"Master password re-prompt" can be bypassed in the browser extension #13959

Open
1 task done
jenda69 opened this issue Mar 24, 2025 · 2 comments · May be fixed by #13969

jenda69 commented Mar 24, 2025

Steps To Reproduce

Easy way:

  1. Go to a website with "Master password re-prompt" enabled
  2. Click the login field. It shows saved login selection.
  3. Click the little blue "card" on the right of the list.
  4. This opens the vault with the View login page where you can easily view and copy username and password.

A bit more complicated way:

  1. Go to a website with "Master password re-prompt" enabled
  2. Click the login field. It shows saved login selection.
  3. Click the login. It opens a window asking for the master password.
  4. Open devtools (F12) and go to console.
  5. Type `document.getElementById("password").value`

Expected Result

When "Master password re-prompt" is enabled, I'd expect I wouldn't be able to access the password without the master password.

Actual Result

I accessed the password without the master password.

Screenshots or Videos

No response

Additional Context

No response

Operating System

Windows

Operating System Version

No response

Web Browser

Vivaldi

Browser Version

7.2.3621.67

Environment Versions

Verze: 2025.3.0

SDK: 'main (6008e90)'

Verze serveru: 2025.3.0

Issue Tracking Info

  • I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.
@jenda69 jenda69 added browser Browser Extension bug labels Mar 24, 2025
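
Added example, not part of the original thread and not Bitwarden's code: a minimal model of the pattern the report describes, where the password is already readable on the view side while the prompt is shown, next to a gate that withholds the secret on both reported paths until the master password is verified. All names (`makeVault`, `release`, `leaksSecret`), the sample data and the verifier are hypothetical.

```javascript
// Hypothetical model, not Bitwarden code. "Vault" stands for the trusted side that holds
// decrypted items; anything it returns is treated as readable in the page/DOM/devtools.
const REPROMPT = true; // constructed flag: item has "Master password re-prompt" enabled

function makeVault(items, verifyMasterPassword) {
  const byId = new Map(items.map((item) => [item.id, item]));

  // Single gate used by every code path that can hand out a secret.
  function release(id, attempt) {
    const item = byId.get(id);
    if (!item) return null;
    const needsProof = item.reprompt === REPROMPT;
    if (needsProof && !(typeof attempt === "string" && verifyMasterPassword(attempt))) {
      return { id: item.id, name: item.name, locked: true }; // no secret fields at all
    }
    return { id: item.id, name: item.name, username: item.username, password: item.password, locked: false };
  }

  return {
    // Weak pattern: the full item reaches the view and the prompt is only drawn on top of it.
    weakOpen: (id) => ({ ...byId.get(id), promptShown: byId.get(id).reprompt === REPROMPT }),
    // Hardened: the "view item" path and the autofill path share the same gate.
    openViewPage: (id, attempt) => release(id, attempt),
    prepareAutofill: (id, attempt) => release(id, attempt),
  };
}

// Regression check: does the data handed to the view contain the secret anywhere?
function leaksSecret(viewModel, secret) {
  return JSON.stringify(viewModel).includes(secret);
}

// Constructed sample data; the verifier is a stand-in for a real master-password hash comparison.
const SAMPLE_SECRET = "constructed-site-password";
const sampleVault = makeVault(
  [
    { id: "a", name: "example.test", username: "alice", password: SAMPLE_SECRET, reprompt: true },
    { id: "b", name: "forum.test", username: "alice", password: "constructed-low-value", reprompt: false },
  ],
  (attempt) => attempt === "constructed-master-password"
);

console.log("weak view leaks:", leaksSecret(sampleVault.weakOpen("a"), SAMPLE_SECRET));
console.log("gated view leaks:", leaksSecret(sampleVault.openViewPage("a"), SAMPLE_SECRET));
console.log("gated autofill, wrong password:", sampleVault.prepareAutofill("a", "wrong").locked);
console.log("gated autofill, verified:", sampleVault.prepareAutofill("a", "constructed-master-password").locked);
```

A check like `leaksSecret` is useful as a regression test on every entry point that can return an item, since a gate on one path does not protect the others.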

S-Kakar commented Mar 24, 2025

Thank you for reporting this issue! We've added this to our internal tracking system.
ID: PM-19454

@daniellbw

Hi there,

Thank you for your report!

I was able to reproduce this issue, and I have flagged this to our engineering team.

If you wish to add any further information/screenshots/recordings etc., please feel free to do so at any time - our engineering team will be happy to review these.

Thanks once again!
