Inline auto-fill menu - add setting to disable obfuscation of username in browser plugin

Sadly, I have too many similar logins to some sites, so the dots in place of the login email makes this wonderful inline auto-fill feature unusable for me. Please allow us to disable the obfuscation with a setting.

9 Likes

What’s the point of obfuscating the user name in the inline auto-fill menu? It’s visible after it’s been filled in. It’s visible in the BitWarden browser plug in.
[Screenshot 2024-01-05 075559]
Is there some security issue with it being visible in the inline menu?

3 Likes

@Mark_Engelhardt @MHSwizzlestick Thank you both for sharing your feedback.

@MHSwizzlestick you are correct, there is a security requirement that we do not include the full username in the menu.

The team is monitoring user feedback on this functionality and exploring ways we can improve the user experience while continuing to meet security requirements.

2 Likes

Describing it as a “requirement” makes it sound a bit like an arbitrary policy. It would be helpful for users to know what specific vulnerability this is intended to protect against.

The only thing I can imagine is that a malicious or compromised website may be able to read the list of account usernames that is injected by Bitwarden. If this is all that is being protected against, then it would typically be nothing more than a privacy issue, and a risk that some users will be willing to assume (in return for the convenience of being able to use the inline auto-fill feature).

Is there more to it than that? If showing the full usernames without obfuscation would somehow allow an attacker to access the contents of the entire Bitwarden vault, then that would dramatically change the risk-benefit calculus of a feature request like the one in this thread.

7 Likes

I would also like to second this. I have a lot of logins to the same site and need to select the right one each time. I could do this easily with Chrome’s password manager.
I’d like to be able to turn off obfuscation, and it would be also great if the list was longer and/or more compact, and searchable (or filtered to the account names that match what you started entering in the box above). Chrome has these features, it would be great to have parity!
Thank you.

3 Likes

At least make it an option. Make the current behavior default but do give an option for users to change it as it is quite irritating. What’s the point in hiding the usernames there but showing them if you click on the extension in the browser?

4 Likes

It’s handled by the obscureName function in “browser/src/autofill/background/overlay.background.ts”:

private obscureName(name: string): string

A simple, quick bypass workaround is to just return name;.

In the extension’s directory, in “background.js”, add “return e;” after “obscureName(e){”:

obscureName(e){return e;

After that, enable developer mode and load the unpacked extension.

2 Likes
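As an added illustration (not Bitwarden's code, and not its actual masking rule), here is a hypothetical obscureName in TypeScript with the setting this thread asks for. The masking rule assumed here keeps the first character of the local part and the domain; it shows why logins that differ only in the middle of the username become identical in the menu once masked:

```typescript
// Added example: hypothetical masking rule and setting, not Bitwarden's implementation.
interface InlineMenuSettings {
  obscureUsernames: boolean; // the requested user-facing toggle
}

// Assumed rule: keep the first character of the local part and the full domain,
// replace everything else with "*" (stand-in for the dots shown in the menu).
function obscureName(name: string): string {
  const at = name.indexOf("@");
  const local = at === -1 ? name : name.slice(0, at);
  const domain = at === -1 ? "" : name.slice(at);
  if (local.length <= 1) {
    return local + domain;
  }
  return local[0] + "*".repeat(local.length - 1) + domain;
}

// Label shown in the inline menu, honouring the setting.
function menuLabel(name: string, settings: InlineMenuSettings): string {
  return settings.obscureUsernames ? obscureName(name) : name;
}

// Returns the labels that several logins for one site would collapse to,
// i.e. the entries a user could no longer tell apart.
function ambiguousLabels(names: string[], settings: InlineMenuSettings): string[] {
  const counts = new Map<string, number>();
  for (const n of names) {
    const label = menuLabel(n, settings);
    counts.set(label, (counts.get(label) || 0) + 1);
  }
  return Array.from(counts.entries())
    .filter(([, count]) => count > 1)
    .map(([label]) => label);
}

// Constructed sample logins for one site.
const sampleLogins = ["alice.work@example.com", "alice.home@example.com", "bob@example.com"];
console.log(ambiguousLabels(sampleLogins, { obscureUsernames: true }));  // one collision
console.log(ambiguousLabels(sampleLogins, { obscureUsernames: false })); // none
```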

PLEASE, PLEASE give an option to disable it!
I have websites where I have like 20 accounts, and it’s HELL to figure out which one is which. Like WHAT security does it even serve? Once you pick it, it’s unobfuscated in the text field. It serves no purpose other than to annoy.

2 Likes

I signed up just to comment on this. I like Wordle, but I don’t need to play it when I’m trying to sign into one of my email accounts! This adds zero security and a ton of annoyance. Literally two inches away on my screen is the toolbar button that has the viewable usernames. Why is it obscured in the webpage dropdown just a few pixels away? It just doesn’t make sense. Please give us the option to fix this.

2 Likes

@CurtWarden Welcome to the forum!

This is not true, although I have asked @dflinn to at least specify exactly in what way the username obfuscation improves security.

To clarify, this is done to protect against malicious code running on the website, not against “shoulder surfers”. Thus, the fact that the usernames are unobscured within the browser extension window or in the right-click context menu is not relevant, because there, Bitwarden is not injecting the information directly into a webpage.

2 Likes

@XP1 can you give me an idea where background.js is on a Mac/Firefox? I can’t find that file on my system.

Go to “about:profiles”, and open the root directory.

In the “extensions” subfolder, you need to extract the “{446900e4-71c2-419f-a6a7-df9c091e268b}.xpi” file. File path looks like:

“~/Library/Application Support/Firefox/Profiles/{id}/extensions/{446900e4-71c2-419f-a6a7-df9c091e268b}.xpi”

The extracted XPI contains the “background.js”.

When you “Load Temporary Add-on…”, you open the extracted folder and select any file.

Firefox will reset the temporary extensions after restart, so you will have to reload it again or use Firefox Developer or another browser.

I am with the others, this is totally useless this way and needs to change. I also have websites with several short similar logins and it is very hard to figure them out this way. I don’t care about the security we lose this way, because the alternative is to keep them in a txt file on the desktop called passwords.txt and this is surely more secure with the usernames even unobfuscated… Make it optional at least.

Somewhat cavalier; not everyone agrees. I would be happy with optional. I have no difficulty discerning which of a few options is the right one, and I can always try the next most likely.

Those who don’t agree will probably not use the overlay feature anyway. So let’s make it usable for those who want to use it.

As I said, I am happy with optional. However, isn’t this just a workaround for failure to name items distinctly, independent of login identity? I just checked a site with multiple logins and that provides the distinction for me, in the row above the obfuscated identity.

You may want to hold off on making this call until you actually know what security you lose. @dflinn was asked about this a month ago, but has not responded. I’m paging @sj-bitwarden here in the hopes that someone else on the Bitwarden team can clarify the specific types of vulnerabilities that users would have been exposed to if the usernames were not obfuscated.

Why go to such lengths, when selecting accounts for auto-filling by Right-Click > Bitwarden > Auto-fill or by opening the browser extension window is much easier (and safer) than copying and pasting from a text file?

Or, you could use the common-sense solution that was pointed out by @Mulled7768 — simply use the vault item’s Name field to distinguish between different accounts.

2 Likes

Hi @grb I checked in on this function internally, and this was implemented from an abundance of caution - we always prioritize security and wanted to ensure we were minimizing risk. After review by a third party audit as well as our internal security team, we will be removing this obfuscation in a future release to allow usernames to be easier to distinguish from one another. I don’t have a specific timeline to share, but rest assured, it’s coming soon! :rocket:

4 Likes

At least let us decide what the usernames would look like upon obfuscation, so we could make them distinguishable. In its current state, the inline autofill menu is unusable for me.
I also think the website address doesn’t need to be mentioned above every username. It’s more readable than the username itself.

2 Likes

@unakade Welcome to the forum!

FYI, what is shown above the username is the “Name” of the vault item, which does not have to correspond to the website address. Although the item name chosen by Bitwarden (when you use the “+” button or the prompts to save a new login) defaults to the website domain, you can edit the item name to be anything that you want.

Thus, you can make the items more easily distinguishable by customizing their “Name” values. For example, if you have two accounts on amazon.com, then you can change the default item names from www.amazon.com to something like what is shown below:

[image]

3 Likes