I understand that if you have Bitwarden (or any password manager or browser) configured to autofill your password when it encounters a “password” field on a web form, an easy exploit is for the web form to have hidden form fields (e.g., address, phone, email, ssn) and your autofill app will fill in your info into those fields, even though you only wanted it to autofill the login.

But when you have autofill turned off and you click in a form’s “login” field and select a login from Bitwrden’s contextual menu, Bitwarden automatically also fills in the “Password” field. Does this mean that the exploit exists even if autofill is turned off, as long as you’re using any form of an “auto-fill” function?

  • cron@feddit.org
    link
    fedilink
    English
    arrow-up
    12
    ·
    4 months ago

    I don’t think this vulnerability applies to bitwarden the same way it does to e.g. chrome browser.

    Bitwarden only offers to fill form fields when you have a password for this website - this means, that this website already has your data. Also, bitwarden does not have your address, ssn, phone stored.

    Chrome on the other hand allows you to store a multitude of form fields and can filll them automatically, and thus could leak personal data.

    • Mike WooskeyOP
      link
      fedilink
      English
      arrow-up
      2
      ·
      4 months ago

      Bitwarden does have address fields, and it also had custom fields so you can define any field you want (SSN, etc).

      It may not be a good thing to store such info there, but my question is about what happens when you do store that info.

      Also, it’s possible to have a login/password for a site but not give them your address, etc.

      • isolatedscotch@discuss.tchncs.de
        link
        fedilink
        English
        arrow-up
        3
        ·
        4 months ago

        as far as i know, bitwarden stores data on a per-site basis, so unless you saved custom fields for that specific site in the past the app won’t give it private data from another site