Don’t use autofill on your password manager
Updated on 3/17/23: Bitwarden says it will be releasing changes next week to its autofill behavior, which we’ve outlined at the end of this article along with revised recommendations for steps you can take to keep your passwords safe online. However, until that update goes live, our original report and advice stand.
Password managers have long offered autofill—the ability for the service or app to automatically fill in login forms with your user ID and password on saved websites. But the feature carries risk, and for popular service Bitwarden, the danger is high enough that you should avoid autofill all together.
Generally, security experts advise turning off the most proactive version of autofill, where your credentials automatically get filled in on saved sites. If a website is compromised, a malicious actor can capture your login info before you visually confirm the page looks normal.
But as security firm Flashpoint.io detailed in a blog post last week, Bitwarden’s autofill has a deeper vulnerability than other services. On websites that use iframes—where a page loads HTML elements from a different webpage—login forms hosted on an external website are still filled in with the saved site’s user ID and password info. If any of those external HTML elements become compromised (like advertising, a known vector for exploits), the result could be stolen login data.
This permissiveness isn’t by accident, but design: In the company’s documentation about the issue, which was published in late 2018, Bitwarden states that its goal is to encourage better adaption to a password manager. The company gives the example of iCloud as a major website that still uses iframes to connect to apple.com for login.
This vulnerability exists whether you have Bitwarden preemptively fill out login forms or you manually trigger autofill; Flashpoint’s testing showed that either usage of autofill carries the same risk. Bitwarden also doesn’t warn users when they’re filling out a form hosted on a different page or site, and gives a free pass to subdomains of a website, too. Meanwhile, other password managers look like safer options, as they remain stricter with their autofill policies. During Flashpoint’s spot check of rivals, they only autofilled for the site saved in the vault entry, or at least flashed a warning if an iframe pulled in an external form.
As a password manager user, you can take two major steps to protect yourself from this kind of vulnerability. (And no, the answer isn’t to never use a password manager.)
- Leave preemptive autofill off. Good services and apps have this disabled by default—leave it that way for better security.
- Use a service or app that won’t autofill forms hosted on external sites, or at the very least, will warn you that you’re about to do so.
If you decide to stick with Bitwarden, which is an otherwise reliable service and our favorite free password manager, you should also leave off preemptive autofill. And until next week (see “Update: March 17, 2023” below), you should take this precaution as well:
- Only use manually triggered autofill on sites you can reasonably trust. For example, Apple should have the resources to guard against compromised HTML elements. (If they fail to protect users against this kind of exploit, everyone’s in far bigger trouble.)
Dominik Tomaszewski / Foundry
Unfortunately, Bitwarden users don’t seem able to bypass this autofill issue when copy and pasting login info from the password manager into a form. If an externally hosted form is compromised, it’s compromised. So until the Bitwarden update gets pushed live next week [ed: see the 3/17/23 update note below], it doesn’t matter how how you input your login details. You won’t know if it’s an internally or externally hosted form—and that’s the issue.
As for official websites that are compromised, nothing can yet protect against that situation. That’s why random passwords for each and every site, service, and app are so important—they keep the damage limited to that one place. And like it or not, the best way to keep track of tens (if not hundreds) of credentials is a password manager. Choose (and use) one judiciously, and you should avoid most trouble.
Update: March 17, 2023
Bitwarden says it’s releasing an update next week that changes autofill behavior on pages with iframe elements. According to Gary Orenstein, Chief Customer Officer at Bitwarden, the service will make a distinction between “trusted” domains (any URL saved by the user to a password vault entry or part of Bitwarden’s default list of known, legitimate sites) and “untrusted” domains (web addresses that don’t match info saved in your password vault or Bitwarden’s default list of legitimate sites).
For trusted domains, when you open a page with an iframe login form, autofill will work as before—user credentials automatically fill in. This will happen either immediately upon page load if you have the “Autofill on page load” feature turned on (which I’ve called “preemptive autofill” above, and remains off by default), or if you manually trigger the autofill.
For untrusted domains, Bitwarden will react in one of two ways. If you’ve enabled the “Autofill on page load” feature (which I’ve called “preemptive autofill” above), the form will not automatically be filled in. If you manually trigger autofill, Bitwarden will pop up a warning with the URL and ask whether to proceed or cancel. These alerts will always trigger unless a user adds the URL to the password vault entry. Unsecure sites (http) related to a trusted domain will also cause a warning to appear.
Bitwarden is, however, keeping the same default matching rules as before this update—any URL that matches a base domain (e.g., www.google.com and keep.google.com) saved to your password vault or on Bitwarden’s default match list will be considered trusted. That means subdomains for trusted domains still get a pass.
With this revamp, Bitwarden is about on par with other password manager services that warn users before they fill in iframe login forms. However, if you’d like to exert more control over how matching works, you can adjust domain matching rules from within Bitwarden’s settings: either across your entire vault (Settings > Auto-fill> Default URI match detection within the browser extension) or per entry. You can actually add more than one URL to a password vault entry, and also set different matching rules for each. If you prefer stricter security controls, you may want to switch your match rules from “base domain” to “exact.” You can also flip it to “never” to disable autofill all together. Hit up Bitwarden’s help pages for more details on how each option (e.g., base domain, host, regular expression, etc.) works.