Password History is not locked behind master password, so all passwords can be viewed without the master password
Steps To Reproduce
- Create a new Login item with a password
- Enable "Master Password re-prompt"
- Change the password a few times
- Close the vault
- Reopen the vault
- Open the Login item but do not give Master Password
- Click on the number by "Password history" at the bottom
Expected Result
The "Master Password" prompt should be displayed and the history locked behind it
Actual Result
All passwords can be viewed without needing the master password
Screenshots or Videos
No response
Additional Context
No response
Operating System
macOS
Operating System Version
14.4.1
Web Browser
Chrome, Brave
Browser Version
Version 1.65.122 Chromium: 124.0.6367.82 (Official Build) (arm64)
Build Version
2024.4.1
Issue Tracking Info
- [X] I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.
Just checked -- this does not show the current password, but only the old ones that were previous. However, it still makes sense to lock these behind a master password, as they could contain personal or identifiable details.
Hello there,
Master password re-prompt will behave slightly differently depending on which app you're using, for example:
- In the web app, accessing or editing anything about a vault item with this enabled will require you to re-enter your master password.
- On browser extensions, desktop apps, and mobile apps, only viewing hidden fields (e.g. passwords, hidden custom fields, credit card numbers) will require you to re-enter your master password. Editing anything about the item will also require you to re-enter your master password.
Hello, this is in regards to the Brave (Chromium) browser extension. I am able to open the item, and viewing a password requires the master password prompt as expected. However, it does not require it if I click on "Password History" at the bottom of the item pane. While I understand that the history does not include the current password, it is not secure to allow direct access to the password history without re-prompting with the master password.
Hello, security note: I have the same problem, with one extra problem. If you rename a personal field, the history shows your current hidden value without asking for the master password.
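A sketch of the control this thread asks for, added here as an example; it is not Bitwarden's code and not written by any commenter. It shows one re-prompt gate that treats password history like any other hidden value, so the history stays unreadable until the master password is re-entered. All names (`RepromptGate`, `readPasswordHistory`, `VaultItem`) and the sample data are hypothetical.

```typescript
// Added illustration: every name here is hypothetical, not Bitwarden client code.
type Action = "viewItem" | "revealPassword" | "viewPasswordHistory" | "revealHiddenField";

interface VaultItem {
  id: string;
  reprompt: boolean;          // "Master password re-prompt" enabled on this item
  passwordHistory: string[];  // previous passwords, oldest first
}

// Anything that exposes secret material, current or historical, is gated.
const SECRET_ACTIONS: ReadonlySet<Action> =
  new Set<Action>(["revealPassword", "viewPasswordHistory", "revealHiddenField"]);

class RepromptGate {
  private verified = new Set<string>(); // item ids unlocked while the item pane is open
  private check: (attempt: string) => boolean;

  // `check` stands in for the client's real master password verification.
  constructor(check: (attempt: string) => boolean) {
    this.check = check;
  }

  needsPrompt(item: VaultItem, action: Action): boolean {
    return item.reprompt && SECRET_ACTIONS.has(action) && !this.verified.has(item.id);
  }

  // Record a successful re-prompt; a failed attempt leaves the item locked.
  submit(item: VaultItem, attempt: string): boolean {
    const ok = this.check(attempt);
    if (ok) this.verified.add(item.id);
    return ok;
  }

  // Closing the item pane drops the verification, so reopening prompts again.
  close(item: VaultItem): void {
    this.verified.delete(item.id);
  }
}

// Returns null when the UI must show the re-prompt before rendering history.
function readPasswordHistory(gate: RepromptGate, item: VaultItem): string[] | null {
  return gate.needsPrompt(item, "viewPasswordHistory") ? null : [...item.passwordHistory];
}

// Constructed sample item and stand-in verifier, for demonstration only.
const sampleItem: VaultItem = { id: "login-1", reprompt: true, passwordHistory: ["old-1", "old-2"] };
const sampleGate = new RepromptGate((attempt) => attempt === "constructed-master-password");
```

Routing every secret-bearing view through the same `needsPrompt` check means a newly added view has to be listed as a secret action or left ungated on purpose, rather than being missed by default.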