Require confirmation for the Auto-fill option
- When user clicks to enable the Auto-fill option, show a new page. The page repeats the warning, and requires the user to confirm…
- Confirmation could initially be by ticking a box again (label: “Yes, I want to enable auto-fill on page load”), because…
- …Flashpoint’s example exploit additionally relied on “Base domain” URI match. There could be a second tickbox “Do not change default URI match detection to ‘Host’”, if the option had still been set to “Base domain”.
- A final button to apply the chosen settings. This could be something standard like “Apply” vs. “Cancel”, or “Change my settings”, or even more harshly “Use less safe settings”.
Requiring any confirmation would at least avoid the possibility of “fat-fingering” the checkbox and not realizing the setting was in the “warning” state.
And the harsher the confirmation required, the more it would be clear to the user that BitWarden considered it a serious issue.
I am interested to see more detailed response to this feature request, because AFAICT the following could be a realistic scenario:
- be a user of one of the relevant hosting services
- be contacted, e.g. email to [email protected] address, with a link
- a link click will phish your login instantly, with no further user interaction.
- the attacker will edit your hosted site to secretly serve their malware to visitors, or replace/insert their own ads, etc.
This scenario requires that you use Bitwarden “auto-fill on page load”. The “Warning” currently advises that doing so is “generally safe” unless you are not a careful person and visit “compromised or untrusted websites”.
I am also interested in the text of the warning message. But choosing language can be difficult, and I would be interested in requiring confirmation regardless of what the text above the checkbox said.
Related topics + references
Hopefully the following website links that I send you are not “compromised or untrusted”, and you can visit them safely. Take care ;-).
Telling users to ‘avoid clicking bad links’ still isn’t working - UK National Cyber Security Centre.
BitWarden developers’ response to the exploit as published in Bleeping Computer
The Bleeping Computer article correctly links to the public report by Flashpoint. As a new user, I can’t include more than two trustworthy links here. Feel free to edit a third hyperlink into this post.
“Bitwarden: The Curious (Use-)Case of Password Pilfering | Flashpoint”
“It should also be noted that a brief evaluation of other password manager extensions shows that none of those will auto-fill iframes from different origins or show warnings for iframes from different origins.”
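The confirmation page proposed at the top of this post (a confirmation tickbox, a second tickbox about keeping “Base domain” URI matching, and an Apply/Cancel button), plus the cross-origin iframe point in the quote above, sketched as an added JavaScript example. This is illustration written for this post, not Bitwarden’s code: the settings object, option names, form fields and function names are assumptions, and the “base domain” comparison is a simplification (last two labels of the hostname) of what a real client would do with a public suffix list.

```javascript
// Added example (not Bitwarden code). Settings shape, option names and form
// field names are assumptions made for illustration.

const URI_MATCH = { BASE_DOMAIN: "baseDomain", HOST: "host" };

// Constructed sample of what the extension might persist before the change.
function defaultSettings() {
  return { autofillOnPageLoad: false, defaultUriMatch: URI_MATCH.BASE_DOMAIN };
}

// Evaluate the confirmation page. `form` holds the state of the tickboxes and
// which button was pressed:
//   form.confirmAutofill : "Yes, I want to enable auto-fill on page load" ticked
//   form.keepBaseDomain  : "Do not change default URI match detection to 'Host'" ticked
//   form.action          : "apply" or "cancel"
// Returns { settings, changed, warnings } so the UI can show what happened.
function applyConfirmation(current, form) {
  const warnings = [];
  if (form.action !== "apply") {
    return { settings: { ...current }, changed: false, warnings: ["cancelled; settings unchanged"] };
  }
  if (!form.confirmAutofill) {
    // A click on the original checkbox alone (the "fat-finger" case) never enables the option.
    return { settings: { ...current }, changed: false, warnings: ["confirmation not ticked; auto-fill stays off"] };
  }
  const next = { ...current, autofillOnPageLoad: true };
  if (current.defaultUriMatch === URI_MATCH.BASE_DOMAIN) {
    if (form.keepBaseDomain) {
      warnings.push("auto-fill on page load enabled with 'Base domain' matching (less safe)");
    } else {
      next.defaultUriMatch = URI_MATCH.HOST;
      warnings.push("default URI match changed from 'Base domain' to 'Host'");
    }
  }
  return { settings: next, changed: true, warnings };
}

// Does a saved login URI match the page URL under the given match mode?
// "host" compares the full hostname; "baseDomain" compares only the last two
// labels, which is why two different customers of one hosting service look alike
// under that mode. (Simplification: a real client uses the public suffix list.)
function uriMatches(savedUri, pageUrl, mode) {
  const saved = new URL(savedUri).hostname;
  const page = new URL(pageUrl).hostname;
  if (mode === URI_MATCH.HOST) return saved === page;
  const base = (h) => h.split(".").slice(-2).join(".");
  return base(saved) === base(page);
}

// Page-load gate that consults the resulting settings: auto-fill only fires when
// the option is on and the frame being filled has the same origin as the top page,
// which is the behaviour the Flashpoint quote attributes to other extensions.
function shouldAutofillOnLoad(settings, topOrigin, frameOrigin) {
  if (!settings.autofillOnPageLoad) return false;
  return topOrigin === frameOrigin;
}

// Stand-alone demonstration of the flow with constructed inputs.
const result = applyConfirmation(defaultSettings(), {
  confirmAutofill: true, keepBaseDomain: false, action: "apply",
});
console.log(result.settings, result.warnings);
console.log(uriMatches("https://login.hosting.example/", "https://other.hosting.example/", result.settings.defaultUriMatch));
```

Running it shows the option being enabled only through the confirmation tickbox, the URI match defaulting to “Host” unless the user explicitly asked to keep “Base domain”, and the host-mode comparison rejecting a different subdomain of the same hosting service.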