[GH-ISSUE #5226] Master password re-prompt does not prevent viewing of note content on Android #21491

Closed
opened 2026-04-16 22:00:17 -05:00 by GiteaMirror · 6 comments

Originally created by @GideonBear on GitHub (May 20, 2025).
Original GitHub issue: https://github.com/bitwarden/android/issues/5226

Steps To Reproduce

  1. Go to "My vault"
  2. Click on "Secure note"
  3. Click on "+"
  4. Write a title and note
  5. Click on "Additional options"
  6. Enable "Master password re-prompt"
  7. Click "Save"
  8. Click the newly created note

Expected Result

The note content to be inaccessible before the master password is re-entered, in accordance with the "Master password re-prompt" option, and consistent with the browser extension.

Actual Result

The note content is visible without re-entering the master password. The master password is only required to edit the note.

Screenshots or Videos

No response

Additional Context

https://community.bitwarden.com/t/secure-notes-visible-in-view-even-when-master-pw-is-enabled-for-editing/47825/4

I believe this is a bug and not a feature request, because:

  • The expected behavior is there on desktop
  • The current behavior is obviously harmful to privacy
  • The text "Master password re-prompt" does not convey that it is still possible to view the note, and this behavior can thus be unexpected for many users.

Even though this behavior is documented (https://bitwarden.com/help/managing-items/#protect-individual-items), not many people read this documentation.

Build Version

2025.4.0 (20100)

What server are you connecting to?

US

Self-host Server Version

No response

Environment Details

N/A

Issue Tracking Info

  • I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.
GiteaMirror added the app:password-manager and bug labels 2026-04-16 22:00:17 -05:00

@bitwarden-bot commented on GitHub (May 20, 2025):

Thank you for your report! We've added this to our internal board for review.
ID: PM-21803


@NovaSilentium commented on GitHub (May 20, 2025):

Duplicate of #5153


@NovaSilentium commented on GitHub (May 20, 2025):

Hi there!

Thank you for your report, it seems like it is a duplicate of this one https://github.com/bitwarden/android/issues/5153

If you wish to add any further information/screenshots/recordings etc., please feel free to do so at any time in there - our engineering team will be happy to review these.

This issue will now be closed.

Thanks


@GideonBear commented on GitHub (May 20, 2025):

Is it? #5153 is about the history of a hidden field being unprotected (but the hidden field is protected), my issue is about the default note field being unprotected.


@StellarGuardian commented on GitHub (May 22, 2025):

Please reopen this. It's not the same issue as #5153.
#5153 is about reprompt before accessing the password history in an item. This issue is about reprompt before accessing and viewing the item itself.

On other platforms (web app, browser extension etc.) you already have this behavior, i.e. the master password reprompt protects the entire item before you can enter it to view or edit anything.

But on the Android app the reprompt appears only when you edit the item or view hidden fields. The item and the note content, which may include sensitive data, are still accessible and visible without protection. There's no reason why the mobile version wouldn't work in a consistent way with other platforms.


@GideonBear commented on GitHub (May 22, 2025):

@StellarGuardian if this isn't re-opened within a few days I will create a new issue


Reference: github-starred/android#21491