[GH-ISSUE #631] Possible Security Hole: Entering Master Password with "Show Password" On Triggers Word Suggestions #37817

New Issue

Closed

opened 2026-04-23 15:35:03 -05:00 by GiteaMirror · 2 comments

GiteaMirror commented 2026-04-23 15:35:03 -05:00

Owner

Copy Link

Originally created by @adamsmd on GitHub (Oct 18, 2019).
Original GitHub issue: https://github.com/bitwarden/android/issues/631

When entering the master password, clicking the eye icon to show the password, changes the keyboard to include word suggestions / text prediction. (This may also apply to other places with the "show password" option.) My concern is that this might also cause the keyboard to use what the user types (in this case his or her password) to train word suggestions / text prediction.

However, I don't know enough about mobile platforms to know under what conditions the user's input is used for training, so I might wrong about this being a security hole. I would be grateful for any information about this.

I note that the code toggles the IsPassword property to control whether to show the password. The fix might be as simple as also setting IsTextPredictionEnabled to false on the text control. Though again this depends on exactly what controls whether user input is used for training word suggest / text predictions.

Tested On

• Android (Lineage) version 9
• BitWarden version 2.1.1

Steps to Reproduce:

1. Logout of BitWarden and then start BitWarden so you are on the "Verify Master Password" screen.
2. Click the "eye" icon so the password is shown.
3. Click in the text box so they on-screen keyboard appears.
4. Start typing a password.

Result

• The on-screen keyboard displays word suggestions and text completions based on the typed password.

Vulnerabilities:

1. If word suggest involves querying outside services (I don't know if this is the case), this results in sending the thus far typed password to those outside services.
2. If the typed password is used to train word suggest (I don't know if this is the case), this results in information about the password being stored in that training data.
3. If the user selects one of those suggestions and that fact is used to train word suggest (I don't know if this is the case), this results in information about the password being stored in that training data.

Originally created by @adamsmd on GitHub (Oct 18, 2019). Original GitHub issue: https://github.com/bitwarden/android/issues/631 When entering the master password, clicking the eye icon to show the password, changes the keyboard to include word suggestions / text prediction. (This may also apply to other places with the "show password" option.) My concern is that this might also cause the keyboard to use what the user types (in this case his or her password) to train word suggestions / text prediction. However, I don't know enough about mobile platforms to know under what conditions the user's input is used for training, so I might wrong about this being a security hole. I would be grateful for any information about this. I note that the code toggles the `IsPassword` property to control whether to show the password. The fix might be as simple as also setting `IsTextPredictionEnabled` to false on the text control. Though again this depends on exactly what controls whether user input is used for training word suggest / text predictions. ### Tested On - Android (Lineage) version 9 - BitWarden version 2.1.1 ### Steps to Reproduce: 1. Logout of BitWarden and then start BitWarden so you are on the "Verify Master Password" screen. 2. Click the "eye" icon so the password is shown. 3. Click in the text box so they on-screen keyboard appears. 4. Start typing a password. ### Result - The on-screen keyboard displays word suggestions and text completions based on the typed password. ### Vulnerabilities: 1. If word suggest involves querying outside services (I don't know if this is the case), this results in sending the thus far typed password to those outside services. 2. If the typed password is used to train word suggest (I don't know if this is the case), this results in information about the password being stored in that training data. 3. If the user selects one of those suggestions and that fact is used to train word suggest (I don't know if this is the case), this results in information about the password being stored in that training data.

GiteaMirror closed this issue 2026-04-23 15:35:03 -05:00

GiteaMirror commented 2026-04-23 15:35:04 -05:00

Author

Owner

Copy Link

@kspearrin commented on GitHub (Oct 20, 2019):

This is why we set the ImeOptions for all input fields in Bitwarden to NoPersonalizedLearning (i.e. incognito keyboard). Are you actually seeing learning occurring?

https://github.com/bitwarden/mobile/blob/master/src/Android/Renderers/CustomEntryRenderer.cs#L23

<!-- gh-comment-id:544210598 --> @kspearrin commented on GitHub (Oct 20, 2019): This is why we set the `ImeOptions` for all input fields in Bitwarden to `NoPersonalizedLearning` (i.e. incognito keyboard). Are you actually seeing learning occurring? https://github.com/bitwarden/mobile/blob/master/src/Android/Renderers/CustomEntryRenderer.cs#L23

GiteaMirror commented 2026-04-23 15:35:04 -05:00

Author

Owner

Copy Link

@adamsmd commented on GitHub (Oct 20, 2019):

I wasn't aware of the NoPersonalizedLearning setting. I am not actually seeing learning occurring. I am closing this issue as that setting means I was wrong about there possibly being a security hole here.

