Alarming autofill: com.ge.cbyge matches lots of domains just containing "ge"

I recently installed the “Cync” app for GE smart lights, which has the
package name com.ge.cbyge. When I went to log in, I was alarmed to see
Bitwarden suggest autofilling credentials for half a dozen unrelated
domains. These included:

  • geico.com
  • getplanta.com
  • foobarcommercial.managebuilding.com

as well as others.

All the suggested domains did have the substring ge somewhere… but
that’s quite a common substring. They did not all have ge.com. My
default URI match detection is “Base domain”, and none of these
credentials have overrides. This doesn’t make sense to me with my
understanding of the documentation for base domain detection:
https://bitwarden.com/help/uri-match-detection/#base-domain

This concerned me because with one mis-tap I could have given the
credentials for my insurance or for my rent payment portal to an
unrelated application.

I can reproduce this issue. Why is it happening, and is there something
that I can do to prevent these dangerous suggestions?

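To make concrete what the documented "Base domain" rule should and should not match for an Android app, here is an added example. It is not Bitwarden's code and does not claim to show why the suggestions above appeared; it implements the documented rule (a saved web URI matches a request only when their base domains are equal, and an Android app only matches a saved `androidapp://<package>` URI with the same package) and contrasts it with a hypothetical over-broad substring check. The vault entries, the `MULTI_PART_SUFFIXES` stand-in for the Public Suffix List, and all function names are assumptions made for the example.

```javascript
// Added example (not Bitwarden's code): "Base domain" URI matching versus a
// hypothetical substring match, run over a constructed vault.

const APP_SCHEME = "androidapp://"; // scheme Bitwarden uses for Android package URIs

// Assumption: a tiny stand-in for the Public Suffix List so that base-domain
// extraction handles suffixes such as co.uk as well as plain TLDs.
const MULTI_PART_SUFFIXES = new Set(["co.uk", "com.au", "co.jp"]);

// Accept either a bare host ("geico.com") or a full URI ("https://www.geico.com/login").
function hostOf(uri) {
  try {
    const withScheme = uri.includes("://") ? uri : `https://${uri}`;
    return new URL(withScheme).hostname.toLowerCase();
  } catch (_e) {
    return null; // unparsable URIs never match anything
  }
}

// Registrable domain: the last two labels, or three when the last two form a
// known multi-part public suffix (so accounts.example.co.uk -> example.co.uk).
function baseDomain(host) {
  const labels = host.split(".").filter(Boolean);
  if (labels.length < 2) return host;
  const lastTwo = labels.slice(-2).join(".");
  const keep = MULTI_PART_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-keep).join(".");
}

// The documented "Base domain" rule. An app request and a web URI never match
// each other; two app URIs match only on the exact package name; two web URIs
// match only when their base domains are identical.
function matchesBaseDomain(savedUri, requestUri) {
  const savedIsApp = savedUri.startsWith(APP_SCHEME);
  const requestIsApp = requestUri.startsWith(APP_SCHEME);
  if (savedIsApp || requestIsApp) {
    if (!(savedIsApp && requestIsApp)) return false;
    return savedUri.slice(APP_SCHEME.length).toLowerCase() ===
      requestUri.slice(APP_SCHEME.length).toLowerCase();
  }
  const a = hostOf(savedUri);
  const b = hostOf(requestUri);
  return a !== null && b !== null && baseDomain(a) === baseDomain(b);
}

// Hypothetical over-broad matcher, shown only for contrast: it treats any saved
// URI that merely contains a short token (for example "ge") as a match.
function matchesBySubstring(savedUri, token) {
  return savedUri.toLowerCase().includes(token.toLowerCase());
}

// Constructed vault for the example; names and URIs are made up.
const SAMPLE_VAULT = [
  { name: "GEICO", uri: "https://www.geico.com/" },
  { name: "Planta", uri: "getplanta.com" },
  { name: "Rent portal", uri: "https://foobarcommercial.managebuilding.com/" },
  { name: "GE web", uri: "https://www.ge.com/" },
  { name: "Cync", uri: "androidapp://com.ge.cbyge" },
];

// Entries that the base-domain rule would offer for an autofill request.
function suggestionsFor(vault, requestUri) {
  return vault.filter((e) => matchesBaseDomain(e.uri, requestUri)).map((e) => e.name);
}

// Entries that the hypothetical substring matcher would offer for a token.
function substringSuggestionsFor(vault, token) {
  return vault.filter((e) => matchesBySubstring(e.uri, token)).map((e) => e.name);
}

// Stand-alone run: the Cync app should get exactly one suggestion under the
// base-domain rule, while a substring match on "ge" drags in every entry.
console.log("base domain :", suggestionsFor(SAMPLE_VAULT, "androidapp://com.ge.cbyge"));
console.log("substring ge:", substringSuggestionsFor(SAMPLE_VAULT, "ge"));

module.exports = { hostOf, baseDomain, matchesBaseDomain, matchesBySubstring, suggestionsFor, substringSuggestionsFor, SAMPLE_VAULT };
```

The practical check this illustrates: with an `androidapp://` URI saved for the app, and "Base domain" matching, no web credential should be offered to the app at all, because the app and web branches of the rule never cross. If they are being offered, either the saved entries carry a URI that really does share a base domain with what the app presents, or something other than the documented rule is in play; the Exact setting suggested in the reply below closes the gap either way.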

Thanks, I'll review this; for now, I would suggest changing your URI matching to Exact.
