When entering the master password, clicking the eye icon to show the password changes the keyboard to include word suggestions / text prediction. (This may also apply to other places with the "show password" option.) My concern is that this might also cause the keyboard to use what the user types (in this case his or her password) to train word suggestions / text prediction.
However, I don't know enough about mobile platforms to know under what conditions the user's input is used for training, so I might be wrong about this being a security hole. I would be grateful for any information about this.
I note that the code toggles the IsPassword property to control whether to show the password. The fix might be as simple as also setting IsTextPredictionEnabled to false on the text control. Though again this depends on exactly what controls whether user input is used for training word suggest / text predictions.
Tested On:
- Android (Lineage) version 9
- BitWarden version 2.1.1
Steps to Reproduce:
- Log out of BitWarden and then start BitWarden so you are on the "Verify Master Password" screen.
- Click the "eye" icon so the password is shown.
- Click in the text box so the on-screen keyboard appears.
- Start typing a password.
Result:
- The on-screen keyboard displays word suggestions and text completions based on the typed password.
Vulnerabilities:
- If word suggest involves querying outside services (I don't know if this is the case), this results in sending the thus far typed password to those outside services.
- If the typed password is used to train word suggest (I don't know if this is the case), this results in information about the password being stored in that training data.
- If the user selects one of those suggestions and that fact is used to train word suggest (I don't know if this is the case), this results in information about the password being stored in that training data.
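The fix proposed in the report, written out as an added Xamarin.Forms example (not Bitwarden's own code): a show/hide toggle that flips `IsPassword` but keeps `IsTextPredictionEnabled` (and `IsSpellCheckEnabled`) off in both states. The helper class, method names and the comment about how the Android renderer maps these properties are assumptions, not taken from the project.

```csharp
using Xamarin.Forms;

// Hypothetical helper (not Bitwarden's code) for a master-password Entry.
// The point: toggling IsPassword alone is what lets suggestions reappear,
// because once the field is no longer a password field the keyboard treats
// it as ordinary text. Disabling prediction explicitly keeps the IME from
// offering (or potentially learning from) the visible password.
public static class PasswordEntryToggle
{
    // Call once when the Entry is created: masked by default, prediction off.
    public static void Configure(Entry entry)
    {
        entry.IsPassword = true;
        entry.IsTextPredictionEnabled = false; // no word suggestions
        entry.IsSpellCheckEnabled = false;     // no autocorrect/spell-check strip
    }

    // Call from the "eye" icon handler. Re-assert the prediction flags on every
    // toggle; assumption: the Android renderer recomputes the native InputType
    // whenever IsPassword changes, so setting the flags once at startup may not
    // be enough on its own.
    public static void SetPasswordVisible(Entry entry, bool showPassword)
    {
        entry.IsPassword = !showPassword;
        entry.IsTextPredictionEnabled = false;
        entry.IsSpellCheckEnabled = false;
    }
}
```

To check the fix on a device, repeat the steps above after applying it: with the password shown, the keyboard's suggestion strip should stay empty while typing.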