mirror of
https://github.com/bitwarden/android.git
synced 2026-06-10 00:28:29 -05:00
[GH-ISSUE #6263] [BWA-212] Account Removed from Linked Bitwarden App Still Shows Entries In Authenticator #50496
Closed
opened 2026-05-01 13:15:11 -05:00 by GiteaMirror
8 comments
Originally created by @PXAbstraction on GitHub (Dec 12, 2025).
Original GitHub issue: https://github.com/bitwarden/android/issues/6263
Steps To Reproduce
Expected Result
That the MFA codes from the removed linked account would be gone.
Actual Result
The MFA codes from the removed linked account are still present. I also don't appear to be able to remove the linked account without resetting the Authenticator app entirely.
Screenshots or Videos
No response
Additional Context
This is a major security flaw in the Authenticator application.
I have my own Bitwarden account and also had another Bitwarden Enterprise account linked from an employer I am no longer at. I was locked out of that account and removed it from the main app, however ALL of the linked MFA tokens still appear in Authenticator and I also can't delete them. It seems the only way to do that is to reset the app entirely. I can and will do that, however if I were a bad actor who had some of the passwords linked to these tokens, I could still use them to log in to accounts I shouldn't.
I don't understand how a flaw like this got through QA, but Authenticator MUST check for linked account removals and pull their data.
Build Version
2025.11.1
What server are you connecting to?
EU
Self-host Server Version
No response
Environment Details
Pixel 9
Android 16 (Build number BP3A.251105.015)
Issue Tracking Info
@bitwarden-bot commented on GitHub (Dec 12, 2025):
Thank you for your report! We've added this to our internal board for review.
ID: BWA-212
@Neonwarden commented on GitHub (Dec 12, 2025):
Hi there,
This issue has been escalated for further investigation. If you have more information that can help us, please add it below.
Thanks!
@PXAbstraction commented on GitHub (Dec 12, 2025):
Is there anything else beyond what I've reported above that could be helpful? I'm happy to provide whatever can assist.
@pamperer562580892423 commented on GitHub (Dec 14, 2025):
Hmmm... I cannot quite reproduce this.
When I follow your steps, i.e. removing the login item in the Android BW mobile app (2025.12.0), then the authenticator app (2025.11.1) updates the "synced items". - But when I remove the login item in e.g. the web vault, and then open the authenticator app, then it still shows the synced (but deleted) login item.
However, as soon as I unlock the mobile app (with the syncing account), then the authenticator app gets updated and doesn't show the deleted login item.
I now deleted a test item in the web vault, will try not to open the Android mobile app, and if I remember it tomorrow, I'll report back if the authenticator app then still shows the synced but deleted login item...
Update: So, just about 8 hours later, the synced but deleted login item is indeed still shown in the authenticator app (I didn't unlock the "syncing" account on the mobile app since I deleted the login item via the web vault). - And I think, I could imagine now, that if I would delete that account in the mobile app, that it could be that the authenticator app shows the synced codes forever... Hmm, though, I just logged out with that account on the mobile app (without unlocking it), and the authenticator app now doesn't show me the synced codes anymore at all.
@PXAbstraction commented on GitHub (Dec 14, 2025):
Hey there.
So, I should clarify because I think I wasn't clear enough. My report didn't concern removing an individual item from a linked Bitwarden app and having it stick around in Authenticator. My issue was that when you remove an entire account from a linked app, everything from that account stays put in the Authenticator app and can't be removed. So, way worse than a single credential. :)
Hope this helps.
@pamperer562580892423 commented on GitHub (Dec 14, 2025):
@PXAbstraction:
Where did you remove it exactly?
And how did you remove it?
And is this account still shown "there"?
@PXAbstraction commented on GitHub (Dec 14, 2025):
So, I just did some more testing and I think this is now a non-issue. I don't know why, but when I launched the main Bitwarden app, my former employer's account was back. I removed it, closed and relaunched the app and it was there again. I then cleared all the app data, logged in with only my personal account and now the corporate account is completely gone and the MFA tokens from it are no longer showing in the Authenticator app.
Not sure what happened there, but it seems to have resolved it. I'm guessing it was something that glitched on my device as no one else has reported this issue with accounts reappearing. So I think it's all good now.
Thanks for your help.
@pamperer562580892423 commented on GitHub (Dec 14, 2025):
@Neonwarden Though this is resolved now for OP, I think the authenticator app only syncing data when the mobile password manager app gets unlocked is at least "unfortunate" - if not a bug. (as the synced authenticator doesn't get "updated" automatically when one does make changes in their vault on other BW clients - but the mobile app should sync automatically with these changes and therefore update the syncing data on the authenticator app as well, I think)
(also see my previous post above for more details on that)