[GH-ISSUE #2255] Possible security issue on Bitwarden APP #7574

Closed
opened 2026-04-11 00:12:08 -05:00 by GiteaMirror · 4 comments

Originally created by @Frankjaro on GitHub (Dec 15, 2022).
Original GitHub issue: https://github.com/bitwarden/android/issues/2255

Originally assigned to: @mpbw2 on GitHub.

Steps To Reproduce

Smartphone used: S22 plus
Last OS and security patches installed
Unlock method used to unlock the phone and Bitwarden: biometric authentication

Steps:
A) Set the "timeout vault" options as LOCK and IMMEDIATELY

  1. Open Secure Note
  2. Create a new secure note
  3. I named the secure note TEST and saved it
  4. I opened the test note
  5. I clicked on Modify
  6. I clicked the 3 dots on the upper right side of the note and clicked: Attachments
  7. A warning tells that you need to be a premium user
  8. Click OK on the warning window
  9. Click the Select a file option
  10. A pop up window opens up and I selected the FILE icon
  11. I chose a pdf file
  12. Click the Save button on the upper right side of the phone.
  13. Pop up message: "ERROR. You must be a premium user pops up"
  14. Click OK
  15. Now just exit Bitwarden by clicking the Android button on the screen to put the app in the background.
  16. Reopen the app by picking it among the apps in the background

Expected Result

If I try to reopen the app by picking it among the apps in the background, it should be locked according to step A

Actual Result

When I reopen the app, it is unlocked on the screen I left, waiting for me to upload a file thus failing the settings in the step A.

This behaviour also happens occasionally if I open a "login" file and click on modify. If I "exit" the app (while the Login file is on "modify") by parking it in the background and reopen it, sometimes it is not locked.

Screenshots or Videos

No response

Additional Context

No response

Operating System

Android

Operating System Version

Android 13

Web Browser

Chrome

Browser Version

I am not talking about the browser but the Bitwarden app itself!!!

Build Version

I am not talking about the browser but the Bitwarden app itself!!!

Issue Tracking Info

  • I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.
GiteaMirror added the bug label 2026-04-11 00:12:08 -05:00

@cksapp commented on GitHub (Jan 21, 2023):

Can confirm this also happens with notes, logins, etc when attempting to add an attachment.

After selecting "Choose File" to upload an attachment, the app fails to honour the Vault timeout setting of Immediately, even when swiping the app away from background tasks.
Reopening the Bitwarden app leads to still being unlocked, though it seems shortly after relaunching it requires authentication again.


@mhombach commented on GitHub (Apr 29, 2023):

This is a security risk which has now been open for more than 4 months, can someone have a look into this asap?


@mpbw2 commented on GitHub (Jul 3, 2023):

Re-opening as we're not seeing consistent results with the fix


@vvolkgang commented on GitHub (Jun 20, 2024):

Issue migrated to https://github.com/bitwarden/mobile/issues/2255


Reference: github-starred/android#7574