Issue: Associating apps with Auto-fill can accidentally override synced logins. #934

New Issue

Closed

opened 2025-11-26 22:34:23 -06:00 by GiteaMirror · 2 comments

GiteaMirror commented 2025-11-26 22:34:23 -06:00

Owner

Copy Link

Originally created by @jerieljan on GitHub (Feb 25, 2020).

Due to unfortunate sync timings or poor connectivity, it’s possible to have older cached credentials replace newer synced credentials with the outdated save, because of the “Yes and Save” option in Bitwarden’s Auto-fill. (See the scenario I wrote below)

Wouldn’t it be better if the auto-fill service synced first and checked if the logins have updated before actually saving a new URI with the old login details?

Consider this scenario:

1. I signed up on Service A with a username and password combo and saved it in Bitwarden on Desktop Firefox (let’s call this V1)
2. I chose to open Service A on Android via a browser, opened Bitwarden and forced a sync to copy-paste the V1 credentials.
3. After using Service A on Desktop Firefox for a while, I chose to enable Service A’s OTP and applied it to my saved credentials. I also added a custom field to store extra details (let’s call this V2).
4. A few hours later, I tried downloading the Android app for Service A. At this point, V1 is still in the phone and sync hasn’t kicked in yet.
5. I used Bitwarden’s auto-fill to login. It prompts me if I should associate the app to the credentials and chose “Yes and Save”. (And thus, a new version V3 is created)

Unfortunately, this has the effect of V1 being replaced by V3, with just V1 details and the URI for the app. The V2 details were replaced, likely because V3 appeared newer.

6. Worse, sync kicks in after a while and V3 replaces V2 entirely. I’m locked out of my own account for Service A.

Originally created by @jerieljan on GitHub (Feb 25, 2020). Due to unfortunate sync timings or poor connectivity, it’s possible to have older cached credentials replace newer synced credentials with the outdated save, because of the “Yes and Save” option in Bitwarden’s Auto-fill. (See the scenario I wrote below) *Wouldn’t it be better if the auto-fill service synced first and checked if the logins have updated before actually saving a new URI with the old login details?* Consider this scenario: 1. I signed up on Service A with a username and password combo and saved it in Bitwarden on Desktop Firefox (let’s call this **V1**) 2. I chose to open Service A on Android via a browser, opened Bitwarden and forced a sync to copy-paste the V1 credentials. 3. After using Service A on Desktop Firefox for a while, I chose to enable Service A’s OTP and applied it to my saved credentials. I also added a custom field to store extra details (let’s call this **V2**). 4. A few hours later, I tried downloading the Android app for Service A. At this point, V1 is still in the phone and sync hasn’t kicked in yet. 5. I used Bitwarden’s auto-fill to login. It prompts me if I should associate the app to the credentials and chose “Yes and Save”. (And thus, a new version **V3** is created) Unfortunately, this has the effect of V1 being replaced by V3, with just V1 details and the URI for the app. *The V2 details were replaced, likely because V3 appeared newer.* 6. Worse, sync kicks in after a while and V3 replaces V2 entirely. I’m locked out of my own account for Service A.

GiteaMirror closed this issue 2025-11-26 22:34:23 -06:00

GiteaMirror commented 2025-11-26 22:34:24 -06:00

Author

Owner

Copy Link

@nathanmerrill commented on GitHub (Mar 3, 2020):

+1 from me. I just lost my 2FA details due to this bug.

@nathanmerrill commented on GitHub (Mar 3, 2020): +1 from me. I just lost my 2FA details due to this bug.

