Closed Bug 1930976 Opened 6 months ago Closed 6 months ago

Switching to task manager bypasses screen lock for passwords

Categories

(Firefox for Android :: Logins, defect)

Product:
Firefox for Android
Component:
Logins
Version:
Firefox 132
Platform:
All
Android
Type:
defect

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1928779

People

(Reporter: github, Unassigned)

Details

(Keywords: reporter-external)

Steps to reproduce:

  1. Open the 3 dot menu next to the URL bar
  2. Select Passwords
  3. Android screen lock opens requiring the Android pin code
  4. Swipe up from the bottom edge of the screen to open Androids task manager
  5. The Firefox preview now shows the password list
  6. Select Firefox from the task manager
  7. Open any password entry
  8. Click the eye to reveal the password

Actual results:

The password list containing account names is shown, and passwords can be revealed without further password prompts

Expected results:

Accounts and passwords should not be revealed. Possibly by returning to the main window.

Tested with Firefox 132 from Play Store (build id 20241021175835) on GrapheneOS 15 build 2024110700. Neither the passcode prompt or the login screen appear on a screen recording, but I might be able to record with a different device later.

When I use the wifi password share function in Android that also uses the same pin lock flow, following the same steps doesn't give me password access, but kicks me one step backwards in the flow instead.

1909146 might be slightly related to this

Status: UNCONFIRMED → RESOLVED
Closed: 6 months ago
Duplicate of bug: CVE-2024-11703
Resolution: --- → DUPLICATE
Group: mobile-core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.