strongbox-password-safe/Strongbox

[BUG] Strongbox Autofill unlock with system-profile password instead of Strongbox password when Touch ID enabled

Closed this issue · 3 comments

I have ensured that:

  • I am running the latest version of Strongbox on the App Store by searching for Strongbox and clicking into it to see the Update button (or not)

  • I have performed a full restart of my device no matter how annoying that is

  • macOS Sonoma 14.5

  • Strongbox Version: 1.60.6

I set up Strongbox to only use Touch ID or the Strongbox Master-Password for macOS to unlock the app and database! This is working fine and without any issues.
But when logged in and working with Strongbox and trying to fill a password within Safari, I do need to use Touch ID again to fill the credentials (which is fine in general), but it is 'not' asking for the Master-Password! When clicking 'Use Password' I need to enter the system-profile password of my Mac!

Steps to reproduce the behavior:

  • Have Touch ID enabled on macOS, along with a profile password.
  • Go to some website.
  • Fill the credentials via Safari AutoFill with Strongbox.
  • In the Touch ID popup, click "Use Password...".
  • You can now type in the system-profile password of your Mac (and not the Strongbox master password) and click "OK".
  • The system fills the password!

Expected behavior:

  • I want to solely use my Master-Password from Strongbox to enter credentials and not any other password!

Additional context:

  • Nearly the same bug exists in Bitwarden (but not in 1Password) - see here: bitwarden/clients#2592

Hi @pictosun - I'm not seeing that. Would you be able to send a screen recording? I see a button for "Manual Unlock" which falls back to asking for the database master password. I don't see a "Use Password" button so I must be doing something wrong.

By any chance is your database already unlocked in the background when you see this request?

Hi @strongbox-mark - this is the case. Does it only work when the database is locked?

OK, yeah that makes more sense, your database is already unlocked and so entering your system master password is not unlocking your database but merely allowing an AutoFill.

The reason you see this dialog has nothing to do with Strongbox: Apple's AutoFill subsystem pops up this Touch ID prompt, not Strongbox. It does this when Strongbox tells the system it can provide the credential without any user interaction, which it does when it sees the database is unlocked and there is no need to interrupt the user. In this case, probably for some security reasons, it asks the user to do a Touch ID (or enter the profile password). Does that make sense?
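The two code paths the maintainer describes, as an added illustration that is not Strongbox's own code. An AutoFill credential-provider extension on macOS subclasses `ASCredentialProviderViewController`; the system first asks it (via `provideCredentialWithoutUserInteraction(for:)`) whether it can hand over the credential with no UI of its own. If the extension completes the request there, the only prompt the user sees is the one the AutoFill subsystem shows (Touch ID, with the macOS account password as the fallback). If the extension instead cancels with `ASExtensionError.userInteractionRequired`, the system calls `prepareInterfaceToProvideCredential(for:)` and the extension shows its own unlock UI, which is where a master-password prompt can appear. `DatabaseSession`, its `unlock(with:)` method and `presentMasterPasswordPrompt` are hypothetical stand-ins for the extension's real database state, key derivation and unlock view; the `ASPasswordCredentialIdentity`-based overrides are the older signatures, still available on macOS 14 alongside the newer `ASCredentialRequest` ones.

```swift
import AppKit
import AuthenticationServices

// Hypothetical stand-in for the extension's unlocked-database state (assumption, not Strongbox code).
final class DatabaseSession {
    static let shared = DatabaseSession()
    private(set) var isUnlocked = false
    // recordIdentifier -> credential; a real implementation reads these from the decrypted database.
    var entries: [String: (user: String, password: String)] = [:]

    // Stand-in for the real key derivation + decryption; here it only flips the flag.
    func unlock(with masterPassword: String) -> Bool {
        isUnlocked = !masterPassword.isEmpty
        return isUnlocked
    }

    func credential(for recordIdentifier: String?) -> (user: String, password: String)? {
        guard isUnlocked, let id = recordIdentifier else { return nil }
        return entries[id]
    }
}

class CredentialProviderViewController: ASCredentialProviderViewController {

    // Path 1: the system asks whether we can supply the credential with no UI of our own.
    // When the database is already unlocked we say yes by completing the request directly.
    // Any prompt the user sees after this point (Touch ID / "Use Password..." with the macOS
    // account password) is drawn by the AutoFill subsystem, not by this extension.
    override func provideCredentialWithoutUserInteraction(for credentialIdentity: ASPasswordCredentialIdentity) {
        guard let entry = DatabaseSession.shared.credential(for: credentialIdentity.recordIdentifier) else {
            // Database locked (or entry missing): tell the system we need to show UI.
            // The system will then call prepareInterfaceToProvideCredential(for:) below.
            let error = NSError(domain: ASExtensionErrorDomain,
                                code: ASExtensionError.userInteractionRequired.rawValue)
            extensionContext.cancelRequest(withError: error)
            return
        }
        let credential = ASPasswordCredential(user: entry.user, password: entry.password)
        extensionContext.completeRequest(withSelectedCredential: credential, completionHandler: nil)
    }

    // Path 2: reached only after the userInteractionRequired error above. This is the only
    // place the extension's own unlock UI (the master-password prompt) is presented.
    override func prepareInterfaceToProvideCredential(for credentialIdentity: ASPasswordCredentialIdentity) {
        presentMasterPasswordPrompt { [weak self] masterPassword in
            guard let self = self else { return }
            guard let masterPassword = masterPassword,
                  DatabaseSession.shared.unlock(with: masterPassword),
                  let entry = DatabaseSession.shared.credential(for: credentialIdentity.recordIdentifier) else {
                let error = NSError(domain: ASExtensionErrorDomain,
                                    code: ASExtensionError.userCanceled.rawValue)
                self.extensionContext.cancelRequest(withError: error)
                return
            }
            let credential = ASPasswordCredential(user: entry.user, password: entry.password)
            self.extensionContext.completeRequest(withSelectedCredential: credential, completionHandler: nil)
        }
    }

    // Hypothetical master-password prompt (assumption): a modal NSAlert with a secure field.
    // Returns nil when the user cancels.
    private func presentMasterPasswordPrompt(completion: (String?) -> Void) {
        let alert = NSAlert()
        alert.messageText = "Unlock database"
        alert.informativeText = "Enter the database master password (not your macOS account password)."
        let field = NSSecureTextField(frame: NSRect(x: 0, y: 0, width: 260, height: 24))
        alert.accessoryView = field
        alert.addButton(withTitle: "Unlock")
        alert.addButton(withTitle: "Cancel")
        let response = alert.runModal()
        completion(response == .alertFirstButtonReturn ? field.stringValue : nil)
    }
}
```

The practical consequence for the report above: once the database is unlocked, every fill goes down path 1, so the master password is never requested and the system's own Touch ID / account-password prompt is the only gate. To force path 2 on every fill, the extension would have to decline the no-interaction request even when it holds an unlocked database, at the cost of a master-password entry per fill.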