Brave Browser Reuses Password Lock for Opening Lock after Accessing Passwords, Cancel Button then Unlocks Browser


Description of the issue:
After attempting to access your saved passwords, iOS Brave Browser will use the lock screen for the passwords, with the cancel button, for ALL authentications, until the app is restarted from the app switcher. A person unsuspecting of this vulnerability can then have their browser accessed by anyone by simply pressing Cancel when prompted for authentication.

How can this issue be reproduced?

  1. Make sure your Browser Lock is turned on, and access your saved passwords
  2. Go to the iOS home menu, and reopen the app
  3. You will now see the interface for the password lock, with the cancel button
  4. Press cancel and snoop around on the person’s tabs because this browser’s lock just got bypassed

It will only return to using the browser lock WITHOUT the cancel button if you close and restart the app from the app switcher.

Expected result:
There should NEVER be a cancel button when opening the browser.

Brave Version (check About Brave):
1.56 (23.8.4.21). Latest as of this posting.

Mobile Device details:
iPad Mini 5, iPadOS 16.6

Additional Information:
I posted a video demonstrating this epic fail of a security flaw. Link is here: https://youtu.be/up8634utByc

The fix will come in 1.57 later this month, thanks for the report.
Details here: https://github.com/brave/brave-ios/issues/7893
