Consistent behaviour on clicking a listed item in vault

We don’t know Bitwarden’s reasoning here. Whatever it was (and I completely disagree with their decision) – I doubt it was solely based on those few posts there.

1 Like

I know - it is the default click option = open login details that we NEED to bring back. I did not mind a small autofill button that was easy to avoid clicking - but now it is a disaster

2 Likes

It is insecure because the default behavior leads to autofill, which is vulnerable to clickjacking. Just by muscle memory I have accidentally autofilled now several times - there is no knowing how much of my data has been stolen with clickjacking attacks so far.

Your statement that keyboard shortcuts are largely not susceptible to clickjacking is also false. In the original clickjacking discovery last August, you can test keyboard shortcuts here and see they are in fact not safe:

Bitwarden needs to either fix clickjacking vulnerabilities, or revert this update that forces the default behavior to be highly risky autofill. You also overestimate how savvy your users are. My 70+ year old parents are never going to be using keyboard shortcuts and it took me everything just to teach them to use a password manager in the first place.

This needs to be fixed. Bitwarden devs deflecting and pretending clickjacking isn’t a real security risk is not only pathetic but highly concerning for a company pretending it cares about security. I guess that all changed when your new CEO threw transparency out the window (yes, we noticed)

1 Like

Hey @Reabsorb4-Headband, can you share more detail on what you’re experiencing? If the site doesn’t match (different URI), Bitwarden will not autofill.

Which method are your parents currently using to autofill?

Bitwarden offering a credential where it is not used is a sure indication that one needs to more precisely specify the URL. Careful attention to making URLs as precise as possible both results in an improved user experience (eliminating irrelevant choices from the autofill menu) and improved security (reduced attack surface).

For example, my community login is configured like this:

This ensures that my community credential is only offered as an autofill option when I am on the community’s login page. Therefore, the only compromised webpage that has the opportunity to “steal” my community password is the official login page itself. And, bonus, my community credential does not show up as an option when I am logging into vault.bitwarden.com, making for a smoother UX.

Prior to adjusting this, the default option (“base domain”) resulted in my community password being offered as an option on any Bitwarden web page, including community conversations and vault.bitwarden.com.
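To make the difference between the match types concrete, here is a simplified model of URI match detection, written as an added example for this thread. It is not Bitwarden's code; the match-type names follow the extension's settings, but the matching logic is a re-implementation. The base-domain extraction here is deliberately naive (last two labels), the community login path `/login` is an assumption, and the sample vault is constructed for the example.

```javascript
// Added example, not Bitwarden's code: a simplified model of how a
// password manager decides which vault items to offer on the current page.
const MatchType = Object.freeze({
  BASE_DOMAIN: 'base_domain',
  HOST: 'host',
  STARTS_WITH: 'starts_with',
  EXACT: 'exact',
  REGEX: 'regex',
  NEVER: 'never',
});

// Naive base-domain extraction (assumption: last two labels). A real
// implementation consults the Public Suffix List so that "example.co.uk"
// is handled correctly; that is out of scope here.
function baseDomain(hostname) {
  return hostname.toLowerCase().split('.').slice(-2).join('.');
}

// Parse a configured URI, tolerating a missing scheme as the extension does.
function parseConfigured(uri) {
  return new URL(uri.includes('://') ? uri : 'https://' + uri);
}

// Normalise a URL for exact comparison (drop a trailing slash only).
function normalise(url) {
  return url.href.replace(/\/$/, '');
}

// Returns true when `currentUrl` satisfies the configured URI under `matchType`.
function uriMatches(configuredUri, matchType, currentUrl) {
  let cur;
  try {
    cur = new URL(currentUrl);
  } catch {
    return false; // unparsable page URL: never offer anything
  }
  switch (matchType) {
    case MatchType.NEVER:
      return false;
    case MatchType.REGEX:
      try {
        return new RegExp(configuredUri).test(currentUrl);
      } catch {
        return false; // bad pattern: fail closed
      }
    case MatchType.STARTS_WITH:
      return currentUrl.startsWith(configuredUri);
    case MatchType.BASE_DOMAIN:
      return baseDomain(parseConfigured(configuredUri).hostname) === baseDomain(cur.hostname);
    case MatchType.HOST:
      return parseConfigured(configuredUri).host === cur.host;
    case MatchType.EXACT:
      return normalise(parseConfigured(configuredUri)) === normalise(cur);
    default:
      return false;
  }
}

// Names of the vault items that would appear in the autofill menu for a page.
function autofillCandidates(vaultItems, currentUrl) {
  return vaultItems
    .filter((item) => item.uris.some((u) => uriMatches(u.uri, u.match, currentUrl)))
    .map((item) => item.name);
}

// Constructed sample vault: the same community credential stored two ways,
// plus a web-vault credential restricted to its host.
const sampleVault = [
  { name: 'community (base domain)',
    uris: [{ uri: 'https://community.bitwarden.com', match: MatchType.BASE_DOMAIN }] },
  { name: 'community (exact login page)',
    uris: [{ uri: 'https://community.bitwarden.com/login', match: MatchType.EXACT }] },
  { name: 'web vault',
    uris: [{ uri: 'https://vault.bitwarden.com', match: MatchType.HOST }] },
];

// With "base domain", the community credential is offered on the web vault
// and on every thread page; with "exact", only on the login page itself.
console.log(autofillCandidates(sampleVault, 'https://vault.bitwarden.com/#/login'));
console.log(autofillCandidates(sampleVault, 'https://community.bitwarden.com/login'));
console.log(autofillCandidates(sampleVault, 'https://community.bitwarden.com/t/some-thread/123'));
```

The third call is the one that matters for the thread's point: on an arbitrary community page, the base-domain entry is still offered, while the exact-match entry is not, so a compromised page anywhere under the base domain can only coax the credential out of the loosely configured item.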

I don’t know if you are aware, but the “Volunteer Moderators” (Nail1684, grb and denbesten) are not Bitwarden employees. We are just users, like you and your 70+ year old parents.

The defense that keyboard shortcuts offer is not that they make it impossible for you to do the wrong thing; they just validate your intent to involve a credential.

With this latest update to the browser plugin, I am so frustrated that in 4 years of loving and using bitwarden, I feel compelled to share my disgust with this change.

I can understand changing the default behavior “Click to autofill by default”, but removing the option to turn it off is so infuriating! I frequently need to access custom fields and notes on items and now this requires yet another click. There is no good reason to remove the ability to customize this behavior.

6 Likes

I would like to add my support to this request.

In my opinion, the default action when clicking a vault item should be View, not Fill.

Viewing an item is a non-destructive, low-risk action. It allows users to verify (and copy) the username, URL, notes, TOTP, custom fields, and other details before taking any action. Autofill, on the other hand, performs an immediate operation on the current page and can have unintended consequences if the wrong item is selected.

From both a usability and security perspective, I believe the safer default is to open the item details first and let the user explicitly choose to autofill. Users who prefer a faster workflow could enable a “click to fill” option in settings.

A configurable setting would satisfy both groups of users, but if a single default must be chosen, I believe the principle of least surprise and security-first design strongly favors View by default, Fill by explicit action.

Please consider restoring the option to choose between these behaviors rather than enforcing a single workflow for all users.

4 Likes

I have created an account on the forum for the sole purpose of adding my voice to the complaints about the new autofill behavior. When I click on an item in my vault, I want to see the preview of that item, no matter if it is an autofill suggestion or a vault item. The blue autofill button from before was easy to click; you knew that clicking it would autofill. Clicking the row itself should always bring up the preview for consistent behavior. I often need to check the preview of stored credentials for a site I am visiting (URI match) but now I keep autofilling by accident.

My gut tells me this change was implemented because someone thought beginner users “might be confused” by where to click to autofill. It just takes a few seconds to learn.

The best way forward is to give us an option to toggle this behavior. Don’t abandon your power users in favor of dumbing down Bitwarden.

4 Likes

@Reabsorb4-Headband I am a strong supporter of this feature request, and I agree with your sentiment. However, your comment contains misinformation, which is detracting from your (our) cause.

Per the blog article written by the security researcher who discovered that vulnerability (@marektoth), the exploit inherently requires a mouse click to be made on the malicious page; this is also what is meant by “click-jacking” — a user’s mouse click is maliciously used for a purpose other than what was intended by the user. Keyboard shortcuts by definition are not vulnerable to click-jacking, although they are susceptible to other security risks (as I have explained here).

There has only been a single post from a Bitwarden developer in this thread, and it does not discuss clickjacking at all. And the updated autofill behavior was evidently decided on prior to Feb. 11, 2026, so I doubt that the recently hired CEO had anything to do with this change.

P.S. If you want to move the needle, please consider voting for this feature request.

@c3p @ivan-pinatti @heath @blandygbc @Acapucho @zfJames @brofenix — Welcome to the forum! The best thing that you can do to help with the problem is to vote for this feature request. To gain voting privileges on the forum, your trust level must be promoted from “new user” to “basic user”, which happens after you have spent 10 min reading at least 30 comments/posts in 5 different threads.

@andy_o @Catra @kriswilk You have already earned voting rights on the forum, but you have not exercised those rights to support this feature request. Please vote by clicking the :up_arrow: icon at the top of the thread.

As I have pointed out above, we did have such a user-configurable option, but it was removed. :sob:

6 Likes

Thanks for the heads up, I thought I’d voted with the heart on the first post because I got confused with another forum that does it that way.

1 Like

You might review this conversation that began shortly after the vulnerability report was released. It includes immediate actions that community members could take to protect ourselves, updates that Bitwarden released, and even links showing that the original reporter has confirmed fixes effective.

Another argument for restoring the view-to-click option in the browser extension is the UX design principle of Consistency. Not only would this option make the click action consistent within the browser extension, but it would restore consistency between the extension and the other Bitwarden client apps (Desktop app, Web Vault), where clicking the item name always displays the item details for viewing (and/or editing).

Conversely, it makes no sense that clicking items in the Desktop app and Web Vault would open the item for viewing, but that clicking items in the browser extension would have a completely different result (autofilling). This increases user cognitive load and makes the product confusing to use.

7 Likes

Believe it or not – I think due to some other recent posts / feature requests here, I became aware of that “global consistency” aspect yesterday as well.

The issue is not that Bitwarden is not detecting the URL match correctly. The issue is that the clickjacking vulnerability is still an issue with Bitwarden that has not been fixed. Using the autofill button or keyboard shortcuts is still susceptible to clickjacking attacks, even when the website URL is legitimate.

In the past this was an issue but being able to easily copy-paste made it easy to avoid. Now the default behavior of the Windows browser plugin is that clicking on a vault item autofills it. To copy-paste, the user must now click the small 3 dots on the far right side, click “view more”, and then click copy.

In short - the default option is now LESS secure. I really don’t know why this was changed. For users who have autofill off, can we make default click action to take you to login details how it was before, and only have default action be autofill for those that have autofill enabled in their settings?

That seems like a great in between option allowing users to customize it how they need to for their own personal risk profile

I cannot vote for anything because they restrict new accounts. I made an account exclusively to raise this issue.

The article itself does not say the attack can solely be triggered by a click. If that is true, why do his test forms still steal data when using keyboard shortcuts?

The post I am referring to, where Bitwarden devs claimed it was fixed when it was not, was on the Reddit community. They made a patch within 2ish weeks, said it was fixed, and then the community found it was not actually fixed and they revised their statement to say it fixed most kinds of clickjacking attacks.

Yet to this day, Bitwarden’s latest version is susceptible to the original clickjacking methods discovered in the research back from August of last year. “Fixed in most cases” does not seem accurate when the original security issue wasn’t even addressed…

Preach!!! I agree my friend

1 Like

Yes, but you are no longer a “new user”. Your forum trust level has already been elevated to “basic user”, so you should now have voting privileges.

The test form does not have any input fields, so no reasonable user would use a keyboard shortcut on that form. The test form is designed to trick the user into clicking on a cookie policy confirmation form (e.g., Accept), which will autofill credentials if (and only if) “Show autofill suggestions on form fields” has been enabled. And this exploit was really only effective prior to version 2025.8.2, because since then, the user can at least see that they are about to autofill some credentials by clicking.

Nonetheless, it is true that the test form is able to steal credentials when “Autofill on page load” (i.e., automatic autofill) has been enabled. However, this is not a click-jacking attack, because no mouse clicks are required to steal the information. So, as I’ve explained previously, while I agree with you that unexpected autofilling (when a user clicks on a vault item expecting to view the information) can create security vulnerabilities, “click-jacking” is not the correct terminology to describe such risks.

As I explained above, version 2025.8.2 from August of last year did address the issue, by ensuring that the autofill drop-down menu was no longer hidden from view when visiting a malicious website (like the test form discussed above). I don’t know why you’re considering the browser extension susceptible to this form of attack, but regardless, such discussion is off-topic to this feature request thread. If you would like to further discuss Bitwarden’s susceptibility to click-jacking attacks, we can do so in a separate forum thread.

After a bit of digging, I found that the autofill on card click behaviour was (re-)implemented here and rolled out as a feature flag simplifiedItemActionEnabled aka PM31039ItemActionInExtension. “Simplified” is the opposite of what this change actually does, I really do hope that they re-add the option to toggle this behaviour off and allow the user to decide whether they want to click to autofill or view details.

I think we all knew this was where Bitwarden was headed after they got involved with private equity. Their new CEO is just another private equity shill. This change along with others (e.g., pricing, the “accidental” removal of the free plan, etc.) makes it clear where things are headed. I’m already keeping an eye out for alternatives.

1 Like