- Edited
It's not so much a bug, but it looks like a security misconfiguation.
The issue I have is under the Settings > Passwords.
You can manipulate password settings without proper authentication.
This could lead to anyone simply disabling password authentication in 2 clicks, and using the passwords saved in Orion without anything other than access to the computer.
Only Orion Passwords are affected from what I see.
I expect, at least, one barrior before manipulating password settings.
You can hide these options in the Manage Passwords... section after the Touch ID verification.
You can make the browser require some kind of verification before applying changes.
The attack surface is low but this is a signifigant issue.
Version 0.99.130.1-beta (WebKit 621.1.2.111.4)
Sequoia (15)