Bitwarden automatically opens a window on each website with a master password re-promptet entry

I have a problem with the Bitwarden Chrome Extension in Brave, both on my Linux PC and on my Laptop on Linux/ Windows.

Every time I visit a webpage where I have saved a login with the option “re-prompt master password” enabled, Bitwarden opens in a new browser window as shown in the image below (red):

Bitwarden opens in new Window1920×1080 246 KB

Not that this page doesn’t have any fields for autofill, and it still opens. With autofill disabled it happens too.

I already created a GitHub Issue, but they said they couldn’t reproduce it, so I’m searching here for help.

Brave: v1.58.131
Bitwarden: v2023.9.1

I also cannot reproduce this issue (at least not on a Chrome browser). Have you tried uninstalling and reinstalling the browser extension?

I reinstalled the extension and the error persists.

An annoying workaround is to lock Bitwarden if you visit pages with the option enabled. If you need it, open it and after using lock it again afterwards.

Since it hasn’t yet been possible for others to replicate your problem, if you want any progress to be made, it is probably best if you try to determine what factor in your setup is triggering the behavior.

Seems like you have already tried using different devices and different operating systems. What about different browsers (i.e., a browser other than Brave)? You could also try a new browser profile using default settings, or using Private/Incognito mode, or disabling all browser extensions and plugins except for Bitwarden.

If you don’t have time for such experimentation, then your best bet is to wait until other (reproducible) bugs that have similar characteristics to yours are fixed (e.g., this one from Reddit), and hope that these fixes also take care of your problem.

I have this issue too, which started last week on Edge on my work PC and on my home PC started occurring on Edge last night and then Chrome today.

I have not yet noticed it on Firefox.

Each affected device has also had malware scans run (using one or more of Cylance Protect, Malwarebytes, Sophos Scan and Clean and MS Defender) with no issues found.

The conditions where this occurs for me:
-Certain websites (including Bitwarden and Google) where there is a Bitwarden entry with a matching URI and master password reprompt set on for that entry - but not all websites which meet that condition necessarily cause the issue
-Using Edge or Chrome
-Bitwarden extension for Edge/Chrome (2023.9.1 for both)
-Bitwarden extension is logged in and vault unlocked
-Occurs across several PCs
-The user in some way interacts with the page, e.g. clicking on a link within that page or typing, causing Bitwarden to open up a pop up (or close the existing pop up and open a new one) with that vault entry and asking for the master password reprompt.

I have just tried contacting support and including a video showing the issue, but due to the video containing sensitive information am unfortunately unable to also link it here.

Any assistance on this would be appreciated.

Great that I’m not alone with this issue, but sorry for you that it happened. I can’t try it today with other browsers, but ill try tomorrow.
I think it could be a Chromium problem since Edge, Chrome, and Brave all are Chromium-based and Firefox doesn’t have this error.

@104398 On Brave, I don’t have to interact with the website. The popup comes just after loading the page and there hasn’t to be a field for autofill, since my screenshot shows the official Bitwarden website home page which doesn’t have any field for autofill.

Here are some workarounds:

• lock the vault when you browse a website with the option enabled
• if you just have a few passwords with the option enabled, you could disable the option until it gets fixed (wouldn’t recommend for banking sites or sites which don’t have any other security measures like MFA/ …)
• update the URI that it only matches the exact page for the login of a website

another possible option that could fix the problem, but I haven’t tried it

• downgrade to an older Bitwarden version (extension)

Thanks @chraebsli.

The behaviour you have described is similar for me (i.e. I don’t need to interact with the website for the new window/master password reprompt to appear), however when I do interact with the website this window will repeatedly close itself and reappear on the forefront of my screen with each interaction, ‘absorbing’ any text input (e.g. attempting to type an email). Apologies if my earlier wording was unclear.

The following workarounds have been successful for me over the past few hours:

1. downgrading the Bitwarden browser client (in my case, 2023.7.0 from a backup); and/or
2. turning off “Auto-fill on page load” and restarting the browser.

I will keep monitoring but mention the above in case helpful for you.

For the sake of completeness, I have also tried disabling all other extensions and removing/reinstalling the Bitwarden client from the Chrome store (2023.9.1) which unfortunately did not make any difference.

Also noting the OP of the reddit post linked by @grb above appears to have had some success with workaround #2 (disabling “Auto-fill on page load”).

Cheers

So it still seems that the issue faced by @chraebsli is different (yet possibly related) to the other issues (including yours), because in the top post here, he says that the behavior also occurs “with autofill disabled”.

@chraebsli Can you please double-check and confirm that when you go to Settings > Auto-fill and disable “Auto-fill on Page Load” (then restart your browser), the problem is still there?

@104398 Ahh sh*t I have tried to turn off autofill but without success (bc I didn’t restart). As an IT professional who has to say “Have you already tried to restart it?” almost every day, I really feel like I should switch my profession.

The problem is not solved but since you can add a shortcut for autofill I will just use this for some time until a new Bitwarden version comes out. Personally, I use alt + b which is easy to remember and also pressed quickly.

hey @grb

Just saw your post after I replied to @104398. The problem is not solved, but his second workaround works great.

Thank you for your help and have a great day.

