault?
… Hmmm… I’m not exactly sure what I’m seeing there… and what exactly provides the “username suggestions” on iOS with the BW mobile app then… according to this recent explanation by @grb in a similar feature request, I would think it can’t be the locked mobile BW app that creates those suggestions…
To be sure, log in to the Bitwarden Web Vault, and temporarily change your github.com username from dpantel to dpantel-bw. Then, go back to your iPhone and try to autofill your Github username while the Bitwarden mobile app remains locked — do you now see the dpantel-bw username or the dpantel username (or something else) at the prompt that you screenshotted above?
@dpantel OK, thanks. However, please open your Bitwarden app, and confirm that it is actually locked. If you don’t see the unlock prompt, go to Settings > Account Security, and click “Lock now”. Please post a screenshot of the locked app (after redacting your email address), then repeat the test to see if you are offered the username dpantel-bw; please post a screenshot of that, as well.
Basically, I’m wondering if the unlock prompts that you see while autofilling are popping up unnecessarily (due to some bug), even if the app is actually already unlocked. That would explain why the username could be visible.
The reason I ask for the two screenshots (lock screen and autofill showing username) is that if what you are describing is correct, then you may have discovered a bug that would be a serious security vulnerability. I would like to definitively rule out other possibilities before making such a conclusion.
Typically, forum users would use an image editor to erase or obfuscate personal information before posting a screenshot.
I don’t use the iOS app, so I cannot test this myself. IMO, this falls under the category “extraordinary claims require extraordinary evidence”, so I will likely continue to believe there is some alternative explanation for your observations. If you believe otherwise, I would recommend that you file a report on Github — or, preferably, on HackerOne (since it appears to be a serious security issue if reproducible).