mirror of
https://github.com/bitwarden/android.git
synced 2026-03-11 20:54:58 -05:00
Bypass Password through Persistent Notification #620
Closed
opened 2025-11-26 22:23:47 -06:00 by GiteaMirror
·
16 comments
No Branch/Tag Specified
main
fix/PM-33394-throwable-extensions
fix/PM-33394-sync-unlock-error
sdlc/sdk-update
PM-24380/flight-recorder-redact-hostname
release/2026.3-rc48
claude/android-implementer-agent
PM-26577-app-links-support
PM-26896-autofill-fix
renovate/lock-file-maintenance
release/2026.2-rc47
PM-32714/fallback-to-web-vault-host
pr-6572
PM-28834/setting-app-layout-horizonos
vvolkgang/process-release-notes-v2
release/2026.2-rc46
release/2026.1-rc45
PM-30644/added-logs-for-debug
PM-30644/quicktile-nav-not-showing-migration
minor-gradle-updates
release/2026.1-rc42
release/2026.1-rc44
release/2026.1-rc43
PM-28834/set-landscape-on-horizonos-devices
context-rules
devclarity/update-code-review-command
PM-20026/force-ltr-passwords-and-codes
release/2025.12-rc41
cmcg/testCoverage
claude-skill/creating-feature-flags
PM-29014/talkback-support-for-passwords
release/2025.12-rc40
BRE-1305/publish_test
accept-user-certs
autofill-permissions
release/2025.11-rc39
PM-22479/check-all-certificates-validate-asset-links
release/2025.10-rc38
agalles/android-latest
optimize-test-workflows
tier2-test-sharding
retro-agent
PM-27001/skip-account-selection-only-one-exists-cxp
release/2025.10-rc37
agalles/test-1118
release/2025.10-rc36
PM-20593-token-refresh
QA-1126b/adding-native-sanity-test
release/2025.9-rc35
pm-25933/sdk-update-password
release/2025.9-rc34
release/2025.8-rc33
agalles/20250821-release
debug-release-issues
pm-24249-allow-automated-prs-for-sdk-updates
release/2025.8-rc32
release/WORKFLOW-TEST-2025.8-rc28
agalles/20250807release
release/2025.07-rc25
release/hotfix-v2025.7.0-bwa
pm-23311/export-vault-policy-bypass
release/2025.07-rc24
authenticator-pm-sync-flags-issue
ps/implement-sdk-repository-example
release/hotfix-v2025.6.0-bwpm
release/2025.06-rc21
agalles/automate-android-fastlane-patch
release/2025.05-rc20
release/2025.04-rc19
languages/basque
release/2025.03-rc19
update-readme
qrcode/feature
innovation/archive/pm-19153-archive-items
qrcode/2-ui-fields
qrcode/1-page
hold-on-biometric-prompt-alternative
release-notes-process
release/2025.02-rc16
bwa-monorepo
PM-8223/new-device-verification-ux-improvements
pm-18451/exempt-from-policies
test-bwa
cs-workaround-linked-0-copy
release/2025.01-rc15
release/2025.01-rc14
release/2024.12-rc13
pm-16670/sync-leave-notice
821
PM-16695/backport-lean-more-new-device-verification
km/15084-testing
release/hotfix-v2024.11.7
release/2024.11-rc1
pm-11304/collection-add-item-button
PM-14241/disabling-logs-app-crash
poc/offline-editing
new-version-calc
pm-11649/expired-link-services
pm-6702/add-feature-flag
pm-6702/email-verification-feature
pm-9933/marketing-copy-update
pm-6702/registration-flows
update-templates
pm-6701/email-verification-selfhost-registration
v2026.2.1-bwpm
v2026.2.1-bwa
v2026.2.0-bwpm
v2026.2.0-bwa
v2026.1.1-bwa
v2026.1.1-bwpm
temp-test
v2026.1.0-bwpm
v2026.1.0-bwa
v2025.12.1-bwa
v2025.12.1-bwpm
v2025.12.0-bwa
v2025.12.0-bwpm
v2025.11.1-bwpm
v2025.11.1-bwa
v2025.11.0-bwpm
v2025.11.0-bwa
v2025.10.1-bwa
v2025.10.1-bwpm
v2025.10.0-bwa
v2025.10.0-bwpm
v2025.9.1-bwa
v2025.9.1-bwpm
v2025.9.0-bwa
v2025.9.0-bwpm
v2025.8.1-bwa
v2025.8.1-bwpm
v2025.8.0-bwa
v2025.8.0-bwpm
v2025.7.2-bwa
v2025.7.2-bwpm
v2025.7.1-bwa
v2025.7.1-bwpm
v2025.7.0-bwa
v2025.7.0-bwpm
v2025.6.1-bwpm
v2025.6.0-bwa
v2025.6.0-bwpm
v2025.1.0-bwa
v2025.5.0-bwa
v2025.5.0-bwpm
v2025.5.999
2025.4.0
v2025.4.0
untagged-4731eaadac73f3dfbbb8
v2025.3.0
v2025.2.0
untagged-815a165c5d70ffe75bc7
v2025.1.2
v2025.1.1
v2025.1.0
v2024.12.0
untagged-5a76b6392a4c8998c63a
v2024.11.7
v2024.11.6
v2024.11.5
v2024.11.4
v2024.11.3
v2024.11.2
v2024.11.1
v2024.11.0
v2024.10.2
v2024.10.1
v2024.10.0
v2024.9.0
v2024.8.1
v2024.8.0
