Able to view TOTP code even though master password re-prompt is enabled
Steps To Reproduce
- Go to a vault item which has Master password re-prompt enabled.
- Click to view the item.
- The TOTP code is visible even though we have not been re-prompted for the master password.
Expected Result
I would expect to not be able to view the TOTP code until I'm re-prompted to enter the master password.
Actual Result
I'm able to view the TOTP code on a vault item which has Master password re-prompt enabled. However, if you attempt to copy the TOTP code, you are then re-prompted for the master password. This functionality does not match the website implementation, nor the mobile application implementation. I would expect to have the TOTP code hidden until I'm re-prompted for the master password.
Screenshots or Videos
https://user-images.githubusercontent.com/3620552/138895208-84db8fc1-1268-4295-9a65-451358a18e62.mp4
Additional Context
No response
Operating System
Linux
Operating System Version
No response
Web Browser
Firefox
Browser Version
No response
Build Version
1.53.0
1.55.0
This is a big security issue that should be addressed asap
+1 this is pretty bad. Still an issue on 1.57.0
@mimartin12 @djsmith85 @Hinton
I've noticed this also. On Brave browser 1.49.128 (Chromium: 111.0.5563.110) in Windows 10:
- When clicking the copy button on the screen, it will prompt for the master password; however, it will still copy to your clipboard and can be pasted without entering the master password.
@joshuabjordan any updates? This doesn't seem like intended behavior given that if you click the copy button for TOTP code it requires the master password, yet it's displaying the TOTP code without any redaction prior to entering the master password.