Bitwarden filled username field with password

I was making a payment via PayPal on the website https://www.charityextra.com/

I was making the payment on my Android phone and the PayPal login window was via a popup

I used Bitwarden to fill in the details but unfortunately the password was put into the username field instead of the password field.

Although shoulder-surfing for a long, secure password is low-risk, this should really be fixed

Thanks

Tell PayPal to fix their login window.

1 Like

Why would this happen then? What do I need to tell them to do?

As they may not be using “username” for the username-field, but a different name instead. Bitwarden recognizes the input boxes by their name.

EDIT: Solved. I found how to create a custom field using ‘Inspect’ for the problem field. The field was a ridiculously long ID. (right click the field, Inspect, look for the field ID and copy it to a custom field in Bitwarden.)

I'm having a similar problem. How can I find the name of an input field so I can create a custom field that matches. My password is being filled in on both the username AND password field.
1 Like

Hmm… this doesn’t seem to work on Android, either on my phone or on my tablet. On those it still fills in the password in both the userid and password fields.

It works the same on Android. But perhaps you get a different version of the login page and therefore the field might have a different ID.
To see the source code within Google Chrome on Android add view-source: infront of the URL.

Example:
To see the source code of https://www.bbc.com type:
view-source:https://www.bbc.com

This “view-source” method gave me the source for the entire page. I couldn’t find the input Id, so downloaded an app called Inspect and Edit HTML from the play store. It allowed me to “Inspect” the actual input field for the password. The Id “_ParticipantLogon20_WAR_ahcommonauthportlet_userId” and source code are identical to Chrome and Firefox on Windows, Linux or Chromebook. (these work fine) This is for the Lumen benefits website. Bitwarden isn’t filling in the UserID on either my tablet or my cellphone. It puts the password in both the userid and password fields.

I left the username field in Bitwarden’s Lumen entry empty. I made a custom field for the userid.

Thank you for your thoughts and ideas.

1 Like

Possible bug in the string length of the fields in the android version?
The website is:
https://leplb0330.upoint.alight.com/web/centurylink/login/
The two fields are:
“_ParticipantLogon20_WAR_ahcommonauthportlet_userId”
and
“_ParticipantLogon20_WAR_ahcommonauthportlet_password”

@Peter_H Did Bitwarden find a way to support custom field autofill on mobile?

Most comments on this are back in 2019, where it wasn’t supported due to OS limitation:

Oh, I did not think that this could be an issue.Let’s clear this up.
@tgreer: Do the mobile versions support custom fields?

1 Like

No one knows? I’d love an answer go that.

If you put “m.” in front of the web version of the website URL, you may get the mobile version, then inspect that for the possible new mobile field name.

If that website you mentioned is using some kind of plugin that happens to connect to Paypal, it may have nothing to do with Paypal. They might be doing a passthrough.

For your particular situation, I would recommend waiting for someone from Bitwarden to comment (or someone who has worked with android AutofillService).

Based on information I have seen, I don’t think it is possible to autofill Custom Fields on Android either due to API limitation (or current Bitwarden implementation?).

However, I don’t code mobile apps and I haven’t worked with C#/Xamarin, so I don’t have full details.

I will provide basic notes below based on quick skim though your example site, the android docs, and Bitwarden code.


Your particular website

I think the issue with the site you are using is that the Username field is using type="password" along with the odd id/name.

This is confusing Bitwarden into thinking the field is for your password.

EDIT: This is something Bitwarden Mobile app checks to detect passwords.


Android Documentation

Based on skim through Android documentation, Android mainly uses:

  • a fixed set of supported “autofill hints” (usually basic info like username/password/phone/postal_address), or
  • the website needs to provide a special “autocomplete” attribute.

Not too sure if possible to obtain HTML id / name attributes and run Custom Field logic. Would need Android developer to comment on behavior.


Bitwarden Mobile Code

I didn’t really look too much into this, but I could only find autofill logic to handle username/password.

I didn’t see anything to handle Custom Fields.

2 Likes

Some day, hopefully, myopic website developers will realize that tens of millions of people around our amazing planet use password managers, and they will choose to design websites that work easily with them.

Honestly, it’s not hard. It’s just a bad combination of myopia and laziness.

Last I checked, popular sites like Yahoo and Evernote still don’t play well with password managers; they require users of password managers to enter their credentials twice because they don’t have the input fields for the username and password loaded in the DOM at the same time.

Fixing this is a simple task, but not making these mistakes in the first place would be even better.

My solution is, whenever possible, to not use sites or services that do not play well with password managers. For this reason, I no longer have a Yahoo, Evernote, or PayPal account. No Google account either, but that’s due to: Add unshare option - #137 by bit

Too many great options to deal with ineptitude or ignorance these days. That’s why I no longer have a LastPass account either! :partying_face:

2 Likes

@Peter_H @cho-m you’re correct, mobile doesn’t currently support custom field autofill.

That’s sad, but Oh, well, it’s the only site I’ve had to use a custom field so far. Maybe in the near future it will be added.

thanks, very informative.

1 Like