<!-- gh-comment-id:544271987 --> @adamsmd commented on GitHub (Oct 20, 2019): I wasn't aware of the `NoPersonalizedLearning` setting. I am not actually seeing learning occurring. I am closing this issue as that setting means I was wrong about there possibly being a security hole here.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

new-item-types/PM-32810_bank-account

release/hotfix-v2026.4.1-bwpm

beta-for-qa

target-sdk-37

PM-33982/build-device-screen

new-item-types/PM-32806_passport

new-item-types/PM-32808_drivers-license

BWA-99/show-next-totp

BWA-99/add-preview-next-totp-code-setting

renovate/glidecompose

sync-min-sdk

release/2026.4-rc51

fix/security-sast-22741894-bvwj

related-origin-passkey-creation

release/2026.4-rc50

platform/android-breaking-change-detection

innovation-sprint-2026-send-folder

release/2026.3-rc49

PM-34193-vault-lockout

android-collections

llm/add-resolving-sdk-updates-skill

QA-1523/sanity-test-saucelabs

release/2026.3-rc48

PM-26577-app-links-support

PM-26896-autofill-fix

release/2026.2-rc47

pr-6572

release/2026.2-rc46

release/2026.1-rc45

PM-30644/added-logs-for-debug

PM-30644/quicktile-nav-not-showing-migration

minor-gradle-updates

release/2026.1-rc42

release/2026.1-rc44

release/2026.1-rc43

PM-28834/set-landscape-on-horizonos-devices

PM-28468/validate-and-navigate-to-vault-migration

PM-20026/force-ltr-passwords-and-codes

release/2025.12-rc41

cmcg/testCoverage

PM-29014/talkback-support-for-passwords

release/2025.12-rc40

BRE-1305/publish_test

accept-user-certs

autofill-permissions

release/2025.11-rc39

PM-22479/check-all-certificates-validate-asset-links

release/2025.10-rc38

agalles/android-latest

retro-agent

PM-27001/skip-account-selection-only-one-exists-cxp

release/2025.10-rc37

agalles/test-1118

release/2025.10-rc36

PM-20593-token-refresh

QA-1126b/adding-native-sanity-test

release/2025.9-rc35

pm-25933/sdk-update-password

release/2025.9-rc34

release/2025.8-rc33

agalles/20250821-release

debug-release-issues

pm-24249-allow-automated-prs-for-sdk-updates

release/2025.8-rc32

release/WORKFLOW-TEST-2025.8-rc28

agalles/20250807release

release/2025.07-rc25

release/hotfix-v2025.7.0-bwa

pm-23311/export-vault-policy-bypass

release/2025.07-rc24

authenticator-pm-sync-flags-issue

release/hotfix-v2025.6.0-bwpm

release/2025.06-rc21

agalles/automate-android-fastlane-patch

release/2025.05-rc20

release/2025.04-rc19

languages/basque

release/2025.03-rc19

update-readme

qrcode/feature

innovation/archive/pm-19153-archive-items

qrcode/2-ui-fields

qrcode/1-page

hold-on-biometric-prompt-alternative

release-notes-process

release/2025.02-rc16

bwa-monorepo

PM-8223/new-device-verification-ux-improvements

pm-18451/exempt-from-policies

test-bwa

release/2025.01-rc15

release/2025.01-rc14

release/2024.12-rc13

pm-16670/sync-leave-notice

821

PM-16695/backport-lean-more-new-device-verification

release/hotfix-v2024.11.7

release/2024.11-rc1

pm-11304/collection-add-item-button

