Add confirmation for the Auto-fill option - the exploit suggests the current warning might not be harsh enough?

Being reactive to sensationalistic blogs that overhype corner cases will result in patchwork solutions that are ineffective and unsustainable.

A holistic approach would be more effective, but it is difficult to rationally discuss sensible solutions in an environment of clickbait articles that whip readers into a frenzy over some minor issue.

Using some band-aid to fix the iframe issue will not prevent the same type of credential theft from occurring by XSS (e.g., as demonstrated here and here). As I see it, the underlying issue is that password managers (including Bitwarden) will auto-fill invisible form fields. This issue is not new; it has been known for decades. However, the problem is difficult to solve without breaking functionality. In my opinion, one or both of the following strategies should be explored to mitigate the entire class of attacks based on invisible forms:

  • The browser extension should analyze the visibility of form fields, and only fill fields that are visible. This analysis is not trivial to do, and preventing invisible fields from being filled will affect the auto-fill behavior on two-step login forms (in which the username and password fields are presented separately).

  • The browser extension should count the number of available input fields that will be auto-filled using the password field. If more than one such field is found on the current page, present the user with a warning before auto-filling. This will alert the user that there may be a hidden form on the login page, but it will have the side-effect of creating an extra confirmation step when using auto-fill to complete account registration and password change forms. The unwanted side-effect could be avoided by allowing the user to mark specific URIs as login forms (where only a single password field is expected), so that the warning is presented only when multiple password fields are detected on a form that has been designated as a login form.

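The two mitigations proposed in the post above, sketched as an added example (not Bitwarden's code): a visibility heuristic for password inputs and a count-based warning that only fires on URIs the user has designated as login forms. It runs in Node against a constructed field model; the `style` and `rect` shapes stand in for `getComputedStyle()` and `getBoundingClientRect()` results, and the login-URI list is an assumed user-maintained setting.

```javascript
// Added example (not Bitwarden's code): the two mitigations proposed above,
// written against a constructed field model so it runs in Node without a DOM.
// A real extension would derive `style` from getComputedStyle() and `rect`
// from getBoundingClientRect() (both assumed here, not read from a page).

// Visibility heuristic for strategy 1: treat an input as invisible if any of
// the common hiding tricks applies to it or to an ancestor.
function isFieldVisible(field) {
  const s = field.style || {};
  const r = field.rect || { top: 0, left: 0, width: 0, height: 0 };
  if (field.type === "hidden") return false;                 // <input type=hidden>
  if (s.display === "none" || s.visibility === "hidden") return false;
  if (s.opacity !== undefined && Number(s.opacity) === 0) return false;
  if (r.width === 0 || r.height === 0) return false;         // zero-size box
  if (r.left + r.width <= 0 || r.top + r.height <= 0) return false; // off-screen
  if (field.ancestorHidden) return false;                    // hidden container
  return true;
}

// Strategy 2: count every password input the credential would be written
// into; on a URI the user designated as a plain login form, more than one
// such field is suspicious and should trigger a confirmation prompt.
function autofillDecision(fields, pageUri, loginUris) {
  const targets = fields.filter((f) => f.type === "password");
  const visible = targets.filter(isFieldVisible);
  const hiddenCount = targets.length - visible.length;
  const designatedLogin = loginUris.some((u) => pageUri.startsWith(u));
  const action = designatedLogin && targets.length > 1 ? "warn" : "fill";
  // Even when filling, strategy 1 restricts the fill to visible fields only.
  return { action, total: targets.length, hidden: hiddenCount, fill: visible };
}

// Constructed sample page: one genuine login form plus a password field that
// is transparent and pushed off-screen, the shape an injected field takes.
const SAMPLE_FIELDS = [
  { id: "user", type: "text", style: { display: "block" }, rect: { top: 100, left: 40, width: 200, height: 30 } },
  { id: "pass", type: "password", style: { display: "block" }, rect: { top: 140, left: 40, width: 200, height: 30 } },
  { id: "stolen", type: "password", style: { display: "block", opacity: "0" }, rect: { top: 0, left: -9999, width: 200, height: 30 } },
];
const LOGIN_URIS = ["https://example.test/login"]; // assumed user-designated list

const decision = autofillDecision(SAMPLE_FIELDS, "https://example.test/login", LOGIN_URIS);
console.log(decision.action, decision.fill.map((f) => f.id)); // warn [ 'pass' ]
```

On a URI not in the login list (a registration page, say) the same fields yield `action: "fill"`, but the fill set still contains only the visible password input, so the hidden one never receives the credential.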