
Original Article Text


Bitwarden's new auto-fill option adds phishing resistance. The Bitwarden open-source password management service has introduced a new inline auto-fill menu that addresses the risk of user credentials being stolen through malicious form fields.

The issue was highlighted nearly a year ago when Flashpoint analysts demonstrated that attackers could inject rogue iframes into vulnerable legitimate sites, or into subdomains susceptible to hijacking, and have the extension fill saved credentials into a form the attacker controlled. Bitwarden's response at the time was that the iframe auto-fill function should remain available for legitimate usage scenarios, such as icloud.com forms embedded on apple.com, but would continue to be disabled by default. Users who wanted to enable it would see a visible warning about the risk of activating the option in the extension menu. A few days later, the Bitwarden team announced they would add another layer of safety, allowing iframe auto-fill only on trusted sites and subdomains of the origin domain.

Today, the password manager introduced a system that incorporates lessons learned from those earlier issues, letting users fill login credentials without risking losing their sensitive data to phishing actors. Specifically, the following safeguards now ensure the security of the auto-fill system:

In terms of user experience, the new inline auto-fill menu was designed to keep auto-filling easy: the menu stays on top of all other visible elements, repositions itself based on page size and scroll position, supports keyboard navigation, and only displays results if the user is logged into the extension.

The feature is turned off by default. Users can enable it from the Bitwarden extension icon under 'Settings' → 'Auto-fill', where the 'Show auto-fill menu on form fields' dropdown controls it. To avoid conflicts, turn off the browser's own auto-fill features if the Bitwarden option is enabled.
The password manager offers multiple auto-fill options, including keyboard shortcuts, a dedicated context-menu entry, auto-fill on page load, and manual auto-fill. Users can also configure which URLs a saved login is offered for, so that the auto-fill option is only presented on the sites they trust.
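The rogue-iframe problem described above comes down to one decision an extension has to make: should saved credentials be filled into a form that lives inside a frame whose origin is not the page the user is looking at? The following is an added illustration of that check, written for this page and not Bitwarden's own code. It assumes a tiny constructed stand-in for the Public Suffix List (a real implementation must use the full list), and the function names shouldAutofill and registrableDomain are hypothetical. The default rule is the "same base domain or subdomain" policy the article describes; the optional requireExactHost flag shows the stricter variant a practitioner might prefer against subdomain takeover, which base-domain matching alone does not stop.

```javascript
// Added example (not Bitwarden's code): decide whether a password-manager
// extension may auto-fill a login form that sits inside a frame.
//
// The attack: a legitimate page (or a hijacked subdomain of it) embeds
// <iframe src="https://attacker.net/...">. A naive extension matches the saved
// login against the TOP-LEVEL URL, sees a trusted site, and fills the
// credentials into the attacker's frame. The check below refuses unless the
// frame is same-site with the top-level page and the page matches a saved URI.

// Constructed, deliberately tiny stand-in for the Public Suffix List
// (https://publicsuffix.org). Real code must load the full list.
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "uk", "co.uk"]);

// Registrable domain ("eTLD+1"): the longest public suffix plus one label.
// Returns null when the host is itself a public suffix or the suffix is unknown.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  // Longest candidate first, so "co.uk" wins over "uk".
  for (let i = 0; i < labels.length; i++) {
    const suffix = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(suffix)) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null; // unknown suffix: treat as untrusted
}

// topUrl must come from a source the frame cannot forge (e.g. the tab URL the
// extension background sees), never from the frame's own content script.
function shouldAutofill({ topUrl, frameUrl, savedUris, requireExactHost = false }) {
  const top = new URL(topUrl);
  const frame = new URL(frameUrl);

  // Never fill over plain HTTP: an on-path attacker can inject the frame itself.
  if (top.protocol !== "https:" || frame.protocol !== "https:") {
    return { fill: false, reason: "non-https" };
  }

  const topDomain = registrableDomain(top.hostname);
  const frameDomain = registrableDomain(frame.hostname);
  if (!topDomain || !frameDomain) {
    return { fill: false, reason: "unknown public suffix" };
  }

  // 1. The frame must be same-site with the page the user actually sees.
  //    This is what blocks the injected attacker.net iframe on example.com.
  if (frameDomain !== topDomain) {
    return { fill: false, reason: "frame is cross-site" };
  }

  // 2. The page must match one of the login's saved URIs (base-domain match).
  const savedHosts = savedUris.map((u) => new URL(u).hostname.toLowerCase());
  if (!savedHosts.some((h) => registrableDomain(h) === topDomain)) {
    return { fill: false, reason: "page does not match a saved uri" };
  }

  // 3. Optional hardening: require the frame's exact host to be a saved host,
  //    so a hijacked subdomain of a trusted site does not receive the fill.
  if (requireExactHost && !savedHosts.includes(frame.hostname.toLowerCase())) {
    return { fill: false, reason: "frame host not in saved uris" };
  }

  return {
    fill: true,
    reason: requireExactHost ? "exact host match" : "same-site frame on a saved domain",
  };
}

// Constructed scenarios for a stand-alone run.
const scenarios = [
  { topUrl: "https://example.com/login", frameUrl: "https://example.com/login", savedUris: ["https://example.com"] },
  { topUrl: "https://example.com/login", frameUrl: "https://attacker.net/collect", savedUris: ["https://example.com"] },
  { topUrl: "https://www.example.com/", frameUrl: "https://accounts.example.com/signin", savedUris: ["https://example.com"] },
  { topUrl: "https://www.example.com/", frameUrl: "https://accounts.example.com/signin", savedUris: ["https://example.com"], requireExactHost: true },
  { topUrl: "https://apple.com/", frameUrl: "https://icloud.com/", savedUris: ["https://icloud.com"] },
];
for (const s of scenarios) {
  const r = shouldAutofill(s);
  console.log(`${s.frameUrl} inside ${s.topUrl}: fill=${r.fill} (${r.reason})`);
}
```

The last scenario is the legitimate cross-domain case the article mentions (an icloud.com form embedded on apple.com): a strict same-site rule refuses it, which is exactly why cross-origin iframe filling has to be an explicit, warned opt-in rather than the default. Note also where the inputs come from: a content script running inside the attacker's frame can report any top-level URL it likes, so the decision must use the tab URL that the extension's privileged side observes, not a value supplied by the frame.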

Daily Brief Summary

MISCELLANEOUS // Bitwarden Enhances Password Auto-Fill to Thwart Phishing Attacks

Bitwarden has rolled out a new inline auto-fill menu to bolster security against credential theft via malicious form fields.

The update is a response to the potential for attackers to leverage rogue iframes on compromised legitimate sites to capture user credentials.

When the issue was first raised, Bitwarden kept iframe auto-fill disabled by default but allowed users to enable it after a clear warning of the risks.

The password manager has since integrated additional precautions that permit iframe auto-fill solely on recognized sites and subdomains linked to the origin domain.

The updated auto-fill system aims to provide a secure and convenient user experience, maintaining visibility on the screen and offering keyboard navigation.

While this feature is not enabled by default, users can activate it via Bitwarden settings, with recommendations to disable any similar browser auto-fill services to prevent conflict.

Bitwarden offers various auto-fill methods, including shortcuts and context menus, and allows users to specify trusted URLs for the auto-fill feature.