You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
In short: disabling "Always ask before performing Auto-Type" combined with "Global Auto-Type sequence" is EXTREMELY DANGEROUS and causes filling of wrong credentials to login forms or an unintended leak of credentials to wrong places (e.g. google search/messengers/etc...)
Isn't this behavior expected from the checkbox name?
But at the same time, I don't expect this option should somehow affect "Global Auto-Type shortcut" behavior, because it's... global and should always be followed by a dialog with a list of passwords/usernames
Steps to Reproduce
(optionally) prepare a clean environment and create a new database;
configure any suitable "Global Auto-Type shortcut";
turn off "Always ask before performing Auto-Type";
create an entry with the following title: firefox (or just f);
open Firefox browser and focus on the address bar (for example);
An Auto-Type sequence is performed immediately. There is no way to select another username, password or specific Auto-Type sequence. Instead, credentials of the entry with the title f/firefox are sent to the default search engine (e.g. google)
The same behavior with any login field in the browser. Sometimes this also happens with the Firefox add-on and "Request Global Auto-Type" shortcut configured via the Firefox add-on manager
Hmmmmm.... extremely dangerous, I disagree. Entry level auto type without confirmation is dangerous, which is why we added that prompt for confirmation. I do agree we should probably separate the functionality of that checkbox between global and entry level Auto-Type.
What is also dangerous is combining the enablement of the first two checkboxes for title and url matching with disablement of confirmation.
Entry level auto type without confirmation is dangerous
I think it's hard enough to perform Auto-Type with a shortcut or context menu accidentally, so... yes, that might be dangerous, but the confirmation dialog doesn't help you to see the mistake: neither information about the selected entry nor about the previously active window is in the dialog. That's the reason I've disabled the checkbox: it simply doesn't help me
Anyway, yes, I totally agree that the functionality of the checkbox should be separated
Overview
In short: disabling "Always ask before performing Auto-Type" combined with "Global Auto-Type sequence" is EXTREMELY DANGEROUS and causes filling of wrong credentials to login forms or an unintended leak of credentials to wrong places (e.g. google search/messengers/etc...)
Isn't this behavior expected from the checkbox name?
Absolutely not! I disable this option to prevent the appearance of a very annoying confirmation dialog when I use "Perform Auto-Type" per-entry (ctrl+shift+v). In this (completely unrelated) case, the behavior is expected and desired
But at the same time, I don't expect this option should somehow affect "Global Auto-Type shortcut" behavior, because it's... global and should always be followed by a dialog with a list of passwords/usernames
Steps to Reproduce
firefox
(or justf
);Expected Behavior
A dialog window with a list of usernames and passwords is appeared
Actual Behavior
An Auto-Type sequence is performed immediately. There is no way to select another username, password or specific Auto-Type sequence. Instead, credentials of the entry with the title
f
/firefox
are sent to the default search engine (e.g. google)The same behavior with any login field in the browser. Sometimes this also happens with the Firefox add-on and "Request Global Auto-Type" shortcut configured via the Firefox add-on manager
Context
KeePassXC - Version 2.7.4
Revision: 63b2394
Browser: Firefox 110.0
KeePassXC-Browser Version: 1.8.5.1
Operating System: Manjaro Linux
CPU architecture: x86_64
Kernel: linux 6.1.12-1-MANJARO
KDE Plasma Version: 5.26.5
Windowing System: X11
The text was updated successfully, but these errors were encountered: