Inline auto-fill menu - add setting to disable obfuscation of username in browser plugin

Describing it as a “requirement” makes it sound a bit like an arbitrary policy. It would be helpful for users to know what specific vulnerability this is intended to protect against.

The only thing I can imagine is that a malicious or compromised website may be able to read the list of account usernames that is injected by Bitwarden. If this is all that is being protected against, then it would typically be nothing more than a privacy issue, and a risk that some users will be willing to assume (in return for the convenience of being able to use the inline auto-fill feature).

Is there more to it than that? If showing the full usernames without obfuscation would somehow allow an attacker to access the contents of the entire Bitwarden vault, then that would dramatically change the risk-benefit calculus of a feature request like the one in this thread.

7 Likes