github-starred/android
2
0
Fork 0
mirror of https://github.com/bitwarden/android.git synced 2026-05-06 07:48:22 -05:00
Code Issues 1.1k Packages Projects Releases 122 Wiki Activity

[GH-ISSUE #6219] [PM-29114] VC 20967 is not enumerated by com.google.android.gms.fido.fido2.ui.hybrid.HybridAuthenticateActivity, at least when logging-in to NNGCECKBAPEBFIMNLNIIIAHKANDCLBLB_2025_11_1_0.crx's `popup/index.html?uilocation=popout#/lo… #50486

New Issue
Open
opened 2026-05-01 13:13:48 -05:00 by GiteaMirror · 11 comments
GiteaMirror commented 2026-05-01 13:13:48 -05:00
Owner
Copy Link

Originally created by @RokeJulianLockhart on GitHub (Dec 2, 2025).
Original GitHub issue: https://github.com/bitwarden/android/issues/6219

Origin

Web (Browser)

Web URL or App name

chrome-extension://nngceckbapebfimnlniiiahkandclblb/popup/index.html?uilocation=popout#/login:~:text=Log%20in%20with%20passkey

Passkey Action

  • Creating new passkey (Registration)
  • Signing in (Authentication)

Build Information

© Bitwarden Inc. 2015-2025
Version: 2025.11.0 (20967)
📱 Fairphone FP5 🤖 15@35 📦 prod
🧱 commit: bitwarden/android/release/2025.10-rc38@6d71f0c5d66a466a20e4636be438609d2703063c
💻 build source: bitwarden/android/actions/runs/19309927902/attempts/1
🦀 SDK: 1.0.0-3436-2a00b727
🌩 Server: 2025.11.1 @ US

Additional Information

In order to complete the authentication sequence that clients/issues/17779 describes (before I knew how to bypass it), I utilised versionCode=49 of com.atharok.barcodescanner to invoke the resultant FIDO:/ URI via com.atharok.barcodescanner.presentation.views.activities.BarcodeAnalysisActivity, which invoked com.google.android.gms.fido.fido2.ui.hybrid.HybridAuthenticateActivity. There, like what issues/6112 describes, com.x8bit.bitwarden was not enumerated.

To demonstrate, I've utilised what dkrivoruchko/ScreenStream/issues/337 describes:

https://github.com/user-attachments/assets/df7de006-f650-47eb-a184-51950cc2aaf9

If Flight Recorder is of any use for this, I've uploaded its logs to user-attachments/files/23887555/bitwarden_flight_recorder2971687947327785176.zip. However, because of how AChep/keyguard-app/issues/1140 demonstrates that no alternative, enumerated clients are able authenticate, I wonder whether the code itself may be at fault, somehow, too.

Issue Tracking Info

  • I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.
Originally created by @RokeJulianLockhart on GitHub (Dec 2, 2025). Original GitHub issue: https://github.com/bitwarden/android/issues/6219 ### Origin Web (Browser) ### Web URL or App name `chrome-extension://nngceckbapebfimnlniiiahkandclblb/popup/index.html?uilocation=popout#/login:~:text=Log%20in%20with%20passkey` ### Passkey Action - [ ] Creating new passkey (Registration) - [x] Signing in (Authentication) ### Build Information <blockquote> ~~~YAML © Bitwarden Inc. 2015-2025 Version: 2025.11.0 (20967) 📱 Fairphone FP5 🤖 15@35 📦 prod 🧱 commit: bitwarden/android/release/2025.10-rc38@6d71f0c5d66a466a20e4636be438609d2703063c 💻 build source: bitwarden/android/actions/runs/19309927902/attempts/1 🦀 SDK: 1.0.0-3436-2a00b727 🌩 Server: 2025.11.1 @ US ~~~ </blockquote> ### Additional Information In order to complete the authentication sequence that [`clients/issues/17779`](https://github.com/bitwarden/clients/issues/17779#issue-3686782229) describes (before I knew how to bypass it), I utilised [`versionCode=49` of `com.atharok.barcodescanner`](https://gitlab.com/Atharok/BarcodeScanner/-/releases/1.26.0#:~:text=1.26.0%2Devidences%2D16473952.json-,833d824d,-Collected%2015%20Nov) to invoke the resultant `FIDO:/` URI via `com.atharok.barcodescanner.presentation.views.activities.BarcodeAnalysisActivity`, which invoked `com.google.android.gms.fido.fido2.ui.hybrid.HybridAuthenticateActivity`. There, like what [`issues/6112`](https://github.com/bitwarden/android/issues/6112#issue-3580172369) describes, `com.x8bit.bitwarden` was not enumerated. To demonstrate, I've utilised what [`dkrivoruchko/ScreenStream/issues/337`](https://github.com/dkrivoruchko/ScreenStream/issues/337#issue-3686889960) describes: https://github.com/user-attachments/assets/df7de006-f650-47eb-a184-51950cc2aaf9 If Flight Recorder is of any use for this, I've uploaded its logs to [`user-attachments/files/23887555/bitwarden_flight_recorder2971687947327785176.zip`](https://github.com/user-attachments/files/23887555/bitwarden_flight_recorder2971687947327785176.zip). However, because of how [`AChep/keyguard-app/issues/1140`](https://github.com/AChep/keyguard-app/issues/1140#issue-3687128004) demonstrates that no alternative, enumerated clients are able authenticate, I wonder whether the code itself may be at fault, somehow, too. ### Issue Tracking Info - [x] I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.
GiteaMirror added the bug-passkeyapp:password-manager labels 2026-05-01 13:13:48 -05:00
GiteaMirror commented 2026-05-01 13:13:50 -05:00
Author
Owner
Copy Link

