Right click sometimes uses wrong domain for autofill

I’ve been changing passwords at important websites today. One site showed me an error page when I attempted to change the password. On this error page, it requests the current password to let me retry. When I used right-click → Bitwarden → autofill to try to fill in my current password, instead of the bank’s ID it shows my Google IDs (yes I have 5 Google accounts).

Seems like a bug in the Bitwarden extension. The domain in the browser address bar is usbank.com, but the Bitwarden browser extension thinks it’s Google. If I click the Bitwarden icon at the top, it does give me the correct entry for usbank.com.

I’m using Windows 10 and Microsoft Edge.

Interesting. Does this happen on the login form, as well, or only on the password change form?

Would you mind sharing what URIs you have saved for the usbank.com login item in your vault, and what the match detection option is for each of them? If any (or all) URIs use the Default match detection rule, please also share what setting is configured for your default match detection method.

Finally, if you have ever made changes to the Global Equivalent Domains (or defined Custom Equivalent Domains) in your Account Settings, please provide the relevant details.

P.S. Welcome to the forum!

Thanks for your reply.

It does not happen on the login form. It does not happen on the initial password change form:
https://onlinebanking.usbank.com/digital/servicing/profile-and-settings/login-and-security/change-password

The screenshot in the OP shows a much shorter URL https://onlinebanking.usbank.com/errorPage which occurred after an unspecified failure in changing the password on the initial password change form. It is the only page where I’ve observed the incorrect Bitwarden behavior. In trying to reproduce the problem to make this reply, I’ve been unable to reach that specific error page (any error in changing the password stays on that longer initial URL). I’ve also been unable to change my usbank password at all today for reasons I don’t understand that seem unrelated to Bitwarden. There may be some funky stuff happening with the usbank web app today.

My vault entry for usbank is https://usbank.com/ with no other URIs. It uses Default Match Detection. In Settings, Default URI Match Detection is set to Base Domain. I have no Custom Equivalent Domains and AFAIK have never modified the Global Equivalent Domains.

Thanks for providing the additional information.

It’s a very odd problem you’ve found, for sure. I’m wondering if the USBank “error” page was serving some content from a Google server in an embedded iframe, and that this may have confused the Bitwarden matching algorithm?

What URIs are stored in the five Gmail login items in your vault? (In particular, what base domains are stored there, assuming you have the matching set to Default for those as well?) Is it just google.com?

If you ever encounter this behavior again, I would suggest saving the HTML code of the web page, so that it can be examined later.

All my Google account URIs are simply www.google.com or accounts.google.com

I’ll be trying again in a day or two to change my password at that site. I’ll first try it the same way to see if this problem recurs. If so I will definitely grab the web page source. I’ll also peek at the developer tools window. But I won’t spend too much more time on it as my real goal here is to get that password changed, so I’ll probably search for their “I forgot my password” link which should take care of it for me.


I too have been experiencing this. I’ve only been using Bitwarden for about 24 hours, trialing as a potential replacement for LastPass.

What I believe is the root cause is that the most recently loaded/active tab or website in Chrome is what the extension is presenting as my autofill options. I am often operating multiple tabs across multiple windows, so when I switch between two newly loaded tabs, Bitwarden’s autofill is presenting me with credentials for the last one to load rather than the active tab I am on.
I have been able to reproduce this issue intentionally a few times.

I’ve included an image showing that I reproduced this issue.

Steps taken to reproduce:

  1. I opened Zoom’s website and went to the login page
  2. Moved the tab to a new window
  3. Launched a different website and went to that login page on the original window.
  4. When I returned to the Zoom tab, it was showing me the credentials for Formstack.
    Docking the Zoom tab to another window or refreshing it both result in the autofill credentials being displayed correctly.

I have tried the exact same steps in a different instance of Chrome which is still configured with LastPass and it does not present with the same problem.

Yes, I too can reproduce it with those steps!

  1. Go to a website’s login page (I used community.bitwarden.com since I was reading this thread without being logged in)
  2. Drag that page to a new window
  3. Switch to the previous browser window and load another website where you have login credentials (I used forum.nasaspaceflight.com)
  4. Switch to the first site’s login window
  5. Right-click in the password field and Bitwarden erroneously wants to fill in the second site’s credentials
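
Added example (not written by anyone in this thread, and not Bitwarden's code): a small model of the reproduction steps above, assuming the context menu is rebuilt only when an event the extension listens to fires. The event names are real WebExtension events; `BrowserModel`, `reproduce`, `safeToFill` and the `.example` hosts are hypothetical and constructed for illustration.

```javascript
// Toy browser: each window has one active tab, and one window has focus.
class BrowserModel {
  constructor(handledEvents) {
    this.handled = new Set(handledEvents); // events the extension listens to
    this.tabs = new Map();                 // tabId -> host
    this.activeTab = new Map();            // windowId -> tabId
    this.focusedWindow = null;
    this.menuHost = null;                  // host the context menu was built for
  }
  emit(event, tabId) {
    // The extension rebuilds its menu from the tab carried by a handled event.
    if (this.handled.has(event)) this.menuHost = this.tabs.get(tabId);
  }
  load(tabId, windowId, host) {            // focus a window and load a site in a tab
    this.tabs.set(tabId, host);
    this.activeTab.set(windowId, tabId);
    this.focusedWindow = windowId;
    this.emit("tabs.onUpdated", tabId);
  }
  moveToWindow(tabId, windowId) {          // drag (or dock) a tab into a window
    this.activeTab.set(windowId, tabId);
    this.focusedWindow = windowId;
    this.emit("tabs.onAttached", tabId);
  }
  focusWindow(windowId) {                  // click on an already open window
    this.focusedWindow = windowId;
    this.emit("windows.onFocusChanged", this.activeTab.get(windowId));
  }
  visibleHost() {                          // what the user is actually looking at
    return this.tabs.get(this.activeTab.get(this.focusedWindow));
  }
  safeToFill() {                           // defensive check before filling
    return this.menuHost === this.visibleHost();
  }
}

function reproduce(handledEvents) {
  const b = new BrowserModel(handledEvents);
  b.load(1, 1, "zoom.example");            // 1. open the first site's login page
  b.moveToWindow(1, 2);                    // 2. move that tab to a new window
  b.load(2, 1, "formstack.example");       // 3. load a second site in the old window
  b.focusWindow(2);                        // 4. return to the first site's window
  return b;
}

const STALE = ["tabs.onUpdated", "tabs.onAttached"];
const FIXED = [...STALE, "windows.onFocusChanged"];
for (const [name, events] of [["stale", STALE], ["fixed", FIXED]]) {
  const b = reproduce(events);
  console.log(name, { menu: b.menuHost, visible: b.visibleHost(), ok: b.safeToFill() });
}
```

In the stale configuration the menu still targets the second site while the first is on screen, and reloading or re-docking the tab corrects it, which matches the behavior reported above. The `safeToFill` comparison is the kind of last-moment origin check that prevents a credential from being offered to the wrong page even when the menu is out of date.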

Thanks for the feedback all, please drop a bug report here for the team to investigate.

It looks like there is already a bug open for this issue. I’ll post an update to that.
