Auto Fill is pasting password in website search box

This seems like a serious issue with the autofill feature.

I am using safari on Mac with the BW browser extension.

I was logging into reddit, used auto-fill. To my surprise, the password not only auto-filled in the password field, but also auto-filled in reddit’s search box! What is going on here???

Many websites don’t work perfectly with autofill. You can use the Report autofill failure form to report this issue, which may help Bitwarden improve its autofilling algorithms.

In the meantime, you should be able to implement a work-around. For example, you can probably define a custom field that matches the search box (using the right-click option that identifies custom filed names), and set the field value to be blank. Alternatively, leave the password field blank, and create a custom field (type hidden) that matches only to the actual password box (and store your password in that custom field instead of in the regular password field of your login entry for Reddit).

Strange - it works just fine for me on Safari 15.6.1 and MacOS Monterey 12.5.1. If it was a bug in Bitwarden, I would have expected to be able to replicate your behaviour.

Are you sure it isn’t Keychain filling in the search box? If that’s not it, I would edit your Bitwarden entry for Reddit and delete all the URIs and replace it with and see if that fixes it.

Thank you for the informative reply.

Right clicking and selecting “copy custom field name” yields the following values:

Search box: “header-search-bar”
Username: “loginUsername”
Password: “loginPassword”

I understand the logic behind your solutions, and I will try them out.

Still, it begs the question why the field “header-search-bar” would be populated with the password on autofill. Keep in mind that the username and password fields do still get populated correctly; the issue is that it also autofills that search bar with the password, too. weird.

Thank you guys for your insight.

Thank you for your input and suggestion. I do not have safari/keychain autofill enabled, so that cannot be the issue.

For what it’s worth, I am not able to reproduce the behavior (password autofilling to Search bar) when I manually autofill on using the Chrome browser extension on a Windows system. On the new, there is a dedicated login page that does not have a Search bar.

Are you using the new or old reddit (and if the new interface, are you logging in through the login page?)? Which search bar specifically is being filled?

lol, as soon as we are engaging in this discussion, reddit is having problems. so says down detector. once this irony passes, I will show you. is still up. Perhaps you can try it there and see if you get the same result?

thx for suggestion. Just tested on no issue there. autofill worked fine.

for reference, the field names for old reddit are

search box: ‘q’
username: ‘user’
password: ‘passwd’

I have not changed any parameters in my vault. So, clearly there is some sort of issue with the search bar on the new reddit w/ bw autofill. hmm.

On the new reddit site, when clicking “Log In”, this pops up. When BW autofills, it also autofills the username and password correctly, but also fills the password in the search field (green).

1 Like

Then definitely complete the form that @grb posted above to report instances where the extension does not autofill correctly. That’s a relatively serious one! Thanks for mentioning it @xru1nib5.

I appreciate everybody’s responses. I was hoping to utilize autofill to be a bit more secure and a bit quicker than regular copy/paste. but, alas, if autofill has the propensity at times to put an entire password in plain text in a random field, autofill seems like more risk than it’s worth.

For what its worth, @xru1nib5, I have been using Bitwarden for years and this is the first time I have ever seen Bitwarden paste a password in the wrong field. And I can’t seem to replicate this behaviour, so it is unclear what is actually happening. So, while I do understand your concern, I think this behaviour is rare and relatively isolated. I also suspect that if you follow the advice above, you could find a secure workaround using custom fields to prevent the incidental pasting of your password in that search field on Reddit.

As I try to figure out what is going on, I have noticed a bit more detail about the issue. Keep in mind, I am running a fully updated MacOS Montery 12.5.1, as well as fully updated bitwarden app and safari extension.

Anywhere on the new reddit page where there is a field to fill (search box, create-post title, etc), upon initiating autofill via any method (right-click to autofill, command+shift+L, click extension icon and click the corresponding vault item in the tab section), these fields will get populated with either the username or password from the vault. Sometimes it autofills the password, sometimes the username. But, no matter what, if there is a search box/create post title box/etc on the webpage at the time of initiating autofill, bw will fill it with either the username or password.

Autofill on page load is always risky, and should only be enabled for websites that you trust (and for which your URI matching is set up to avoid unintentional autofilling of unrelated web pages — use Exact matching when possible). See a recent post of mine for more information about potential risks inherent in the autofill feature.

Manual autofill can provide a net security benefit (by not leaking credentials to the clipboard), but should be individually tested for each site on which you intend to use this function. As mentioned above, if things don’t work properly at first, there are usually work-arounds that can be implemented on a case-by-case basis.

Do let us know if any of the suggested workarounds solve your problem on Reddit.

You guys are cool and responsive. Great community, you are appreciated.

I will never utilize autofill on page load, for many reasons.

now, I weigh the balance btwn utilizing manual autofill with potential issues (like autofilling contents in random fields on the website), vs just utilizing good old copy/paste with the clipboard clearing timeout in place.

1 Like

This is likely an issue related to how the Reddit site is rendered in Safari, and/or related to the Safari extension. I tested again using the Chrome extension on the new Reddit site, and did not observe any filling of the search box. In fact, even if I tried to deliberately fill the search box by defining a custom field for header-search-bar, the corresponding value was not filled when autofilling from the login window (however, it did autofill the search box as expected if I close the login window).

Yeah, seems like an issue specific to Safari. I want to utilize manual autofill for the convenience and security reasons, but when I see the entire password sitting in plaintext on a random field in on said website, that security factor becomes a bit moot. I hope this issue can get addressed. Until then, I will just utilize copy/paste.

Your choice, of course, but I still think it may be possible to work around the issue by defining a custom field header-search-bar that has a blank value.

Tried it. Doesn’t alleviate the issue. Keep in mind that I have found that any open field on the new reddit site will be populated via autofill, whether the login page is up or not. The search bar was the first culprit I noticed, as I attempted to login. But, if you attempt to autofill on a page with an open field, e.g. a topic title for a new post, it will auto fill that too.

There’s a problem somewhere btwn the BW Safari extension and this website, where autofill will just randomly fill any box on the page with either the username or password, regardless of how I set up the definitions and contents of standard fields and custom fields in BW.