@bitwarden-bot commented on GitHub (Dec 2, 2025):

Thank you for your report! We've added this to our internal board for review.
ID: PM-29114

<!-- gh-comment-id:3603286311 --> @bitwarden-bot commented on GitHub (Dec 2, 2025): Thank you for your report! We've added this to our internal board for review. ID: [PM-29114](https://bitwarden.atlassian.net/browse/PM-29114) [PM-29114]: https://bitwarden.atlassian.net/browse/PM-29114?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ
GiteaMirror commented 2026-05-01 13:13:51 -05:00
Author
Owner
Copy Link

@aonjeerasak1998-lang commented on GitHub (Dec 3, 2025):

.

<!-- gh-comment-id:3607654800 --> @aonjeerasak1998-lang commented on GitHub (Dec 3, 2025): .
GiteaMirror commented 2026-05-01 13:13:51 -05:00
Author
Owner
Copy Link

@RokeJulianLockhart commented on GitHub (Dec 3, 2025):

@aonjeerasak1998-lang, was #issuecomment-3607654800 an accident?

<!-- gh-comment-id:3609197779 --> @RokeJulianLockhart commented on GitHub (Dec 3, 2025): @aonjeerasak1998-lang, was [`#issuecomment-3607654800`](https://github.com/bitwarden/android/issues/6219#issuecomment-3607654800) an accident?
GiteaMirror commented 2026-05-01 13:13:52 -05:00
Author
Owner
Copy Link

@pamperer562580892423 commented on GitHub (Dec 6, 2025):

@RokeJulianLockhart I hope this is a very specific technical bug... otherwise I would never be able to assess if it could be a bug I also experience - as only another (layman) user...

<!-- gh-comment-id:3620563074 --> @pamperer562580892423 commented on GitHub (Dec 6, 2025): @RokeJulianLockhart I hope this is a very specific technical bug... otherwise I would never be able to assess if it could be a bug I also experience - as only another (layman) user...
GiteaMirror commented 2026-05-01 13:13:54 -05:00
Author
Owner
Copy Link

@RokeJulianLockhart commented on GitHub (Dec 6, 2025):

@pamperer562580892423, have you observed the attached screencast? I ask because the problem isn't technical, but without at least this much information, it'll be nigh undiagnosable.

<!-- gh-comment-id:3621286524 --> @RokeJulianLockhart commented on GitHub (Dec 6, 2025): @pamperer562580892423, have you observed the attached screencast? I ask because the *problem* isn't technical, but without at least this much information, it'll be nigh undiagnosable.
GiteaMirror commented 2026-05-01 13:13:56 -05:00
Author
Owner
Copy Link

@pamperer562580892423 commented on GitHub (Dec 6, 2025):

@RokeJulianLockhart All good... Sorry, I should have added some kind of smiley... I saw the screencast, but without the complete context (and yes, I saw you referenced the other or related issue), I don't get the problem completely. Anyway, not important.

I think what I really wanted to say: I think you could think of making the title and general description of your issues a bit easier to understand for everyone (at least for those issues, that regular users also could experience - and that other regular BW users may search here on GitHub - and may join, to also avoid making "duplicate" issues...). And then, add all technical details you want in the section "Additional Information/Context", so that BW still gets all the information you gathered.

