Consistent behaviour on clicking a listed item in vault

After a bit of digging, I found that the autofill on card click behaviour was (re-)implemented here and rolled out as a feature flag simplifiedItemActionEnabled aka PM31039ItemActionInExtension. “Simplified” is the opposite of what this change actually does. I really do hope that they re-add the option to toggle this behaviour off and allow the user to decide whether they want to click to autofill or view details.

1 Like

I think we all knew this was where Bitwarden was headed after they got involved with private equity. Their new CEO is just another private equity shill. This change along with others (e.g., pricing, the “accidental” removal of the free plan, etc.) makes it clear where things are headed. I’m already keeping an eye out for alternatives.

2 Likes

At the end of the day, I just can’t accept that the entire row for my items in the browser extension is now one giant fill button.

It introduces a security issue because I, as a user, usually want to VIEW my password entry before I fill it in or view it for the secondary passwords I have saved for that website as hidden fields. This new change means that I have to do far more unintuitive clicks to view the same information and I frequently just click right on the words of the item (which used to and should logically just open the item) and I find that my info is now autofilled into various insecure pages on the website.

I’m genuinely evaluating other password managers as a result.

3 Likes

@zfJames I have just moved your post into this feature request as it does seem to match your criticism. (You posted in a desktop app thread, but you’re clearly talking about the browser extension’s new autofill behaviour.)

1 Like

In the meantime, to improve security, you could use the “Exact” or “Starts With” settings for the Match Detection option, and ensure that the stored URL is for the login form only.

The way to prevent that is to tighten up the URL matching rule so that it only matches the login page and not the various insecure pages. For example, I use this on the community:

I have. You can test the latest version of Bitwarden on his site - it is still not patched. Bitwarden claimed they have “fixed most cases where this can occur”, but his original research he provided and testing site shows they never bothered to even fix the original issue raised in August - I guess at best they fixed some variations of it?

The complaint is not that autofill is not detecting URLs in a safe manner - it is that auto fill generally introduces risk to clickjacking attacks.

Copy paste of course has its own risks but imo they are greatly reduced risks since the only protection of autofill is having an auto check to see if the url is correct or a phishing url. And you can still have that protection by only copy pasting logins that show up with the autofill suggestion, the same way it worked about a month ago ish.

Spot on dude.

No clue why they felt making clicking a vault item a giant auto fill button was ever a good idea.

Their defense on Reddit seems to be that a year ago people complained when clicking an item opened login details. They say that like it’s really that hard to be solution orientated and just add a button in the settings that allows users to choose what is best for them.

Imo for users with autofill off, switching the default click item for a vault item to autofill is actually clinically insane. It seems like product gave zero thought whatsoever to user experience or security implications before making that change!

It’s not that the autofill option is picking the wrong websites. It’s that clicking used to open up the details I need to actually interact with the website like security codes and other things and now I get unwanted autofill when I click on it even if I click nowhere near the word “fill.”

Counterintuitive design breeds insecurity so I’d just rather have a preference in the menu to click to enable “view” behavior by default instead of being conscripted into this autofill behavior I don’t want. There are so many other ways to autofill. So many.

2 Likes

This is not accurate. If you’re on a random webpage (not a login form) and are trying to click some button or link, but you unexpectedly see an inline autofill menu that is moving across the webpage (tracking your mouse movements so that the most recently used account is always positioned just beneath the mouse cursor as you move the mouse to the button), why on earth would you click on the account name, which you know causes the account credentials to be submitted to the webpage?

Click-jacking is when an exploit causes a mouse click intended for one purpose to actually be used for an action that the user did not expect. In the above example, the user can clearly see that they are clicking an account name in the autofill menu, which they know will result in autofilling of the account credentials. Thus, they expect autofilling to occur, so they are not being click-jacked, they are just being careless.

Anybody who wants a more detailed explanation can read my previous comments here and here.

1 Like

I also agree that removing consistency is not a good idea. It’s just adding an unneeded pitfall to a UX that puts a burden on the user to be careful.
If you want to set the bad UX as the default, we can’t really oppose it. Let’s hope it’s what most of the users really want…
But why not keep a setting to revert to the old behavior for the (sane :wink:) users that want the “view on click”?

2 Likes

Whoa. So this was done on purpose!?! Without an option to turn it off? Why is there still a Fill button then? Could that at least be switched to “View” then so we have an option to get there without the extra click of … ?

I assumed it was a bug and was just living with it for the last few versions and updating as soon as an update was available hoping that it might be fixed.

I don’t understand the change at all. Fill is never what I want (we have a hotkey for that) plus there is already a “Fill” button on the item. Why oh why would we ever want an extra click just to be able to view all the information in the item?? I have lots of information saved in items: notes, custom fields, sometimes you need to see the TOTP code, etc. For example, I was just on the phone with the tech support for one of my accounts and needed to verify my TOTP code over the phone. I didn’t need to copy it to the clipboard, I needed to view it in the item! I hope this will go back to being optional, it makes no sense as the default!

(For those of you who are on these forums often, where’s the best place for me to show my support for this? If this is the right place, great. If there’s somewhere else I should be posting or voting, please let me know! Thanks!)

4 Likes

The Fill button was removed, although there is a “Fill” label that becomes visible when the mouse cursor hovers above an item in the Autofill Suggestions list. If you are still seeing the old Fill button, then there may be a caching issue or a corrupt installation — you might want to try a clean re-install.

Yes, this is probably the best place — thank you for your vote.

There is also a separate (less active) feature request here:

And there is some additional discussion in the following threads:

1 Like

That “Fill” label is a button. If there is something in an app interface that does something besides label another control on screen, then it is in fact a button, not a label.

1 Like

It’s not a button, because the autofilling action occurs whether you click on the label or next to the label. The new “Fill” label is basically equivalent to a tooltip pop-up.

The “Fill” label does label another control — namely, the <div> that displays the item name and subtitle.

Thank you.

I hadn’t noticed that “Fill” was only showing when hovering over the item, so I was mistakenly calling it a button. I understand now that it’s trying to show you what will happen if you click on the item, and I can even see how people might find that useful. But I think it’s only necessary because clicking on an item to auto-fill is counterintuitive in the first place! For me, Fill is the least used option amongst View, Copy Username, Copy Password, and Copy TOTP.

I would much prefer that view was the default behavior when clicking an item (with or without showing “View” on hover). Honestly, I don’t even want a fill button on the item, I would prefer it was hidden behind the … menu so that I only click that option when I really, truly mean to click it.

I will hope that we have more settings options to choose from in the future. Thanks

2 Likes

Thanks for the feedback everyone. The option to click to view (instead of click to autofill) will be available in an upcoming update.

11 Likes

That’s great to see! The previous behaviour, where you click to View and there was a giant Autofill button at the top, was pretty good. I found it easy to adjust to that, and it served both purposes comfortably.

3 Likes

That’s great. What about the Fill button next to other icons (copy, more options, etc.)? Will that come back, or has it gone the way of the dodo?

I’m asking about this with feature requests like “Restore one-click autofill for search results that match active web page” in mind.

1 Like