Passwords stored in Brave are not private

Description of the issue:
Any password stored in Brave can be accessed if someone gains access to the device.

How can this issue be reproduced?
Ensure you have at least one password/login stored in Brave before attempting to reproduce this issue.

  1. Open Brave
  2. Open the Settings menu
  3. Under “Security”, you will find “Logins & Passwords”
  4. Tap on any login.
  5. Note that when you click “reveal” on the password, it prompts you for Face ID, Touch ID, or a system password
  6. When tapping on “copy”, there is no authentication or verification and it simply copied the password to your clipboard.

Expected result: Tapping “copy” would also require authentication (Face ID, Touch ID, System Password).

Brave Version( check About Brave): Version 1.45.2 (

Mobile Device details Apple iPhone 13, iOS 16.1.1


@michal and @Mattches Just wanted to make sure to tag the both of you here. I just confirmed this on my iPhone. For some reason when you go to SettingsLogins & Passwords and then choose any of the saved logins, when you click on password you get option for Copy and Reveal. If you go to `Reveal it will open Face Recognition or whichever security you have.

However, if you choose Copy instead, it works as OP mentioned. It will copy directly to your clipboard the password without Facial Recognition or any security prompt. So anyone with access would be able to copy and then paste somewhere to see what the password was.

On Android, this isn’t the case. If you try to Copy it would make you Verify your identity using your lock screen code or whatever.

Not sure how big of a deal it is in the long run, but it definitely seems to be an oversight.

1 Like

Fortunately in Windows (10) it asks for the login/admin password even for the “copy” command. But yes, it’s something that must be corrected on Brave for iOS.

1 Like

Wanted to give an fyi. I spoke directly with Mattches on this and he said was notifying team about it. So while no further commenting here, it was acknowledged and is supposedly being looked into

Any password stored in any browser can be accessed if someone gains access to the device.

That’s why passwords should never be stored in any device, or, a specific password manager should be used with a very strong key.

Sounds like a bug, we will try to fix it in 1.47, ticket to track it is here

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.