I recently installed the “Cync” app for GE smart lights, which has the package name `com.ge.cbyge`. When I went to log in, I was alarmed to see Bitwarden suggest autofilling credentials for half a dozen unrelated domains. These included:

- `geico.com`
- `getplanta.com`
- `foobarcommercial.managebuilding.com`

as well as others.

All the suggested domains did have the substring `ge` somewhere… but that’s quite a common substring. They did not all have `ge.com`. My default URI match detection is “Base domain”, and none of these credentials have overrides. This doesn’t make sense to me with my understanding of the documentation for base domain detection: https://bitwarden.com/help/uri-match-detection/#base-domain

This concerned me because with one mis-tap I could have given the credentials for my insurance or for my rent payment portal to an unrelated application.

I can reproduce this issue. Why is it happening, and is there something that I can do to prevent these dangerous suggestions?
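As an added illustration (not part of the post above, and not Bitwarden's own code), the following Python script contrasts the documented “Base domain” rule with a plain substring check over a constructed set of vault URIs modelled on the domains the poster lists. The `base_domain` helper is a simplification that takes the last two DNS labels; Bitwarden's documented rule is based on the public suffix list, so multi-part suffixes such as `co.uk` are not handled here. The vault entries and the `ge.com` comparison target are assumptions for the example.

```python
from urllib.parse import urlsplit

# Constructed sample vault entries (hypothetical; not the poster's real vault).
VAULT_URIS = [
    "https://www.geico.com/login",
    "https://getplanta.com/",
    "https://foobarcommercial.managebuilding.com/Resident/portal",
    "https://www.ge.com/account",
]


def host_of(uri: str) -> str:
    """Return the lowercase hostname of a URI; a bare hostname is accepted as-is."""
    parts = urlsplit(uri if "://" in uri else "//" + uri)
    return (parts.hostname or "").lower()


def base_domain(uri: str) -> str:
    """Simplified 'base domain': the last two DNS labels (www.geico.com -> geico.com).

    Assumption: this stands in for the public-suffix-based rule the Bitwarden
    documentation describes, so it is wrong for suffixes like co.uk.
    """
    host = host_of(uri)
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def base_domain_matches(vault_uris, target: str) -> list[str]:
    """Entries whose base domain equals the target's base domain.

    This is what the documented 'Base domain' option is expected to offer:
    only entries whose base domain is the same as the login target's.
    """
    wanted = base_domain(target)
    return [u for u in vault_uris if base_domain(u) == wanted]


def substring_matches(vault_uris, needle: str) -> list[str]:
    """Entries whose hostname merely contains the substring.

    Only a loose rule like this would offer geico.com or getplanta.com for a
    target associated with 'ge'; it is shown here to make the difference
    concrete, not as a claim about how any client actually behaves.
    """
    needle = needle.lower()
    return [u for u in vault_uris if needle in host_of(u)]


if __name__ == "__main__":
    print("base-domain matches for ge.com:", base_domain_matches(VAULT_URIS, "ge.com"))
    print("substring matches for 'ge':   ", substring_matches(VAULT_URIS, "ge"))
```

Run as-is, the base-domain rule selects only the `ge.com` entry, while the substring check selects all four constructed entries, which is the behaviour the poster observed and the documentation does not lead one to expect.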