Hi there, I use the Firefox Bitwarden browser extension. When I press Command + Shift + L to autofill credentials, if I’m not already logged into my vault, a Firefox pop-up window appears prompting me to log in. It looks like this: (screenshot hosted on Imgur)
I’m wondering if this login flow is vulnerable to phishing. For instance, if a malicious website has javascript that creates a keyboard listener such that when Command + Shift + L is pressed, a pop-up window appears that looks identical to the Bitwarden login pop-up window, they might trick me into entering my Bitwarden master password into the malicious website.
Is such a scenario possible? What do you all think of the risks here?
An interesting proposition, the technicalities I am not qualified to evaluate. Some work-arounds to mitigate the risk (if it turns out to be real) may include doing one or more of the following:
Activate 2FA on your Bitwarden account, preferably using a passkey.
Set your Vault Timeout Action to “Lock” instead of “Log Out”, and enable unlocking using a PIN or biometrics (instead of your master password).
Always manually unlock your vault before attempting to use the Ctrl+Shift+L shortcut; if you see the unlock/login prompt when using the shortcut, close the pop-out window, manually open the extension, and unlock/log in there.