But I can't tell you anything, so do as it fits you best. 👍

<!-- gh-comment-id:3621298233 --> @pamperer562580892423 commented on GitHub (Dec 6, 2025): @RokeJulianLockhart All good... Sorry, I should have added some kind of smiley... I saw the screencast, but without the complete context (and yes, I saw you referenced the other or related issue), I don't get the problem completely. Anyway, not important. I think what I really wanted to say: I think you could think of making the title and general description of your issues a bit easier to understand for everyone (at least for those issues, that regular users also could experience - and that other regular BW users may search here on GitHub - and may join, to also avoid making "duplicate" issues...). And then, add all technical details you want in the section "Additional Information/Context", so that BW still gets all the information you gathered. But I can't tell you anything, so do as it fits you best. 👍
GiteaMirror commented 2026-05-01 13:13:58 -05:00
Author
Owner
Copy Link

@RokeJulianLockhart commented on GitHub (Dec 7, 2025):

@pamperer562580892423, I am, unfortunately, limited to 256 characters for issue titles, 1 so they're occasionally cryptic, to ensure that I don't inaccurately generalise:

  1. I could write “vesionCode=20967”, instead of “VC 20967”. However, that's an extra few characters.

  2. I could utilise the versionName, in its stead. However, that's less specific.

  3. The cited rDNS activity identifiers do not expose language-specific names.

<!-- gh-comment-id:3621385051 --> @RokeJulianLockhart commented on GitHub (Dec 7, 2025): @pamperer562580892423, I am, unfortunately, limited to 256 characters for issue titles, [^1] so they're occasionally cryptic, to ensure that I don't inaccurately generalise: 1. I could write “`vesionCode=20967`”, instead of “VC 20967”. However, that's an extra few characters. 1. I could utilise the `versionName`, in its stead. However, that's less specific. 1. The cited rDNS activity identifiers do not expose language-specific names. [^1]: [`dead-claudia/github-limits/blob/819503596cdce41c61fcfac03315a60d507ca762/README.md?plain=1#L109`](https://github.com/dead-claudia/github-limits/blob/819503596cdce41c61fcfac03315a60d507ca762/README.md?plain=1#L109C3-L109C29:~:text=Max%20length:%20256%20characters)
GiteaMirror commented 2026-05-01 13:14:01 -05:00
Author
Owner
Copy Link

@pamperer562580892423 commented on GitHub (Dec 7, 2025):

@RokeJulianLockhart

I am, unfortunately, limited to 256 characters for issue titles, 1 so they're occasionally cryptic, to ensure that I don't inaccurately generalise:

Ah, Sorry, I didn't know it was impossible to choose a simple sentence as a title and put that accurate title into the description...

<!-- gh-comment-id:3621792228 --> @pamperer562580892423 commented on GitHub (Dec 7, 2025): @RokeJulianLockhart > I am, unfortunately, limited to 256 characters for issue titles, [1](https://github.com/bitwarden/android/issues/6219#user-content-fn-1-e46ceb8fdd3de1273ab5bc954e18f393) so they're occasionally cryptic, to ensure that I don't inaccurately generalise: Ah, Sorry, I didn't know it was impossible to choose a simple sentence as a title and put that accurate title into the description...
GiteaMirror commented 2026-05-01 13:14:02 -05:00
Author
Owner
Copy Link

@RokeJulianLockhart commented on GitHub (Dec 7, 2025):

@pamperer562580892423, I don't understand what you're telling me. Was that intended to be passive-aggressive sarcasm? I sincerely hope not.

<!-- gh-comment-id:3622106189 --> @RokeJulianLockhart commented on GitHub (Dec 7, 2025): @pamperer562580892423, I don't understand what you're telling me. Was that intended to be passive-aggressive sarcasm? I sincerely hope not.
GiteaMirror commented 2026-05-01 13:14:04 -05:00
Author
Owner
Copy Link

@pamperer562580892423 commented on GitHub (Dec 7, 2025):

@pamperer562580892423, I don't understand what you're telling me. Was that intended to be passive-aggressive sarcasm? I sincerely hope not.

@RokeJulianLockhart No, Sorry, it was meant as humorous, and certainly neither aggressive nor passive-aggressive. - Seems it's not my weekend, anyway. So, please ignore my remarks entirely.

<!-- gh-comment-id:3622297476 --> @pamperer562580892423 commented on GitHub (Dec 7, 2025): > @pamperer562580892423, I don't understand what you're telling me. Was that intended to be passive-aggressive sarcasm? I sincerely hope not. @RokeJulianLockhart No, Sorry, it was meant as humorous, and certainly neither aggressive nor passive-aggressive. - Seems it's not my weekend, anyway. So, please ignore my remarks entirely.
GiteaMirror commented 2026-05-01 13:14:05 -05:00
Author
Owner
Copy Link

@RokeJulianLockhart commented on GitHub (Dec 7, 2025):

@pamperer562580892423, no worries, and apologies too. ‘T hasn’t been my weekend either.

<!-- gh-comment-id:3622484292 --> @RokeJulianLockhart commented on GitHub (Dec 7, 2025): @pamperer562580892423, no worries, and apologies too. ‘T hasn’t been my weekend either.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
app:authenticator
app:password-manager
bug
bug-passkey
customer-support
duplicate
enhancement
good first issue
help wanted
needs-reply
needs-response
pull-request
Mirrored from GitHub Pull Request
 question
No Label app:password-manager bug-passkey
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/android#50486
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?