Logout after multiple PIN attempts during autofill

app:mobile

#1

Issue: After configuring a “PIN to unlock” on the iOS app, a user can navigate to the login page of website in Safari, prompting a password autofill from Bitwarden. A Bitwarden page pops up to verify the PIN. After entering an incorrect PIN, a message box appears stating “An error has occurred. PIN” and the user taps “OK” to dismiss and try again. After five incorrect pins, the Bitwarden verification page disappears and the user is back at the Safari page, which again prompts for a password autofill from Bitwarden. The user can then repeat this process without being forced to log out. This means that an attacker has unlimited tries to guess the pin, which can then be used to unlock the entire Vault through the Bitwarden app.

Request: Automatically log out of Bitwarden after multiple failed PIN attempts during an autofill event within a browser. (Bitwarden already does this after multiple failed PIN attempts through the Bitwarden iOS app.)

Environment:
Bitwarden iOS app: version 2.2.1 (55)
iOS: 12.4.1


Detect changed biometrics/fingerprint and re-prompt for master password
#2

I also see bit warden frequently autoentering password on non-login pages, like user profiles where Bitwarden nukes NEW PASSWORD, OLD PASSWORD and every other field on the page. I never experienced this with 1 Password’s autofill feature so clearly this can be executed properly and really needs improvement in Bitwarden.