Cognito Managed Login - password plaintext is visible in iOS Safari, even if 'Show Password' box is unchecked #14171
Comments
Hi @dylanmrowe, thanks for reporting this issue. I can reproduce this with the Safari browser on iPhone. Unfortunately, the Amplify JS library doesn't own the Managed Login UI; I will bring this to the Amazon Cognito team to follow up.
Hi @dylanmrowe, I did some more testing. I believe this unexpected behavior is caused by the iOS Passwords app "Create Strong Password" feature. As you can see in your screenshot, the password fields have the yellow background indicating auto-filling has happened; when this feature kicks in, it makes the text visible. I can reproduce this on any password-typed inputs. If you accept the strong password suggested by the system, then delete the populated text, the yellow background will be gone, and if you start typing again, the password text is invisible as expected.
@HuiSF I think clicking 'Not Now' should be enough to turn off the "Create Strong Password" feature on iOS. Interesting that you have to accept it, then delete it, in order to get the full password to stop displaying. Definitely sounds like an iOS bug. Hopefully Apple is already on top of this, but if not, some extra prodding from the Cognito team could help.
@dylanmrowe We have engaged the Cognito team regarding this but, at this time, it seems the issue is widely reproducible outside of Cognito (relevant question from the Apple community: https://discussions.apple.com/thread/255787112?answerId=260810125022&sortBy=rank#260810125022). Given that this issue is not specific to Amplify, I am inclined to close this ticket, but please feel free to reopen if there is something actionable you think we may be missing here. Thanks!
Before opening, please confirm:
Describe the bug
Reporting here because I can't find a dedicated place for Cognito Hosted UI (or managed login) bug reporting.
On iOS mobile devices, in Safari, during Signup, the entire password and password confirmation plaintext are visible to anyone looking at the screen while filling out the sign-up form (even if 'Show password' is unchecked). Closing the keyboard properly redacts the password, but the passwords are visible even while typing in other form fields.
This behavior doesn't happen in mobile Chrome, nor in Safari on a MacBook Pro (Sonoma 14.7).
The cause is most likely iOS's automatic-password-generation manipulation of the fields (note the yellow-highlighted password fields in the screenshot, which doesn't happen in Chrome).
See this discussion: https://discussions.apple.com/thread/255817271?sortBy=rank
I'm not sure if there's a way for AWS Managed Login to get around that, but it's a significant concern for all iOS users using Safari.
Expected behavior
The password should always be replaced by dots, unless the 'Show Password' box is checked.
Reproduction steps
Mobile Device
iPhone 13 mini
Mobile Operating System
iOS 18.1.1
Mobile Browser
Safari
Mobile Browser Version
18.1.1
Additional information and screenshots