Security issue when unlocking the vault via app. #1001

Closed
opened 2025-11-26 22:36:15 -06:00 by GiteaMirror · 7 comments

Originally created by @vishalnandagopal on GitHub (May 4, 2020).

Originally assigned to: @mpbw2 on GitHub.

Describe the Bug

When you are entering the app, and it asks for the master password, there is an option to unhide the password while typing it (the 'eye' logo). It is hidden by default. So when you type the password, the keyboard app on your phone doesn't provide auto type predictions since it is being recognised as a password field. But when you unhide the password and look at it, the keyboard app provides suggestions. Which means when you unhide it, it is becoming a normal text field. Apps like GBoard and SwiftKey collect all things you type except in password fields, so for all users who have used the 'see password', the keyboard has recorded it and stored it in the servers.

Steps To Reproduce

  1. Open app
  2. Proceed to enter password, but with unhide password option on.
  3. You will see the keyboard suggesting words.

Expected Result

The keyboard should not suggest the next words, since it is a password.

Actual Result

It suggests the auto type words.

Environment

  • Device: Redmi
  • Operating system: Android 10
  • Build Version (go to "Settings" → "About" in the app): [e.g. 2.3.1 (2257)]
  • Is this a Beta release? F-Droid release.

Please notify users to change password at your discretion, since it has recorded the password.
Also, please please please interchange the logout and unlock option. UI flow is not maintained throughout the system.

@kspearrin commented on GitHub (May 4, 2020):

@mportune-bw Shouldn't our IME options be stopping this from occurring? https://github.com/bitwarden/mobile/blob/master/src/Android/Renderers/CustomEntryRenderer.cs#L23-L24

@vishalnandagopal commented on GitHub (May 4, 2020):

I'm sorry. I don't know what that is. Don't know coding.

In case you are referring to incognito mode of some keyboard app, not all keyboards have it.

@the4anoni commented on GitHub (May 10, 2020):

> I'm sorry. I don't know what that is. Don't know coding.
>
> In case you are referring to incognito mode of some keyboard app, not all keyboards have it.

But gboard has incognito mode.

@vishalnandagopal commented on GitHub (May 17, 2020):

Yes, but not every keyboard has that.
Every keyboard respects the password field and doesn't log the words typed.
Incognito is not supported by 3rd party keyboards, like the MIUI one (example).

@the4anoni commented on GitHub (May 18, 2020):

> Yes, but not every keyboard has that.
> Every keyboard respects the password field and doesn't log the words typed.
> Incognito is not supported by 3rd party keyboards, like the MIUI one (example).

Miui uses gboard.

@vishalnandagopal commented on GitHub (May 19, 2020):

It uses some Chinese Mi Keyboard. Facemoji keyboard or something similar.
https://play.google.com/store/apps/details?id=com.facemoji.lite.xiaomi.gp
https://play.google.com/store/apps/details?id=com.mint.keyboard

@mpbw2 commented on GitHub (May 26, 2020):

The Xamarin team has confirmed this (the inability to disable predictive text during input) as a bug in Forms. We'll integrate their fix once it's available to us.

https://github.com/xamarin/Xamarin.Forms/issues/10857
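
The behaviour discussed in this thread, as an added Xamarin.Android example (not code from Bitwarden or Xamarin.Forms): a password `EditText` that keeps a password input variation and the no-suggestions and no-learning hints when the user toggles the 'eye' icon. The class and method names are hypothetical, and the flags are requests that the installed keyboard is expected to honour, not something the app can enforce.

```csharp
using Android.OS;
using Android.Text;
using Android.Views.InputMethods;
using Android.Widget;

// Hypothetical helper for illustration; call it from the reveal-toggle handler.
public static class PasswordFieldHardening
{
    public static void SetRevealed(EditText field, bool revealed)
    {
        // Changing InputType can move the cursor, so remember it first.
        int cursor = field.SelectionStart;

        // A revealed field stays a *password* variation (visible password)
        // instead of falling back to plain text, which is what lets
        // keyboards start offering predictions.
        InputTypes variation = revealed
            ? InputTypes.TextVariationVisiblePassword
            : InputTypes.TextVariationPassword;

        field.InputType = InputTypes.ClassText
                          | variation
                          | InputTypes.TextFlagNoSuggestions;

        // IME hints: no fullscreen extract view, and (API 26+) ask the
        // keyboard not to learn from or personalise on this input.
        ImeFlags flags = ImeFlags.NoExtractUi;
        if (Build.VERSION.SdkInt >= BuildVersionCodes.O)
        {
            flags |= ImeFlags.NoPersonalizedLearning;
        }
        field.ImeOptions = field.ImeOptions | (ImeAction)flags;

        // Restore the cursor if there was one and it is still in range.
        if (cursor >= 0 && cursor <= field.Text.Length)
        {
            field.SetSelection(cursor);
        }
    }
}
```

To check the result on a device, toggle the reveal icon with each installed keyboard and confirm that the suggestion strip stays empty in both states.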

Reference: github-starred/android#1001