v2024.7.3
v2024.7.2
v2024.7.1
v2024.7.0
v2024.6.1
v2024.6.0
v2024.5.1
v2024.4.1
v2024.4.2
v2024.4.0
v2024.3.3
v2024.3.1
v2024.3.0
v2024.2.1
v2024.2.0
v2024.1.1
v2024.1.0
v2023.12.0
v2023.10.0
v2023.9.2
maui-single-project-android
v2023.9.1
v2023.9.0
v2023.8.0
v2023.7.0
v2023.5.0
v2023.4.0
v2023.3.2
v2023.3.1
v2023.3.0
v2023.2.0
v2023.1.0
v2022.11.0
v2022.10.0
v2022.9.1
v2022.9.0
v2022.8.0
v2022.6.2
v2022.6.1
v2022.6.0
v2022.05.0
v2.18.0
v2.17.0
v2.16.4
v2.16.3
v2.16.2
v2.16.1
v2.15.0
v2.14.2
v2.14.1
v2.14.0
v2.13.0
v2.12.0
v2.11.3
v2.11.2
v2.11.1
v2.11.0
v2.10.0
v2.9.1
v2.9.0
v2.8.2
v2.8.1
v2.8.0
v2.7.2
v2.7.0
v2.6.1
v2.6.0
v2.5.6
v.2.5.5
v2.5.5
v2.5.4
v2.5.3
v2.5.2
v2.5.1
v2.5.0
v2.4.3
v2.4.2
v2.4.1
v2.4.0
v2.3.1
v2.3.0
v2.2.8
v2.2.7
v2.2.6
v2.2.2
v2.2.1
v2.2.0
v2.1.2
v2.1.0
v2.0.6
v2.0.5
v2.0.4
v2.0.3
v2.0.2
v2.0.1
v2.0.0
v1.22.1
v1.22.0
v1.21.0
v1.20.0
v1.19.0
v1.18.1
v1.18.0
v1.17.0
v1.16.0
v1.15.2
v1.15.1
v1.15.0
v1.14.4
v1.14.1
v1.14.0
v1.13.0
v1.12.2
v1.12.1
v1.12.0
v1.11.1
v1.11.0
v1.10.0
v1.9.0
v1.8.1
v1.8.0
v1.7.0
v1.6.5
v1.6.1
v1.6.0
v1.5.1
v1.5.0
v1.4.4
v1.4.3
v1.4.0
v1.3.0
v1.2.1
v1.2.0
v1.1.0
v1.0.0
v0.0.6
v0.0.5
v0.0.4
v0.0.3
v0.0.2
v0.0.1
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
No Assignees
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: github-starred/android#620
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @ghost on GitHub (Jul 15, 2018).
If I double tap on the persistent notification for autofilling, I am able to access all my stored details without needing my password.
I'm using a Pixel running Android 8.1.0
@kspearrin commented on GitHub (Jul 15, 2018):
Hi,
I tried reproducing this and was not successful. What is your lock option set to?
@ghost commented on GitHub (Jul 15, 2018):
Lock after 1 minute, using my full password and not a pin, and the persist notification.
@mesarth commented on GitHub (Jul 16, 2018):
I can reproduce this issue on my device with Android 8.1.0, persistent notification, lock after 15 minutes and fingerprint.
@kspearrin commented on GitHub (Jul 16, 2018):
I was able to reproduce it with password and PIN. looking into a fix.
@kspearrin commented on GitHub (Jul 16, 2018):
Can you try the latest beta on google play (1.17.2) for a possible fix. I block spam clicking the notification now. https://play.google.com/apps/testing/com.x8bit.bitwarden
@mesarth commented on GitHub (Jul 16, 2018):
Still works with the latest beta 1.17.2
@kspearrin commented on GitHub (Jul 16, 2018):
@Tobirexy You probably don't have the latest beta. I literally just published it so it takes a bit to roll out. It should be build number 1479
@kspearrin commented on GitHub (Jul 16, 2018):
Could also download the raw APK from here if you want to test: https://ci.appveyor.com/project/bitwarden/mobile/build/artifacts
@mesarth commented on GitHub (Jul 16, 2018):
Just tested again. Still works with build number 1479.
@mesarth commented on GitHub (Jul 16, 2018):
I tested it with fingerprint.
@ghost commented on GitHub (Jul 17, 2018):
Tested on build number 1479, the bug still remains for me
@ghost commented on GitHub (Jul 17, 2018):
Bug also works after restarting my device without having unlocked Bitwarden yet in the session (both on beta and stable builds), concerning that it can acccess my logins without a password (I thought they'd be encrypted locally as well)
@kspearrin commented on GitHub (Jul 17, 2018):
Can you try 1480 for another possible fix?
@xHippoCrit On Android your key is stored in the Android Keystore, so it is not required to be entered to decrypt data like in other apps without protected storage.
@ghost commented on GitHub (Jul 17, 2018):
Build 1480 appears to fix it for me.
@kspearrin Thanks for the explanation, it's reassuring
@mesarth commented on GitHub (Jul 17, 2018):
Build 1480 fixed the issue for me too
@kspearrin commented on GitHub (Jul 17, 2018):
Thanks all.