Bitwarden’s new auto-fill option adds phishing resistance

The Bitwarden open-source password management service has introduced a new inline auto-fill menu that addresses the risk of user credentials being stolen through malicious form fields.

The issue was highlighted nearly a year ago when Flashpoint analysts demonstrated that it was possible for attackers to inject rogue iframes on vulnerable legitimate sites or subdomains susceptible to hijacking.

Bitwarden's response to the risk at the time was that the iframe auto-fill function should remain available for serving legitimate usage scenarios, like for icloud.com or apple.com, but will continue to be disabled by default.

Users who wanted to enable it would receive a visible warning about the risk of activating the option in the extension menu.

A few days later, the Bitwarden team announced they would add another layer of safety, allowing iframe auto-fills only on trusted sites and subdomains from the origin domain.

Today, the password manager introduced a system that incorporates lessons learned from past security challenges, enabling users to fill login credentials without risking losing their sensitive data to phishing actors.

Specifically, the following safeguards now ensure the security of the auto-fill system:

  • Bitwarden will only fill credentials when a user selects a form field, mitigating the risk of automatic credential filling on malicious websites or iframes without user awareness.
  • Users have the option to password-protect login information, adding another layer of security when using autofill.
  • Extensive third-party penetration testing was conducted and to identify and close security gaps, presumably including those related to iframes and subdomains.

In terms of the user experience, the new inline auto-fill feature was designed to keep auto-filling an easy process by keeping the menu on top of all other visible elements, repositioning it based on page size and scrolling position, allowing keyboard navigation, and only displaying results if the user is logged into the extension.

Autofill menu

By default, the feature is turned off but users can enable it from Bitwarden's extension icon in 'Settings' → 'Auto-fill', where they can set the 'Show auto-fill menu on form fields' dropdown options.

Option

To avoid conflict, it is recommended to turn off auto-filling features on your web browser if it's enabled on the Bitwarden extension.

The password manager features multiple auto-fill options that include keyboard shortcuts, a dedicated context-menu, auto-fill on page load, and manual auto-fill.

Users can also set specific parameters for the trusted URLs they want Bitwarden to provide the auto-fill option.

Related Articles:

Apple to unveil new 'Passwords' password manager app for iPhones, Macs

LastPass is now encrypting URLs in password vaults for better security

Bitwarden launches new MFA Authenticator app for iOS, Android

CISA: Most critical open source projects not using memory safe code

Why Passphrases are Safer and Easier than Passwords