Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

"Don't ask before performing Auto-Type" causes password leak #9238

Open
oficsu opened this issue Mar 13, 2023 · 2 comments
Open

"Don't ask before performing Auto-Type" causes password leak #9238

oficsu opened this issue Mar 13, 2023 · 2 comments
Labels
feature: Auto-Type ux

Comments

@oficsu
Copy link

oficsu commented Mar 13, 2023
edited
Loading

Overview

In short: disabling "Always ask before performing Auto-Type" combined with "Global Auto-Type sequence" is EXTREMELY DANGEROUS and causes filling of wrong credentials to login forms or an unintended leak of credentials to wrong places (e.g. google search/messengers/etc...)

Isn't this behavior expected from the checkbox name?

Absolutely not! I disable this option to prevent the appearance of a very annoying confirmation dialog when I use "Perform Auto-Type" per-entry (ctrl+shift+v). In this (completely unrelated) case, the behavior is expected and desired

But at the same time, I don't expect this option should somehow affect "Global Auto-Type shortcut" behavior, because it's... global and should always be followed by a dialog with a list of passwords/usernames

Steps to Reproduce

  1. (optionally) prepare a clean environment and create a new database;
  2. configure any suitable "Global Auto-Type shortcut";
  3. turn off "Always ask before performing Auto-Type";
  4. create an entry with the following title: firefox (or just f);
  5. open Firefox browser and focus on the address bar (for example);
  6. perform Auto-Type with the shortcut

Expected Behavior

A dialog window with a list of usernames and passwords is appeared

Actual Behavior

An Auto-Type sequence is performed immediately. There is no way to select another username, password or specific Auto-Type sequence. Instead, credentials of the entry with the title f/firefox are sent to the default search engine (e.g. google)

The same behavior with any login field in the browser. Sometimes this also happens with the Firefox add-on and "Request Global Auto-Type" shortcut configured via the Firefox add-on manager

Context

KeePassXC - Version 2.7.4
Revision: 63b2394

Browser: Firefox 110.0
KeePassXC-Browser Version: 1.8.5.1

Operating System: Manjaro Linux
CPU architecture: x86_64
Kernel: linux 6.1.12-1-MANJARO

KDE Plasma Version: 5.26.5
Windowing System: X11
@oficsu oficsu added the bug label Mar 13, 2023
@droidmonkey
Copy link
Member

Hmmmmm.... extremely dangerous, I disagree. Entry level auto type without confirmation is dangerous, which is why we added that prompt for confirmation. I do agree we should probably separate the functionality of that checkbox between global and entry level Auto-Type.

What is also dangerous is combining the enablement of the first two checkboxes for title and url matching with disablement of confirmation.

@oficsu
Copy link
Author

oficsu commented Mar 14, 2023

Entry level auto type without confirmation is dangerous

I think it's hard enough to perform Auto-Type with a shortcut or context menu accidentally, so... yes, that might be dangerous, but the confirmation dialog doesn't help you to see the mistake: neither information about the selected entry nor about the previously active window is in the dialog. That's the reason I've disabled the checkbox: it simply doesn't help me

Anyway, yes, I totally agree that the functionality of the checkbox should be separated

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature: Auto-Type ux
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@droidmonkey @oficsu