I have both K-9 Mail and Keepass2Android installed. After entering the Account Settings...Fetching mail...Incoming Server settings but not changing anything, I pressed the back button. At this point Keepass2Android offered to save my password. If I accept, the password is transferred into Keepass2Android to save.
The interface of K-9 Mail on the settings screen only shows dots in the password field. Also, the password may not be highlighted and copied using the normal Android interface. So, I assume that the intent is to not expose saved passwords.
Security bug: The password is exposed.
I do not think this is a problem with Keepass2Android since the purpose of that software as a password manager is to save passwords from other applications. Though, I would not expect it to be able to fetch previously entered passwords.
Expected behavior
Nothing. The password should not be exposed unless it is being freshly entered.
Actual behavior
The previously saved password was found by Keepass2Android.
Steps to reproduce
Ensure that Keepass2Android (or potentially other password managers) is installed and properly configured
Enter a K-9 server settings page that has a previously saved password
Press the back button
Environment
K-9 Mail version: 5.600
Android version: 8.0.0
Account type (IMAP, POP3, WebDAV/Exchange): IMAP
Keepass2Android version: 1.05d