Security Improvement: Hotkey autofill when vault is not unlocked should open popup tab in same browser window

Feature name

  • Security improvement for popup credentials prompt in incognito mode.

Feature function

When using the browser extension hotkey autofill (e.g., Ctrl-Shift-L in Chrome), a new “pop-up” tab is opened for entering vault credentials (master password or PIN) if the vault is not currently unlocked. However, if the user is using an incognito browser, the pop-up tab is not opened in the same browser window — instead, the pop-up tab is opened in a new browser window that is no longer in incognito mode.

Therefore, this request is to modify the launching of these pop-up tabs so that they are opened in incognito mode if the autofill hotkey is used while in an incognito web browser. In fact, it may be an even better idea to always open the pop-ups in incognito mode (independent of whether the user was browsing incognito or not).

Although incognito mode is not a security panacea by any stretch of the imagination, using incognito mode does provide a quick and easy way to ensure that other (potentially malicious) browser extensions are not loaded, that the browser’s autosave functions are disabled, among other security benefits. These safety features are defeated when the unlock/login prompt is opened in a regular browser window instead of in the incognito browser.
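As an added example of the requested behaviour (not Bitwarden's own code): the hotkey handler reuses the window the shortcut was fired from, so an incognito session stays incognito instead of being downgraded to a normal window. `planUnlockTab`, `openUnlockTab`, `UNLOCK_PATH` and the command name are assumptions; the `chrome.*` calls are the standard extension APIs, and the manifest is assumed to declare `"incognito": "split"`, since in Chrome's default spanning mode extension pages do not load in incognito tabs.

```javascript
// Hypothetical unlock-page path inside the extension package (constructed placeholder).
const UNLOCK_PATH = "popup/index.html#/lock";

// Pure decision logic, kept free of chrome.* so it can be unit-tested offline.
//   senderTab: the tab that received the hotkey ({ windowId, incognito }) or null
//   allowedInIncognito: result of chrome.extension.isAllowedIncognitoAccess()
function planUnlockTab(senderTab, allowedInIncognito) {
  if (!senderTab) {
    // No originating tab to attach to: open a fresh normal window.
    return { kind: "window", incognito: false };
  }
  if (senderTab.incognito && !allowedInIncognito) {
    // User has not granted incognito access, so the unlock page cannot live in
    // that window. Fall back, but surface why instead of silently downgrading.
    return {
      kind: "window",
      incognito: false,
      warning: "extension is not allowed in incognito; unlock opened in a normal window",
    };
  }
  // Reuse the originating window: the new tab inherits its incognito state.
  return { kind: "tab", windowId: senderTab.windowId, incognito: senderTab.incognito };
}

// Background / service-worker side (MV3 promise-returning APIs).
async function openUnlockTab(senderTab) {
  const allowed = await chrome.extension.isAllowedIncognitoAccess();
  const plan = planUnlockTab(senderTab, allowed);
  const url = chrome.runtime.getURL(UNLOCK_PATH);
  if (plan.warning) console.warn(plan.warning);
  if (plan.kind === "tab") {
    // Same window as the hotkey: an incognito window yields an incognito tab.
    return chrome.tabs.create({ url, windowId: plan.windowId, active: true });
  }
  return chrome.windows.create({ url, incognito: plan.incognito, focused: true });
}

// Hotkey wiring: chrome.commands passes the active tab that received the shortcut.
// (The "is the vault locked?" check is omitted here; "autofill_login" is a placeholder.)
if (typeof chrome !== "undefined" && chrome.commands) {
  chrome.commands.onCommand.addListener((command, tab) => {
    if (command === "autofill_login") openUnlockTab(tab);
  });
}
```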

Steps to reproduce

  1. Enable Bitwarden browser extension to run in Incognito Mode.
  2. Ensure that the browser extension’s vault is locked.
  3. In an Incognito browser window, navigate to a login web page for any account.
  4. Use the login autofill hotkey (Control-Shift-L).

Expected behavior

The popup tab for unlocking the vault should be opened in the current incognito browser window.

Actual behavior

The popup tab for unlocking the vault is opened in a new browser window, which is not incognito.

Version

Bitwarden browser extension for Chrome, Version 2022.6.1