GiteaMirror commented 2025-11-26 22:34:24 -06:00

Author

Owner

Copy Link

@vvolkgang commented on GitHub (Jun 20, 2024):

Issue migrated to https://github.com/bitwarden/mobile/issues/740

@vvolkgang commented on GitHub (Jun 20, 2024): Issue migrated to https://github.com/bitwarden/mobile/issues/740

GiteaMirror referenced this issue 2025-11-26 23:22:28 -06:00

[PR #934] [CLOSED] Migrating ListView to CollectionView #2671

GiteaMirror referenced this issue 2025-11-26 23:24:18 -06:00

[PR #1231] [CLOSED] CollectionView migration #2802

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

android-collections

PM-29829/duplicate-items-created-scanning-qrcode

sdlc/sdk-update

PM-25654-preview-attachment

cx/android-architect-agent

PM-30130-remove-archive-feature-flag

premium-upgrade/PM-33510-billing-manager

llm/add-resolving-sdk-updates-skill

premium-upgrade/PM-33509-billing-repository

QA-1523/sanity-test-saucelabs

release/2026.3-rc48

PM-24380/flight-recorder-redact-hostname

PM-26577-app-links-support

PM-26896-autofill-fix

release/2026.2-rc47

PM-32714/fallback-to-web-vault-host

pr-6572

PM-28834/setting-app-layout-horizonos

release/2026.2-rc46

release/2026.1-rc45

PM-30644/added-logs-for-debug

PM-30644/quicktile-nav-not-showing-migration

minor-gradle-updates

release/2026.1-rc42

release/2026.1-rc44

release/2026.1-rc43

PM-28834/set-landscape-on-horizonos-devices

context-rules

devclarity/update-code-review-command

PM-20026/force-ltr-passwords-and-codes

release/2025.12-rc41

cmcg/testCoverage

PM-29014/talkback-support-for-passwords

release/2025.12-rc40

BRE-1305/publish_test

accept-user-certs

autofill-permissions

release/2025.11-rc39

PM-22479/check-all-certificates-validate-asset-links

release/2025.10-rc38

agalles/android-latest

optimize-test-workflows

tier2-test-sharding

retro-agent

PM-27001/skip-account-selection-only-one-exists-cxp

release/2025.10-rc37

agalles/test-1118

release/2025.10-rc36

PM-20593-token-refresh

QA-1126b/adding-native-sanity-test

release/2025.9-rc35

pm-25933/sdk-update-password

release/2025.9-rc34

release/2025.8-rc33

agalles/20250821-release

debug-release-issues

pm-24249-allow-automated-prs-for-sdk-updates

release/2025.8-rc32

release/WORKFLOW-TEST-2025.8-rc28

agalles/20250807release

release/2025.07-rc25

release/hotfix-v2025.7.0-bwa

pm-23311/export-vault-policy-bypass

release/2025.07-rc24

authenticator-pm-sync-flags-issue

ps/implement-sdk-repository-example

release/hotfix-v2025.6.0-bwpm

release/2025.06-rc21

agalles/automate-android-fastlane-patch

release/2025.05-rc20

release/2025.04-rc19

languages/basque

release/2025.03-rc19

update-readme

qrcode/feature

innovation/archive/pm-19153-archive-items

qrcode/2-ui-fields

qrcode/1-page

hold-on-biometric-prompt-alternative

release-notes-process

release/2025.02-rc16

bwa-monorepo

PM-8223/new-device-verification-ux-improvements

pm-18451/exempt-from-policies

test-bwa

cs-workaround-linked-0-copy

release/2025.01-rc15

release/2025.01-rc14

release/2024.12-rc13

pm-16670/sync-leave-notice

821

