[GH-ISSUE #6887] Bitwarden silently resets your account settings every time you log out and log back in, without the user's knowledge - security problem. #116274

Open
opened 2026-06-09 10:04:24 -05:00 by GiteaMirror · 9 comments

Originally created by @tdbe on GitHub (May 8, 2026).
Original GitHub issue: https://github.com/bitwarden/android/issues/6887

Steps To Reproduce

  • Install Bitwarden on a new device from google play store (tried google pixel 10 xl, android 16) (also tried android 13, samsung)
  • Log in (email, password, 2fa, remember me).
  • Set your settings: Other settings: Clear clipboard: 10s, Allow sync on refresh: true. Account Security: Session timeout: 1 minute.
  • Then Lock, then Log out.
  • Then Log in again.
  • Your settings are now all reset to defaults.

Major security risk: user still thinks their clipboard will be cleared in 10s. Hands the phone to someone else tomorrow. The password is still in the clipboard. -- No matter what your agenda is, may I suggest you have a "clear clipboard on lock" with ON by Default??????? Most if not ALL open source password managers do this.

Expected Result

The settings are saved in the logged in account's settings page. This means the user expects the settings to be there when they log in. You should tie the settings to an ID generated by the device id + the user account.

The fact that you reset the settings on us without telling us, leads to major password leak issues as the user doesn't know the app no longer locks or logs out immediately / according to their explicit settings. And also the clipboard is not cleared any more, without warning.

Actual Result

The settings are saved in the logged in account's settings page. This means the user expects the settings to be there when they log in. You should tie the settings to an ID generated by the device id + the user account.

The fact that you reset the settings on us without telling us, leads to major password leak issues as the user doesn't know the app no longer locks or logs out immediately / according to their explicit settings. And also the clipboard is not cleared any more, without warning.

Screenshots or Videos

No response

Additional Context

No response

Build Version

Pixel 10 (app from mobileapp.bitwarden.com/fdroid/repo):

Version: 2026.4.0 (21434)
📱 google Pixel 10 XL 🤖 16@36 📦 prod -fdroid
🧱 commit: bitwarden/android/release/2026.4-rc50@61955d7cbe1546a4c467284b4a5491d4f0e47afa
💻 build source: bitwarden/android/actions/runs/23952219208/attempts/1
🦀 SDK: 2.0.0-5676-14521973
🌩 Server: 2026.4.1 @ US

Samsung tablet (app from google play store):

Version: 2026.4.0 (21434)
📱 samsung SM-T97x 🤖 13@33 📦 prod
🧱 commit: bitwarden/android/release/2026.4-rc50@61955d7cbe1546a4c467284b4a5491d4f0e47afa
💻 build source: bitwarden/android/actions/runs/23952219208/attempts/1
🦀 SDK: 2.0.0-5676-14521973
🌩 Server: 2026.4.1 @ US

What server are you connecting to?

US

Self-host Server Version

No response

Environment Details

Pixel 10 XL. Android 16.
Samsung, Android 13.

Issue Tracking Info

  • I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.
GiteaMirror added the bug and app:password-manager labels 2026-06-09 10:04:25 -05:00

@bitwarden-bot commented on GitHub (May 8, 2026):

Thank you for your report! We've added this to our internal board for review.
ID: PM-36883 (https://bitwarden.atlassian.net/browse/PM-36883)


@SaintPatrck commented on GitHub (May 8, 2026):

@tdbe your reproduction steps include "Log Out". When a user logs out the expected behavior is to clear their account settings exactly like you're describing. The only exception to that is when the Session Timeout is set to Logout, which we consider a "soft logout", and we partially retain your settings (e.g. PIN, timeout action, and timeout interval).

Can you turn on Flight Recorder and leave it on until the behavior manifests again, as I requested in https://github.com/bitwarden/android/issues/6882? That will clearly indicate if/why LOGOUT is being performed, and why settings are being cleared. We're looking for the log line `logout reason=...`. With that, we can tell definitively whether what you're experiencing is a true bug or one of the documented logout paths firing without an explicit user action.


@tdbe commented on GitHub (May 8, 2026):

Here I describe the action of logging out manually on purpose by pressing the log out button. I point out it's a major UX misinformation. It's as if I log in to Whatsapp or Signal, make my phone number private, then log out and log in again and my phone number secretly became reset to public again without my knowledge. And you're saying this is on purpose. Well, if it's on purpose then you absolutely must at the very very very least clear the clipboard on lock as a default setting. And when the user logs in, show a popup saying Warning: your settings have been reset to defaults. No other app silently resets settings on you by design.

This "we silently delete your settings by design" functionality has 0 paths that aren't directly hurtful to the user, and 0 paths in which it is a security issue. As a matter of fact, deleting your security settings IS the security issue. The settings are part of your account + device id. they should always be applied when the account + device is present.


@pamperer562580892423 commented on GitHub (May 8, 2026):

> Well, if it's on purpose then you absolutely must at the very very very least clear the clipboard on lock as a default setting.

Well, as it happens, this was just introduced for the browser extensions (https://bitwarden.com/help/releasenotes/#2026-4-1):

[Image: screenshot of the 2026.4.1 release note]

I would like to see this in the other Bitwarden apps/clients too, as it really does make sense to have that minimal security safety net no matter what.

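As an added illustration of the "clear clipboard on lock" safety net argued for in the two comments above (example code written for this page, not Bitwarden's own; the class and method names are hypothetical and it assumes an Android `Context`), this is the shape such a wrapper takes: the user's clear-after-N-seconds timer stays a setting, while the wipe on vault lock or logout is unconditional and not tied to any per-account setting that a logout could reset.

```kotlin
// Added illustration, not Bitwarden's code. Class and method names are hypothetical.
import android.content.ClipData
import android.content.ClipDescription
import android.content.ClipboardManager
import android.content.Context
import android.os.Build
import android.os.Handler
import android.os.Looper
import android.os.PersistableBundle

/**
 * Clipboard wrapper for secrets with two independent safety nets:
 *  - an optional timer (the user's "Clear clipboard: 10s" setting), and
 *  - an unconditional wipe on vault lock/logout that is not a setting at all,
 *    so no settings reset can silently disable it.
 */
class SensitiveClipboard(context: Context) {
    private val clipboard =
        context.getSystemService(Context.CLIPBOARD_SERVICE) as ClipboardManager
    private val handler = Handler(Looper.getMainLooper())
    private var pendingClear: Runnable? = null

    /** Copy [secret]; [clearAfterMs] == null means the user chose "never". */
    fun copySecret(secret: String, clearAfterMs: Long?) {
        val clip = ClipData.newPlainText("", secret)
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
            // API 33+: mark the clip sensitive so the system clipboard preview
            // and overlays do not show the value.
            clip.description.extras = PersistableBundle().apply {
                putBoolean(ClipDescription.EXTRA_IS_SENSITIVE, true)
            }
        }
        clipboard.setPrimaryClip(clip)
        cancelPendingClear()
        if (clearAfterMs != null) {
            val r = Runnable { wipe() }
            pendingClear = r
            handler.postDelayed(r, clearAfterMs)
        }
    }

    /** Hook this to both vault lock and logout. Runs regardless of the timer setting. */
    fun onVaultLocked() {
        cancelPendingClear()
        wipe()
    }

    private fun cancelPendingClear() {
        pendingClear?.let { handler.removeCallbacks(it) }
        pendingClear = null
    }

    private fun wipe() {
        // Deliberately no "is the clip still ours?" check before wiping: on Android 10+
        // primaryClip reads back as null unless the app is in the foreground, so a
        // conditional wipe would skip exactly when the app has been backgrounded.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            clipboard.clearPrimaryClip()
        } else {
            clipboard.setPrimaryClip(ClipData.newPlainText("", ""))
        }
    }
}
```

The timer alone is the weak leg: a `Handler` callback dies with the process, so if the OS kills the app before the 10 seconds elapse (or the setting was silently reset to "never"), the secret stays in the clipboard until something else overwrites it. Wiping on lock covers that gap as long as the lock path runs; for the case where the process is killed without ever locking, a scheduled job outside the process (for example via `WorkManager`) is the remaining option, and that is an assumption about design, not something the thread describes.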

@pamperer562580892423 commented on GitHub (May 8, 2026):

BTW, could you copy & paste the full version details from your BW Android app in here / or into your OP here? (Settings --> About --> Version)


@tdbe commented on GitHub (May 8, 2026):

> BTW, could you copy & paste the full version details from your BW Android app in here / or into your OP here? (Settings --> About --> Version)

I already put it under:

> Build Version
> 2026.4.0 (21434)


@pamperer562580892423 commented on GitHub (May 8, 2026):

> > BTW, could you copy & paste the full version details from your BW Android app in here / or into your OP here? (Settings --> About --> Version)
>
> I already put it under:
>
> > Build Version
> > 2026.4.0 (21434)

I meant the complete copy & paste content from the Android app (Settings --> About --> Version). It looks like this (freshly copied & pasted from my device):

© Bitwarden Inc. 2015-2026

Version: 2026.4.0 (21434)
📱 Fairphone FP5 🤖 15@35 📦 prod
🧱 commit: bitwarden/android/release/2026.4-rc50@61955d7cbe1546a4c467284b4a5491d4f0e47afa
💻 build source: bitwarden/android/actions/runs/23952219208/attempts/1
🦀 SDK: 2.0.0-5676-14521973
🌩 Server: 2026.4.1 @ EU


@JayX83 commented on GitHub (May 9, 2026):

It’d honestly be way better if user settings were saved to the cloud so whenever we log into our account everything is already there automatically. It’s a pain in the butt having to reconfigure everything every single time after logging out. Same thing happens with other settings too, especially under "Generator" where stuff like email forwarding settings and other configs keep getting reset as well.


@pamperer562580892423 commented on GitHub (May 9, 2026):

@JayX83 As much as I also like to tackle "features" (changes, requests etc.) here on GitHub, in connection to "bugs"... please bear in mind that Bitwarden uses GitHub (the "issue" sections) only for bug reports... "feature requests" are to be discussed / created / voted on on the Bitwarden Community Forum (https://community.bitwarden.com). (and therefore are mostly ignored here... 🤷🏻‍♂️)

As it happens, there is an existing feature request for being able to "sync settings": https://community.bitwarden.com/t/sync-bitwarden-settings-like-lock-after-x-minutes-or-pin/5203

Reference: github-starred/android#116274