Other email account's login info displayed briefly immediately after login

Browser Support Desktop Support
1

I have a second, occasionally-used email account with one of the encryption-friendly webmail providers.

When I logged in to the second account in a Brave TOR window over the weekend I noticed that after entering my login and password for that account and pressing ‘return’, a faint image of my login credentials for the other account were briefly visible on-screen.

I don’t know what that implies, but am mentioning it in case it possibly indicates a security leak in Brave’s TOR windows.

It hasn’t ever happened when I’ve done the same in the TOR browser.

Mac OS 10.14.3 (Mojave)
​​Version 1.52.102 Chromium: 113.0.5672.126 (Official Build) beta (x86_64)

2

Hi @mk7z thanks for reporting.
We have passed this information along to our team for review.

1 Like
3

@mk7z Just so I understand you correctly, you have two separate email accounts at the same provide, say email.com for the sake of argument. So you normally use a@email.com, but you also have b@example.com that you rarely use.

You opened a Tor window in order to log into email.com as b@email.com, and you briefly saw the credentials pop up for a@email.com in the browser? Is that correct?

Do you have a password manager extension installed? Or did you use the built-in Brave password manager to save the credential for a@email.com?

2 Likes
4

@fmarier Yes, that’s it exactly, except that it happened when I logged out of the second account. Sorry for the error in my original post. What I saw flash on the screen was the login ID for the other account (the one I normally use), immediately after I logged out of the rarely-used account.

The text that flashed on the screen was in a grayed-out font, not the normal black font.

In another login to the second account since my post, it didn’t happen.

I don’t use a password manager.

Thanks.

5

And do you have anything turned on in brave://settings/autofill?

Screenshot from 2023-06-05 11-27-20
Screenshot from 2023-06-05 11-27-20771×238 11.3 KB

The Password Manager section will show you anything that may be saved locally, but also the Addresses and more section could in theory pick up your email address and save it locally, if that feature is enabled.

Screenshot from 2023-06-05 11-27-25
Screenshot from 2023-06-05 11-27-25771×276 16.5 KB

1 Like
6

Nothing turned on or enabled in either Password Manager or Addresses and more.

7

Thanks for the extra details @mk7z . I’m out of ideas as to what might have caused what you saw.

If you manage to reproduce it again, we can investigate, but I’m afraid that without steps to reproduce this we don’t have much to go on.

2 Likes
8

@fmarier I thought of waiting for it to recur before the original post, and decided to do so primarily to see whether it had been reported by others.

The first thought I had when it happened was wondering whether the email provider was monitoring logins against data that would indicate multiple accounts by the same user. As far as I know, that would not be easy to do with TOR circuits.

Thanks for looking into it.

9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.