
Password History is not locked behind master password, so all passwords can be viewed without the master password #9089

Open
hammzj opened this issue May 8, 2024 · 3 comments
Labels
browser Browser Extension bug

Comments

hammzj commented May 8, 2024

Steps To Reproduce

  1. Create a new Login item with a password
  2. Enable "Master Password re-prompt"
  3. Change the password a few times
  4. Close the vault
  5. Reopen the vault
  6. Open the Login item but do not give Master Password
  7. Click on the number by "Password history" at the bottom

Expected Result

The "Master Password" prompt should be displayed and the history locked behind it

Actual Result

All passwords can be viewed without needing the master password

Screenshots or Videos

No response

Additional Context

No response

Operating System

macOS

Operating System Version

14.4.1

Web Browser

Chrome, Brave

Browser Version

Version 1.65.122 Chromium: 124.0.6367.82 (Official Build) (arm64)

Build Version

2024.4.1

hammzj (Author) commented May 8, 2024

Just checked -- this does not show the current password, only the previous ones. However, it still makes sense to lock these behind a master password, as they could contain personal or identifiable details.

Krychaz (Member) commented May 9, 2024

Hello there,

Master password re-prompt will behave slightly differently depending on which app you're using, for example:

  • In the web app, accessing or editing anything about a vault item with this enabled will require you to re-enter your master password.

  • On browser extensions, desktop apps, and mobile apps, only viewing hidden fields (e.g. passwords, hidden custom fields, credit card numbers) will require you to re-enter your master password. Editing anything about the item will also require you to re-enter your master password.
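
The per-client re-prompt behaviour described above, and the gap the reporter hit in the reproduction steps, modelled as an added example in TypeScript (the language of the Bitwarden clients). This is illustrative code written for this thread, not Bitwarden's own implementation; the item shape, client names, action names and the sample item are assumptions. It encodes the behaviour as described (web gates everything; extension, desktop and mobile gate hidden fields and edits), shows that the "Password history" view falls outside the gate on the extension, and shows the expected behaviour of treating old passwords as hidden fields.

```typescript
// Added illustration, not Bitwarden's own code: a minimal model of the
// per-client "Master Password re-prompt" gate, with the password-history
// view added to the gated set. Item shape, client and action names are
// assumptions made for this example.

export type ClientApp = "web" | "extension" | "desktop" | "mobile";

export type Action =
  | "view-item"         // open the item; see non-hidden fields
  | "view-hidden-field" // reveal password, hidden custom field, card number
  | "view-history"      // open the "Password history" list
  | "edit";

export interface VaultItem {
  name: string;
  reprompt: boolean;         // the item's "Master Password re-prompt" toggle
  password: string;
  passwordHistory: string[]; // previous passwords, most recent first
}

export type Policy = Record<ClientApp, ReadonlySet<Action>>;

// Behaviour as described in the thread (and as reported): the web app gates
// every access; extension, desktop and mobile gate hidden fields and edits,
// but the history list is not in the gated set.
const HIDDEN_AND_EDIT: Action[] = ["view-hidden-field", "edit"];
export const REPORTED_POLICY: Policy = {
  web: new Set<Action>(["view-item", "view-hidden-field", "view-history", "edit"]),
  extension: new Set<Action>(HIDDEN_AND_EDIT),
  desktop: new Set<Action>(HIDDEN_AND_EDIT),
  mobile: new Set<Action>(HIDDEN_AND_EDIT),
};

// Expected behaviour: old passwords are secrets of the same class as the
// current one, so "view-history" is gated wherever "view-hidden-field" is.
export function gateHistoryLikeHiddenFields(policy: Policy): Policy {
  const out = {} as Policy;
  for (const client of Object.keys(policy) as ClientApp[]) {
    const actions = new Set<Action>(policy[client]);
    if (actions.has("view-hidden-field")) actions.add("view-history");
    out[client] = actions;
  }
  return out;
}
export const EXPECTED_POLICY: Policy = gateHistoryLikeHiddenFields(REPORTED_POLICY);

// The gate only applies when the item has re-prompt enabled.
export function requiresReprompt(
  item: VaultItem, client: ClientApp, action: Action, policy: Policy,
): boolean {
  return item.reprompt && policy[client].has(action);
}

// Returns the history only when the gate is satisfied. `masterPasswordVerified`
// stands in for the outcome of the re-prompt dialog in the current session;
// null means "show the re-prompt and retry".
export function openPasswordHistory(
  item: VaultItem, client: ClientApp, masterPasswordVerified: boolean, policy: Policy,
): string[] | null {
  if (requiresReprompt(item, client, "view-history", policy) && !masterPasswordVerified) {
    return null;
  }
  return [...item.passwordHistory];
}

// Constructed sample item mirroring the reproduction steps: re-prompt enabled,
// password changed a few times, vault just reopened so nothing is verified yet.
export const SAMPLE_ITEM: VaultItem = {
  name: "example.test",
  reprompt: true,
  password: "current-pw-4",
  passwordHistory: ["old-pw-3", "old-pw-2", "old-pw-1"],
};

// Runs the reported scenario on the Chromium extension under both policies.
export function reproduce(): { leakedWithoutReprompt: boolean; blockedAfterFix: boolean } {
  const before = openPasswordHistory(SAMPLE_ITEM, "extension", false, REPORTED_POLICY);
  const after = openPasswordHistory(SAMPLE_ITEM, "extension", false, EXPECTED_POLICY);
  return { leakedWithoutReprompt: before !== null, blockedAfterFix: after === null };
}

console.log(reproduce()); // { leakedWithoutReprompt: true, blockedAfterFix: false } under the fix
```

The design point is that the gate is keyed on the data class being revealed, not on which UI control was clicked: any view that reveals a value the item marks as hidden, including previous values of that field, should route through the same `requiresReprompt` check. Note also that the check is a no-op when `reprompt` is false, matching the per-item nature of the toggle.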

hammzj (Author) commented May 9, 2024

Hello, this is in regards to the Brave (Chromium) browser extension. I am able to open the item, and viewing a password requires the master password prompt as expected. However, it does not require it if I click on "Password History" at the bottom of the item pane. While I understand that the history does not include the current password, it is not secure to allow direct access to the password history without re-prompting with the master password.