Not sure if you are aware, or if there is some reason you can’t use this, but Bitwarden has a native keyboard shortcut for auto-filling:
Ctrl+Shift+L

Using a keyboard shortcut is also safer than using “Auto-fill on page load”, as it reduces the risk of leaking your credentials into hidden form fields each time you load a new web page.

In any case, even though your problem is not solved, this appears to bring it into the realm of the reproducible, with at least 3 reports of the same behavior. That should make it more likely that a fix will be forthcoming.

You may want to consider filing a bug report on GitHub.

@chraebsli I forgot that you already did report this. You can either file a new report, or add the information about “Auto-fill on Page Load” to the existing issue, and then request that the issue be re-opened based on the new information. Not sure which of these two options will be most effective — I’m guessing that starting a new issue will get you a quicker response.

Out of curiosity, what is the expected behavior (i.e., what used to happen before version 2023.9.0?)? If you have enabled “Master password re-prompt”, and also enabled “Auto-fill on page load”, and assuming that you are using the default URI Match Detection method (“Base Domain”), wouldn’t you get a pop-up prompt in the browser extension viewport each time that you navigate to a new page in a domain for which “Master password re-prompt” is enabled?

@grb someone has already added a comment to my and another user’s issue on GitHub describing the issue with the autofill enabled option. Probably it was you after sending this post or @104398 or someone other who watches this discussion.

Bitwarden never opened a popup for the master password re-prompt option before the new version. On all my devices and OS I’ve ever had, it was like if autofill was disabled.

I see — so auto-filling was basically set to fail silently in this configuration.

I’m guessing that Bitwarden will not revert to an implementation in which auto-fill fails silently, so it seems that the solution is to more carefully tailor the site-specific URI Match Detection rule for items that have “Master password re-prompt” enabled. Can you try to save the URL for the actual login page, and then set the URI match detection for that URI to “Exact” or “Starts with” (in the latter case, you would remove any session-specific strings from the end of the login URL, leaving only the part of the URL that is constant each time that you log in)?

I have this problem in Chrome as well. You can read my comments on this thread, Master password reprompt not working - #7 by Joe_G

I’ve had to disable auto-fill to sidestep this annoyance. My desired behavior is to auto-fill when re-prompt isn’t required, and to allow me to select the account and input master password when re-prompt is required. Basically, exactly as it worked before. To the extent that a pop-out window is somehow needed for the re-prompt now, then it should be asking me which of the multiple accounts I have for a page that I want to use; and, most importantly, not incessantly launching that pop-out window.

Actually, now another “reprompt not working” issue is happening, and I may be properly hijacking this thread on a tangent…

When I’m on a site that has a Master Password Re-Prompt required, a separate pop-out window requesting the re-prompt keeps showing up. Even if I’ve already logged into the site, I dismiss the smaller pop-out window that appears in the top right and it reopens.

To be clear, it is not appearing in the same manner as when you click on the Bitwarden extension icon, it is the same menu that appears in its own separate pop-out window. Something is off with this update

Edit: I’ve found this in the release notes, “Launch unlock or login in new window when auto-filling”
The motivation of that change isn’t immediately clear to me, but it seems not to be implemented well for my use case. I also don’t see a way to disable this in Options. As it is, I’d say it’s a bug.

Edit2…

Yes this “Launch unlock or login in new window when auto-filling” behavior is broken in that it continues to launch:

1. When recently dismissed on the site
2. When already filled on the site
3. When a login form is not present on the page
4. When there are multiple possible login values for the page that could be selected

RE: The last point, for many of the pages I require Reprompt, there are multiple saved accounts which might be selected to autofill. As implemented, the pop-out window launches and demands a master password, but the underlying account is not necessarily the one I want to use.

I preferred needing to go to the icon and select the account I want to fill, then entering the master password when prompted.

I moved your other post into this thread, since it was not directly related to the other thread.

@grb Yeah I will probably do this if the error persists, but I have like a ton of passwords and a lot of them are with this “master password re-prompt” option enabled. This will take some time and therefore, it sounds like a great task to do on the train when going to work.

If you think that most of your stored URLs match the login page URL, then you could just go to settings and change the default URI Match Detection method to “Exact”.

This may break the URI matching for any items in which the stored URL does not exactly match the login page URL (i.e., Bitwarden will behave as if no matching account is available). In those cases, use the search function to find and open the relevant login item, and then click the “Auto-fill and Save” button at the bottom — then it should work the next time (if you use this method, you may optionally wish to Edit the item to remove the original URI).

Changing all our URI’s to exact is a burden; it shouldn’t be necessary and doesn’t take into account the reality of how users have used the service or how websites really work with login entry points potentially being on many URLs based on normal use.

The pop-out window should be an option, not the sole behavior for re-prompt. To the extent that it must be the sole behavior, its implementation is deficient in the following ways:

1. If you dismiss it intentionally, it relaunches.
2. You’ve used it to log in, it continues to relaunch as you use the site. (Consider sites where the URL doesn’t change.)
3. If you have multiple available account records to fill, it doesn’t present an option to select which one you want.

The quick fix is to just make this pop-out behavior an option. As it is, the implementation is incompatible with require-re-prompt, and I’d argue a Bug.