PM-16695/backport-lean-more-new-device-verification

km/15084-testing

release/hotfix-v2024.11.7

release/2024.11-rc1

pm-11304/collection-add-item-button

PM-14241/disabling-logs-app-crash

poc/offline-editing

new-version-calc

pm-11649/expired-link-services

pm-6702/add-feature-flag

pm-6702/email-verification-feature

pm-9933/marketing-copy-update

pm-6702/registration-flows

update-templates

pm-6701/email-verification-selfhost-registration

v2026.2.1-bwpm

v2026.2.1-bwa

v2026.2.0-bwpm

v2026.2.0-bwa

v2026.1.1-bwa

v2026.1.1-bwpm

temp-test

v2026.1.0-bwpm

v2026.1.0-bwa

v2025.12.1-bwa

v2025.12.1-bwpm

v2025.12.0-bwa

v2025.12.0-bwpm

v2025.11.1-bwpm

v2025.11.1-bwa

v2025.11.0-bwpm

v2025.11.0-bwa

v2025.10.1-bwa

v2025.10.1-bwpm

v2025.10.0-bwa

v2025.10.0-bwpm

v2025.9.1-bwa

v2025.9.1-bwpm

v2025.9.0-bwa

v2025.9.0-bwpm

v2025.8.1-bwa

v2025.8.1-bwpm

v2025.8.0-bwa

v2025.8.0-bwpm

v2025.7.2-bwa

v2025.7.2-bwpm

v2025.7.1-bwa

v2025.7.1-bwpm

v2025.7.0-bwa

v2025.7.0-bwpm

v2025.6.1-bwpm

v2025.6.0-bwa

v2025.6.0-bwpm

v2025.1.0-bwa

v2025.5.0-bwa

v2025.5.0-bwpm

v2025.5.999

2025.4.0

v2025.4.0

untagged-4731eaadac73f3dfbbb8

v2025.3.0

v2025.2.0

untagged-815a165c5d70ffe75bc7

v2025.1.2

v2025.1.1

v2025.1.0

v2024.12.0

untagged-5a76b6392a4c8998c63a

v2024.11.7

v2024.11.6

v2024.11.5

v2024.11.4

v2024.11.3

v2024.11.2

v2024.11.1

v2024.11.0

v2024.10.2

v2024.10.1

v2024.10.0

v2024.9.0

v2024.8.1

v2024.8.0

v2024.7.3

v2024.7.2

v2024.7.1

v2024.7.0

v2024.6.1

v2024.6.0

v2024.5.1

v2024.4.1

v2024.4.2

v2024.4.0

v2024.3.3

v2024.3.1

v2024.3.0

v2024.2.1

v2024.2.0

v2024.1.1

v2024.1.0

v2023.12.0

v2023.10.0

v2023.9.2

maui-single-project-android

v2023.9.1

v2023.9.0

v2023.8.0

v2023.7.0

v2023.5.0

v2023.4.0

v2023.3.2

v2023.3.1

v2023.3.0

v2023.2.0

v2023.1.0

v2022.11.0

v2022.10.0

v2022.9.1

v2022.9.0

v2022.8.0

v2022.6.2

v2022.6.1

v2022.6.0

v2022.05.0

v2.18.0

v2.17.0

v2.16.4

v2.16.3

v2.16.2

v2.16.1

v2.15.0

v2.14.2

v2.14.1

v2.14.0

v2.13.0

v2.12.0

v2.11.3

v2.11.2

v2.11.1

v2.11.0

v2.10.0

v2.9.1

v2.9.0

v2.8.2

v2.8.1

v2.8.0

v2.7.2

v2.7.0

v2.6.1

v2.6.0

v2.5.6

v.2.5.5

v2.5.5

v2.5.4

v2.5.3

v2.5.2

v2.5.1

v2.5.0

v2.4.3

v2.4.2

v2.4.1

v2.4.0

v2.3.1

v2.3.0

v2.2.8

v2.2.7

v2.2.6

v2.2.2

v2.2.1

v2.2.0

v2.1.2

v2.1.0

v2.0.6

v2.0.5

v2.0.4

v2.0.3

v2.0.2

v2.0.1

v2.0.0

v1.22.1

v1.22.0

v1.21.0

v1.20.0

v1.19.0

v1.18.1

v1.18.0

v1.17.0

v1.16.0

v1.15.2

v1.15.1

v1.15.0

v1.14.4

v1.14.1

v1.14.0

v1.13.0

v1.12.2

v1.12.1

v1.12.0

v1.11.1

v1.11.0

v1.10.0

v1.9.0

v1.8.1

v1.8.0

v1.7.0

v1.6.5

v1.6.1

v1.6.0

v1.5.1

v1.5.0

v1.4.4

v1.4.3

v1.4.0

v1.3.0

v1.2.1

v1.2.0

v1.1.0

v1.0.0

v0.0.6

v0.0.5

v0.0.4

v0.0.3

v0.0.2

v0.0.1

Labels

Clear labels

app:authenticator

app:password-manager

bug

bug-passkey

customer-support

duplicate

enhancement

good first issue

help wanted

needs-reply

needs-response

pull-request

Mirrored from GitHub Pull Request

question

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/android#934