
Bitwarden has updated its autofill tool to help prevent users from having their credentials stolen in web page phishing attacks.

The open source password manager will now provide a menu when clicking on login form fields, giving you a list of possible autofill candidates from your vault to choose from. This also means that login fields will no longer be filled in automatically when you first load up a login page. 

In addition, users will now have the option to protect their autofill credentials with an extra password, to make sure they aren’t automatically filled by a malicious third party.

Iframes

The change to the autofill function is a response to a disclosed vulnerability affecting websites that use iframes.

Iframes allow one webpage to be embedded within another, which is useful for inserting ads or video content within a single page. Popular websites, such as Apple’s and its iCloud cloud storage, also use them for login fields.

However, it was found that threat actors could use malicious iframes containing form fields to steal credentials, as autofill would input the credentials straight away into said form fields. 

At the time, Bitwarden responded by saying that the risk was low, and that allowing autofill was a convenience worth having for accessing popular sites, like those of Apple and iCloud. It also noted that autofill is disabled by default, and a warning is displayed explaining the potential risks when users go to turn it on.
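To show why a menu opened by clicking a field is safer than filling on page load when a login form sits inside an iframe, here is an added example of a hypothetical autofill policy (not Bitwarden's code and not part of the original article). The function names, the frame fields, the vault entries and the example.* origins are all assumptions constructed for illustration.

```javascript
// Hypothetical autofill policy for illustration; not Bitwarden's implementation.
// Constructed sample vault: every name and URI here is made up.
const SAMPLE_VAULT = [
  { name: "Example login", uri: "https://login.example.com" },
  { name: "Example shop", uri: "https://shop.example.net" },
];

// Normalise to an origin string; null for non-HTTPS or opaque origins
// (a sandboxed iframe reports the literal origin "null").
function httpsOrigin(value) {
  try {
    const u = new URL(value);
    return u.protocol === "https:" ? u.origin : null;
  } catch {
    return null;
  }
}

// frame = { formOrigin, topOrigin, userClickedField }
// Returns { action, candidates, crossOrigin } where action is
// "block", "none" (nothing filled or shown) or "menu" (user picks an entry).
function autofillDecision(vault, frame) {
  const form = httpsOrigin(frame.formOrigin);
  const top = httpsOrigin(frame.topOrigin);
  if (form === null || top === null) {
    return { action: "block", candidates: [], crossOrigin: true };
  }
  const crossOrigin = form !== top;
  // Loading a page never fills anything: a form in an embedded frame would
  // otherwise receive credentials with no user interaction at all.
  if (!frame.userClickedField) {
    return { action: "none", candidates: [], crossOrigin };
  }
  // Match entries against the frame that owns the form, not the page around
  // it, so an embedded third-party frame cannot borrow the host page's entry.
  const candidates = vault
    .filter((entry) => httpsOrigin(entry.uri) === form)
    .map((entry) => entry.name);
  return { action: candidates.length ? "menu" : "none", candidates, crossOrigin };
}

// Constructed scenario: third-party frame embedded in a site the user has saved.
console.log(autofillDecision(SAMPLE_VAULT, {
  formOrigin: "https://ads.example.org",
  topOrigin: "https://shop.example.net",
  userClickedField: true,
}));
```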

In order to make the new autofill menu user-friendly, it will remain on top of all other elements on a page, and will also reposition itself according to the size of the page and where form fields appear. Users will also be able to navigate through the list of credentials in the autofill menu using the keyboard in addition to a mouse.

There are various other parameters users can adjust in the autofill settings of their Bitwarden browser extension too.
