Browser extension is turned off and requests additional permissions (March 2025)

@DK1 Could you do the test that I had suggested? It will take 5 seconds:

i already removed bitwarden from chrome on all profiles. I am just using the desktop version for now.

I do appreciate your input and spending time on this but its just “odd” to just leave it be.

as a note: all profiles have the exact same extensions, nothing is configured out of the ordinary (meaning how it installed it is how it is configured). I dont use chrome sync, ever.

I love BW on my IOS devices so it won’t quickly vanish from usage but for now, not inside my browsers on my PC/

You are, of course, free to do that. But in doing so, you are losing both the convenience that autofill offers and the defense it offers against look-alike sites (because autofill will fail).

Seems an unlikely trade-off, given that the new permission (“display notifications”) is an inherent capability of an installed desktop app. And the request has been confirmed as authentic in this forum by a Bitwarden employee.

By my risk-calculus (everyone’s is different), losing the defenses autofill offers seems like the bigger risk than Bitwarden potentially throwing annoying alerts in my face.

The only thing “odd” is your reaction (although, as @DenBesten already noted: to each their own). Why does the requested permission to display notifications bother you, but you were apparently OK with using the browser extension while it “only” had permissions to:

  • Read your browsing history
  • Read and modify data you copy and paste
  • Communicate with cooperating native applications

The new permission (displaying notifications) has none of the potential privacy or security implications of the permissions that you previously granted, so it does not make sense to me why you ever installed the Bitwarden browser extensions (if a request to permit display of notifications was enough to make you uninstall the extensions).

Even if you’re assuming the worst, and believe that Bitwarden is going to use the new browser extension permissions to perhaps serve up spam advertising, why not wait until you see the actual notifications being displayed before deciding that this is not for you?

There are plenty of popular feature requests for useful functionality that would require the browser to have permissions to display notifications. For example, users have requested implementation of features such as toast notifications to identify which account is being autofilled, notifications of pending Emergency Access requests, notifications of master password compromise or other suspicious activity, and other types of push notifications. Is your opinion that no such features should be developed, because it is more important to refuse giving the browser extension permission to display notifications?

1 Like

Ok so let me start off with this:

  1. You sound like a fanboy, unable to see past the walls you’ve built for yourself.
  2. My decisions are mine alone.
  3. Arguing against my choice to keep BW off my browser (while still using it on my desktop) is not just odd—it suggests you either didn’t read my post properly or just ignored it entirely.

Some people love jumping on cutting-edge, beta software. I prefer to watch from a distance while others take the hits (wisdom). I’ve been in IT since the days of spindle drives the size of pizza boxes, keyboards heavier than luggage, and handshake failures that wasted hours. I’ve worked across military, government, and private sectors. If something even slightly goes south, I step back and let others learn the hard way (wisdom).

And finally, you don’t work for Bitwarden. Pushing it this hard while ignoring personal choices makes you guilty of #1, #2, and #3 (though stopping at #1 and #2 did make me laugh). SLNL.(Silently Laughing Not Loud)

@DenBesten I don’t “autofill” anything. blindly autofilling is like leaving your house unlocked while you go on vacation.

First, I apologize if my comment made you upset — that was not my intent: I just wanted to express how perplexed I was at your decision-making process (and ask some questions that would perhaps clarify things for us). Second, nowhere in my comment do I try to “argue against” your choice or “push” for anything — my entire comment consisted of presenting facts and asking you to clarify for us how your decision-making process squares against those facts. Third, I would request that you review the Community Guidelines.

In the context of Bitwarden, “autofill” refers to any method that transfers vault data into a web form, and automatically matches the data to the appropriate input fields. You seem to be using this term to mean automatic transfer of credentials into web forms (without user action), which in Bitwarden is called “Autofill on Page Load”. However, Bitwarden’s browser extension offers a handful of different ways to autofill, all of which are safer than copy & paste (which is akin to mailing a secret document in a transparent envelope).

This is good advice, which I will take. Good luck to you! :waving_hand:

I also do not blindly autofill anything. In Bitwarden vernacular, that is called autofill on page load and even Bitwarden advises against it. Fortunately, there are a bunch of other autofill mechanisms that only trigger after the user demonstrates intent.

I was able to find peace with keyboard shortcuts as it minimizes the changes made to the web page, reducing data disclosure and maximizing reliability.

And for native apps (mostly remote desktop), where autofill is not yet available(it’s coming), I mostly use drag-and-drop to avoid the clipboard becuase the clipboard contents are visible to everything on your computer and if using something like Apple’s Universal Clipboard, everything on any of your devices.

Don’t know if this will affect your risk-analysis, but I figured that if you were unaware of the other options, at least we can benefit from “knowledge is power”.

1 Like