Logout after multiple PIN attempts during autofill

Issue: After configuring a “PIN to unlock” on the iOS app, a user can navigate to the login page of a website in Safari, prompting a password autofill from Bitwarden. A Bitwarden page pops up to verify the PIN. After entering an incorrect PIN, a message box appears stating “An error has occurred. PIN” and the user taps “OK” to dismiss and try again. After five incorrect PINs, the Bitwarden verification page disappears and the user is back at the Safari page, which again prompts for a password autofill from Bitwarden. The user can then repeat this process without being forced to log out. This means that an attacker has unlimited tries to guess the PIN, which can then be used to unlock the entire Vault through the Bitwarden app.

Request: Automatically log out of Bitwarden after multiple failed PIN attempts during an autofill event within a browser. (Bitwarden already does this after multiple failed PIN attempts through the Bitwarden iOS app.)

Environment:
Bitwarden iOS app: version 2.2.1 (55)
iOS: 12.4.1
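The behaviour requested above comes down to one design rule: the failed-attempt counter must be persisted to storage that every entry point shares, and it must be written before the error is shown, so that dismissing and reopening the autofill extension cannot reset it. The following is an added illustration of that rule, not Bitwarden's own code. It assumes a JSON file as the shared store (standing in for an app-group container), the same five-attempt limit the report describes for the main app, and an illustrative PBKDF2 work factor; all three are assumptions, not values taken from the app.

```python
"""Added illustration (not Bitwarden's code): a PIN gate whose failure counter is
persisted on every failed attempt, so relaunching the autofill extension cannot
reset it. After MAX_PIN_ATTEMPTS failures the vault is marked logged out and the
PIN path stays closed until a full re-login."""
import hashlib
import hmac
import json
import os
import secrets
import tempfile

MAX_PIN_ATTEMPTS = 5          # assumption: the limit the report describes for the main app
PBKDF2_ITERATIONS = 100_000   # assumption: illustrative work factor only


def derive_pin_hash(pin: str, salt: bytes) -> bytes:
    """Slow, salted hash so the stored value is not the PIN itself."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)


class PinLock:
    """PIN gate whose state lives in a file shared by all entry points
    (main app and autofill extension); assumption: a file stands in for
    platform shared storage."""

    def __init__(self, state_path: str):
        self.state_path = state_path
        if os.path.exists(state_path):
            with open(state_path) as f:
                self.state = json.load(f)
        else:
            self.state = {"salt": None, "pin_hash": None,
                          "failed_attempts": 0, "logged_out": False}

    def _save(self) -> None:
        # Written atomically and immediately, so a dismissed extension cannot
        # discard the count before it reaches disk.
        tmp = self.state_path + ".tmp"
        with open(tmp, "w") as f:
            json.dump(self.state, f)
        os.replace(tmp, self.state_path)

    def set_pin(self, pin: str) -> None:
        """Configure the PIN; only reachable after a full master-password login."""
        salt = secrets.token_bytes(16)
        self.state.update(salt=salt.hex(), pin_hash=derive_pin_hash(pin, salt).hex(),
                          failed_attempts=0, logged_out=False)
        self._save()

    def verify(self, entered_pin: str) -> str:
        """Returns 'unlocked', 'retry' or 'logged_out'."""
        if self.state["logged_out"] or self.state["pin_hash"] is None:
            return "logged_out"  # PIN path is closed; only a full login reopens it
        salt = bytes.fromhex(self.state["salt"])
        expected = bytes.fromhex(self.state["pin_hash"])
        if hmac.compare_digest(derive_pin_hash(entered_pin, salt), expected):
            self.state["failed_attempts"] = 0
            self._save()
            return "unlocked"
        self.state["failed_attempts"] += 1
        if self.state["failed_attempts"] >= MAX_PIN_ATTEMPTS:
            # Log out: drop the PIN material and shut the PIN path until re-login.
            self.state.update(pin_hash=None, salt=None,
                              failed_attempts=0, logged_out=True)
            self._save()
            return "logged_out"
        self._save()
        return "retry"

    def attempts_left(self) -> int:
        return MAX_PIN_ATTEMPTS - self.state["failed_attempts"]


def fresh_state_path() -> str:
    """Path for a new, empty shared-state file (constructed for the demo)."""
    return os.path.join(tempfile.mkdtemp(), "pin_state.json")


def simulate_extension_relaunches(state_path: str, pin: str, attempts: list) -> list:
    """Model the report's scenario: the lock is reopened from shared storage before
    every attempt, as happens when the extension is dismissed and relaunched, and
    the outcome of each attempt is returned."""
    PinLock(state_path).set_pin(pin)
    return [PinLock(state_path).verify(a) for a in attempts]


if __name__ == "__main__":
    # Constructed sample: four wrong PINs, a fifth wrong one, then the right one.
    outcomes = simulate_extension_relaunches(
        fresh_state_path(), "2468", ["0000", "1111", "2222", "3333", "4444", "2468"])
    print(outcomes)  # the sixth, correct PIN is refused because the vault is logged out
```

The point of `simulate_extension_relaunches` is that each `PinLock` instance is fresh, exactly as a relaunched extension would be, yet the fifth failure still logs the vault out and the correct PIN is then refused; the same check in the main app and in the extension read the same counter.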

I also see Bitwarden frequently auto-entering passwords on non-login pages, like user profiles where Bitwarden nukes NEW PASSWORD, OLD PASSWORD and every other field on the page. I never experienced this with 1Password’s autofill feature so clearly this can be executed properly and really needs improvement in Bitwarden.
