Passwords stored in Brave are not private

Description of the issue:
Any password stored in Brave can be accessed if someone gains access to the device.

How can this issue be reproduced?
Ensure you have at least one password/login stored in Brave before attempting to reproduce this issue.

  1. Open Brave
  2. Open the Settings menu
  3. Under “Security”, you will find “Logins & Passwords”
  4. Tap on any login.
  5. Note that when you click “reveal” on the password, it prompts you for Face ID, Touch ID, or a system password
  6. When tapping on “copy”, there is no authentication or verification and it simply copies the password to your clipboard.

Expected result: Tapping “copy” would also require authentication (Face ID, Touch ID, System Password).

Brave Version (check About Brave): Version 1.45.2 (22.11.29.0)

Mobile Device details: Apple iPhone 13, iOS 16.1.1

3 Likes

@michal and @Mattches Just wanted to make sure to tag the both of you here. I just confirmed this on my iPhone. For some reason, when you go to Settings → Logins & Passwords and then choose any of the saved logins, when you click on the password you get the options Copy and Reveal. If you go to Reveal, it will open Face Recognition or whichever security you have.

However, if you choose Copy instead, it works as OP mentioned. It will copy directly to your clipboard the password without Facial Recognition or any security prompt. So anyone with access would be able to copy and then paste somewhere to see what the password was.

On Android, this isn’t the case. If you try to Copy it would make you Verify your identity using your lock screen code or whatever.

Not sure how big of a deal it is in the long run, but it definitely seems to be an oversight.

1 Like

Fortunately in Windows (10) it asks for the login/admin password even for the “copy” command. But yes, it’s something that must be corrected on Brave for iOS.

1 Like

Wanted to give an FYI. I spoke directly with Mattches on this and he said he was notifying the team about it. So while there is no further commenting here, it was acknowledged and is supposedly being looked into.

Any password stored in any browser can be accessed if someone gains access to the device.

That’s why passwords should never be stored on any device, or a specific password manager should be used with a very strong key.

Sounds like a bug. We will try to fix it in 1.47; the ticket to track it is here: https://github.com/brave/brave-ios/issues/6675

1 Like
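
The expected behaviour described in this thread, with “copy” requiring the same device-owner authentication as “reveal”, sketched as an added example. It is not code from Brave or from any poster here; `PasswordCopyGate`, `GatedCopyError` and the 60-second clipboard lifetime are hypothetical names and values chosen for illustration.

```swift
import UIKit
import LocalAuthentication

// Hypothetical error type for this example (not a Brave or Apple type).
enum GatedCopyError: Error {
    case authenticationUnavailable(Error?)
    case authenticationFailed(Error?)
}

// Hypothetical helper: copies a saved password only after the device owner
// authenticates, mirroring what "reveal" already requires.
final class PasswordCopyGate {
    // Seconds before the copied value expires from the pasteboard (assumed value).
    private let clipboardLifetime: TimeInterval

    init(clipboardLifetime: TimeInterval = 60) {
        self.clipboardLifetime = clipboardLifetime
    }

    func copy(password: String,
              completion: @escaping (Result<Void, GatedCopyError>) -> Void) {
        // Fresh context per request so an earlier success is never reused.
        let context = LAContext()
        var policyError: NSError?

        // .deviceOwnerAuthentication = Face ID / Touch ID with passcode fallback.
        guard context.canEvaluatePolicy(.deviceOwnerAuthentication, error: &policyError) else {
            // Fail closed: if no authentication is possible, nothing is copied.
            completion(.failure(.authenticationUnavailable(policyError)))
            return
        }

        context.evaluatePolicy(.deviceOwnerAuthentication,
                               localizedReason: "Authenticate to copy this password") { success, error in
            // The reply block runs on a private queue; hop to main for UIKit.
            DispatchQueue.main.async {
                guard success else {
                    completion(.failure(.authenticationFailed(error)))
                    return
                }
                // Keep the secret on this device only and let it expire.
                UIPasteboard.general.setItems(
                    [["public.utf8-plain-text": password]],
                    options: [.localOnly: true,
                              .expirationDate: Date().addingTimeInterval(self.clipboardLifetime)])
                completion(.success(()))
            }
        }
    }
}
```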
