Hello, it seems that if you ask to see the content of the password field during login, the spell checker analyses the field. Is it a possible leak of the main password through the spell checker? Thank you
Perhaps you should figure out a way to live without that spell checker.
Or check if it at least has an option not to be nosy around password fields.
It seems embedded by default. Maybe Chrome detects it and then uses it.
Which OS and exact password field (Bitwarden master password or website password) are you referring to?
For example, on my macOS Bitwarden Chrome extension, password fields are usually set to disable spellcheck, etc.
Looking at a snippet of HTML for master password:
... name="MasterPassword" required="" autocomplete="off" autocapitalize="none" autocorrect="none" spellcheck="false" ...
It happens on the desktop app on Linux. Have to test on Windows. And it’s the Bitwarden master password.
Okay. I am also able to reproduce this on the Desktop app.
Enabling developer tools, I see that the "spellcheck" attribute is not set for the Desktop App, which probably means it uses the default setting (in this particular case, it is enabled).
Some more technical details:
I think Bitwarden Desktop uses an appAutofocus directive, which doesn’t really set much:
On the other hand, the Bitwarden browser extension uses the appInputVerbatim directive, which disables spellcheck and so on.
Can appAutofocus and appInputVerbatim coexist?
Probably. At least both are used together in one HTML tag for the browser extension:
There are various locations where the browser extension adds the appInputVerbatim directive. All corresponding HTML files should probably be checked to see if the directive should be ported to the Desktop App.
It may be worth opening a GitHub issue at Issues · bitwarden/desktop · GitHub to get input from developers as this is closer to a bug than a feature request.
Issue opened: Possible leak of password due to spell checker · Issue #842 · bitwarden/desktop · GitHub
Thanks for all the research already done!
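The template check suggested in the thread can be scripted; the following is an added example, not code from any poster or from the Bitwarden repositories. It assumes, as described above, that the presence of appInputVerbatim disables spellcheck, and the sample template is constructed for illustration.

```python
from html.parser import HTMLParser

# Attributes whose value may reveal that an <input> holds a secret. Matching on
# name/id as well as type matters: "show password" switches type to "text".
SECRET_KEYS = ("type", "[type]", "name", "id", "formcontrolname")
# Assumption from the thread: this directive disables spellcheck on its input.
VERBATIM_DIRECTIVE = "appinputverbatim"  # HTMLParser lowercases attribute names


class SpellcheckAudit(HTMLParser):
    """Collect secret-bearing <input> tags that leave spellcheck at its default."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (line, field name) pairs

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        if not any("password" in a.get(k, "").lower() for k in SECRET_KEYS):
            return
        if a.get("spellcheck", "").lower() == "false" or VERBATIM_DIRECTIVE in a:
            return
        self.findings.append((self.getpos()[0], a.get("name") or a.get("id") or "?"))


def audit(template):
    """Return (line, name) for each secret input that does not disable spellcheck."""
    parser = SpellcheckAudit()
    parser.feed(template)
    parser.close()
    return parser.findings


# Constructed sample template, not taken from the Bitwarden repositories.
SAMPLE = """\
<input id="email" type="text" name="Email" appAutofocus>
<input id="masterPassword" type="{{showPassword ? 'text' : 'password'}}"
       name="MasterPassword" appAutofocus required>
<input type="password" name="MasterPassword" required="" autocomplete="off"
       autocapitalize="none" autocorrect="none" spellcheck="false">
<input type="password" name="MasterPasswordRetype" appInputVerbatim appAutofocus>
<input type="password" name="Pin">
"""

if __name__ == "__main__":
    for line, name in audit(SAMPLE):
        print(f"line {line}: input '{name}' does not disable spellcheck")
```

Run over each template file, this lists the password inputs that would fall back to the default spellcheck behaviour once their content is revealed.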