PM-14241/disabling-logs-app-crash

poc/offline-editing

new-version-calc

pm-11649/expired-link-services

pm-6702/add-feature-flag

pm-6702/email-verification-feature

pm-9933/marketing-copy-update

pm-6702/registration-flows

update-templates

pm-6701/email-verification-selfhost-registration

v2026.4.1-bwa

v2026.4.1-bwpm

v2026.4.0-bwa

v2026.4.0-bwpm

v2026.3.1-bwa

v2026.3.1-bwpm

v2026.3.0-bwpm

v2026.3.0-bwa

v2026.2.1-bwpm

v2026.2.1-bwa

v2026.2.0-bwpm

v2026.2.0-bwa

v2026.1.1-bwa

v2026.1.1-bwpm

temp-test

v2026.1.0-bwpm

v2026.1.0-bwa

v2025.12.1-bwa

v2025.12.1-bwpm

v2025.12.0-bwa

v2025.12.0-bwpm

v2025.11.1-bwpm

v2025.11.1-bwa

v2025.11.0-bwpm

v2025.11.0-bwa

v2025.10.1-bwa

v2025.10.1-bwpm

v2025.10.0-bwa

v2025.10.0-bwpm

v2025.9.1-bwa

v2025.9.1-bwpm

v2025.9.0-bwa

v2025.9.0-bwpm

v2025.8.1-bwa

v2025.8.1-bwpm

v2025.8.0-bwa

v2025.8.0-bwpm

v2025.7.2-bwa

v2025.7.2-bwpm

v2025.7.1-bwa

v2025.7.1-bwpm

v2025.7.0-bwa

v2025.7.0-bwpm

v2025.6.1-bwpm

v2025.6.0-bwa

v2025.6.0-bwpm

v2025.1.0-bwa

v2025.5.0-bwa

v2025.5.0-bwpm

v2025.5.999

2025.4.0

v2025.4.0

untagged-4731eaadac73f3dfbbb8

v2025.3.0

v2025.2.0

untagged-815a165c5d70ffe75bc7

v2025.1.2

v2025.1.1

v2025.1.0

v2024.12.0

untagged-5a76b6392a4c8998c63a

v2024.11.7

v2024.11.6

v2024.11.5

v2024.11.4

v2024.11.3

v2024.11.2

v2024.11.1

v2024.11.0

v2024.10.2

v2024.10.1

v2024.10.0

v2024.9.0

v2024.8.1

v2024.8.0

v2024.7.3

v2024.7.2

v2024.7.1

v2024.7.0

v2024.6.1

v2024.6.0

v2024.5.1

v2024.4.1

v2024.4.2

v2024.4.0

v2024.3.3

v2024.3.1

v2024.3.0

v2024.2.1

v2024.2.0

v2024.1.1

v2024.1.0

v2023.12.0

v2023.10.0

v2023.9.2

maui-single-project-android

v2023.9.1

v2023.9.0

v2023.8.0

v2023.7.0

v2023.5.0

v2023.4.0

v2023.3.2

v2023.3.1

v2023.3.0

v2023.2.0

v2023.1.0

v2022.11.0

v2022.10.0

v2022.9.1

v2022.9.0

v2022.8.0

v2022.6.2

v2022.6.1

v2022.6.0

v2022.05.0

v2.18.0

v2.17.0

v2.16.4

v2.16.3

v2.16.2

v2.16.1

v2.15.0

v2.14.2

v2.14.1

v2.14.0

v2.13.0

v2.12.0

v2.11.3

v2.11.2

v2.11.1

v2.11.0

v2.10.0

v2.9.1

v2.9.0

v2.8.2

v2.8.1

v2.8.0

v2.7.2

v2.7.0

v2.6.1

v2.6.0

v2.5.6

v.2.5.5

v2.5.5

v2.5.4

v2.5.3

v2.5.2

v2.5.1

v2.5.0

v2.4.3

v2.4.2

v2.4.1

v2.4.0

v2.3.1

v2.3.0

v2.2.8

v2.2.7

v2.2.6

v2.2.2

v2.2.1

v2.2.0

v2.1.2

v2.1.0

v2.0.6

v2.0.5

v2.0.4

v2.0.3

v2.0.2

v2.0.1

v2.0.0

v1.22.1

v1.22.0

v1.21.0

v1.20.0

v1.19.0

v1.18.1

v1.18.0

v1.17.0

v1.16.0

v1.15.2

v1.15.1

v1.15.0

v1.14.4

v1.14.1

v1.14.0

v1.13.0

v1.12.2

v1.12.1

v1.12.0

v1.11.1

v1.11.0

v1.10.0

v1.9.0

v1.8.1

v1.8.0

v1.7.0

v1.6.5

v1.6.1

v1.6.0

v1.5.1

v1.5.0

v1.4.4

v1.4.3

v1.4.0

v1.3.0

v1.2.1

v1.2.0

v1.1.0

v1.0.0

v0.0.6

v0.0.5

v0.0.4

v0.0.3

v0.0.2

v0.0.1

Labels

Clear labels

app:authenticator

app:password-manager

bug

bug-passkey

customer-support

duplicate

enhancement

good first issue

help wanted

needs-reply

needs-response

pull-request

Mirrored from GitHub Pull Request

question

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/android#37817