Thanks for linking this report — and I especially commend you for linking the original research report instead of some blog article or sensationalized “news” story. Marek Tóth (the author of this report) is a security researcher whom I respect, and I would take what he says seriously. The report is quite extensive, however, and I have only skimmed it. I would say that my initial take-aways are:
Yes, you should be worried about click-jacking, but no need to panic — read on:
A fix is already in progress; Bitwarden has just merged PR #16063, which will stop exploits based on null opacity, so this should be available in the next version (2025.7.2?). However, not all versions of the vulnerability require manipulation of opacity (see “Overlay” section). [Update: All vulnerabilities discovered by Marek Tóth have been patched as of version 2025.8.2.]
All versions of this exploit require the extension to be unlocked while you are interacting with some web page that is not a login page; thus, you will be protected if you follow best practices to keep your vault locked (using a short vault timeout) while it is not being actively used.
The risk can be mitigated by making your URI match detection method more specific than “Base Domain”. For example, if you are interacting with a compromised webpage hosted at poorly.secured.subdomain.example.com, then using “Base Domain” matching for your example.com credentials will make it possible for them to be stolen — to protect yourself, you should store the exact URL of the example.com login page only (for example, https://login.example.com), and set URI matching to “Host”, “Starts With”, or “Exact”.
The risk can be eliminated by not using inline autofill menus (disable “Show autofill suggestions on form fields” under Settings > Autofill). The report suggests that users should copy & paste credentials instead, but in my opinion, it would be safer to use alternative autofill methods (keyboard shortcut, opening the browser extension, or using the right-click context menu) or even drag-and-fill, since there are known vulnerabilities for credentials copied to the system clipboard. If you can’t live without inline autofill, you should be able to at least reduce your risk by enabling the option “Display suggestions when icon is selected” (this eliminates at least the 1-click exploits, since autofilling now will require 2 clicks).
The risk can be mitigated by keeping an eye on the Bitwarden extension icon at the top of the browser window. If there is a number displayed in a badge overlaid on the Bitwarden icon, then there is at least one set of login credentials that can be stolen by the active webpage (assuming that you have inline autofill menus enabled). Thus, if you see such a badge counter when the browser is not displaying a login form, then you are vulnerable (i.e., you need to fix the URI match detection method for any vault items that appear in the “Autofill Suggestions” section at the top of the browser extension window). Note, however, that version 2025.7.0 has a bug that sometimes prevents the badge counter from being displayed; a recently merged fix for this bug should be available in the next release [Update: Bug fixed in version 2025.9.0.].
The report author has proposed another mitigation (here), which involves restricting the extension’s access to the webpage (but this introduces 2 additional clicks each time that you wish to autofill).
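To make the third bullet above concrete, here is an added example written for this thread (it is not Bitwarden's code and only approximates the client's match logic). It models the URI match detection types and lists which vault items an inline autofill menu would offer on a given page, which is also what the badge counter reflects. Assumptions: the names `MATCH`, `uriMatches`, `autofillSuggestions` and the sample vault are made up for illustration, and "Base Domain" is derived from the last two hostname labels instead of the Public Suffix List the real client consults.

```javascript
// Added example (not Bitwarden's code): a simplified model of the extension's
// URI match detection types. Names and the sample vault below are constructed.
const MATCH = Object.freeze({
  BASE_DOMAIN: 'baseDomain',
  HOST: 'host',
  STARTS_WITH: 'startsWith',
  EXACT: 'exact',
  REGEX: 'regex',
  NEVER: 'never',
});

function parseUrl(value) {
  try { return new URL(value); } catch { return null; }
}

// Simplification: registrable domain = last two labels. The real client uses the
// Public Suffix List, so e.g. example.co.uk is handled correctly there but not here.
function baseDomain(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// Does a stored URI, under the chosen match type, match the page the user is on?
function uriMatches(storedUri, matchType, pageUrl) {
  const page = parseUrl(pageUrl);
  if (page === null) return false;
  const stored = parseUrl(storedUri);
  switch (matchType) {
    case MATCH.NEVER:
      return false;
    case MATCH.EXACT:
      return storedUri === pageUrl;
    case MATCH.STARTS_WITH:
      return pageUrl.startsWith(storedUri);
    case MATCH.REGEX:
      return new RegExp(storedUri, 'i').test(pageUrl);
    case MATCH.HOST:
      // host includes the port; URL parsing yields hostnames in ASCII (punycode) form
      return stored !== null && stored.host === page.host;
    case MATCH.BASE_DOMAIN:
      return stored !== null && baseDomain(stored.hostname) === baseDomain(page.hostname);
    default:
      throw new Error(`unknown match type: ${matchType}`);
  }
}

// Names of the items the inline menu would suggest on pageUrl; the array length
// corresponds to the number shown in the extension's badge counter.
function autofillSuggestions(vault, pageUrl) {
  return vault
    .filter((item) => item.uris.some((u) => uriMatches(u.uri, u.match, pageUrl)))
    .map((item) => item.name);
}

// Constructed sample vault: the same example.com credential stored three ways.
const SAMPLE_VAULT = [
  { name: 'example.com (Base Domain)', uris: [{ uri: 'https://example.com', match: MATCH.BASE_DOMAIN }] },
  { name: 'example.com (Host)', uris: [{ uri: 'https://login.example.com', match: MATCH.HOST }] },
  { name: 'example.com (Exact)', uris: [{ uri: 'https://login.example.com/', match: MATCH.EXACT }] },
];

// A page on a poorly secured subdomain vs. the real login page.
const ATTACKER_PAGE = 'https://poorly.secured.subdomain.example.com/upload';
const LOGIN_PAGE = 'https://login.example.com/';
// Homograph lookalike: the first letter is Cyrillic "а" (U+0430). URL parsing converts the
// hostname to its punycode form, so it does not match a Latin apple.com entry.
const LOOKALIKE_PAGE = 'https://\u0430pple.com/login';

function demo() {
  return {
    onAttackerSubdomain: autofillSuggestions(SAMPLE_VAULT, ATTACKER_PAGE),
    onLoginPage: autofillSuggestions(SAMPLE_VAULT, LOGIN_PAGE),
    lookalikeHostname: parseUrl(LOOKALIKE_PAGE)?.hostname ?? '(unparseable)',
    lookalikeMatchesApple: uriMatches('https://apple.com', MATCH.BASE_DOMAIN, LOOKALIKE_PAGE),
  };
}

console.log(demo());
```

Only the "Base Domain" entry is offered on the attacker-controlled subdomain, while all three are offered on the real login page, which is the behaviour the bullet describes: tightening the match type removes the item from the menu (and from the badge count) everywhere except where you actually log in.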
grb, I was going to basically type the post you did so thanks for doing the work, LOL!
Additionally, some prefer the simplicity of storing their TOTPs in Bitwarden, but having them in a separate place is a much better security posture. Mine are on YubiKeys and it's a simple process to handle the TOTPs “elsewhere” from Bitwarden. Between offsite TOTPs and using YubiKeys for every account you can, the loss of a password would basically be a non-event. Of course you don’t want password loss, but unless the adversary can acquire the second factor it won’t really help them much. My .02
Click on one of the buttons in the pop-up (or anywhere else in the browser window).
If the pop-up form doesn’t respond (nothing happens, no matter where you click), then you are not vulnerable to that particular version of the exploit (a 1-click version based on opacity manipulation) — you could still be vulnerable to other variants of the exploit.
Otherwise, if the pop-up closes, you will see your stolen credentials displayed.
Thank you so much for the detailed and speedy reply! That makes me feel a lot better.
I’ve disabled inline autofill as per your 5th bullet point.
I must admit I’m a bit lazy and have a longer timeout on my vault locking than I really should; I’ll fix that too.
And that’s a good point about the number on the extension icon too: a quick flick through open tabs reveals about half show 1 or more, and several show at least 3. So there’s some work to do to limit this to login pages: again I’m probably quite lazy about this and use the default ‘base domain’ matching.
My understanding is that the patch (PR #16063) only addresses exploits based on opacity manipulation (i.e., transparent form elements), but that users who enable inline autofill menus may still be vulnerable to click-jacking using “Overlay” techniques.
Could you please ask one of the devs (@jprusik?) to comment on this?
While it is great that this has been fixed (partially at least), can you explain a little bit why it took this long to fix – according to the report bitwarden knew of those issues since April. Also what decision led to the “low severity” rating on hackerone?
Also when you say:
The risk can be mitigated by making your URI match detection method more specific than “Base Domain”.
This is only true for passwords, since card & identity data is not linked to URLs right?
@apollo13 Welcome to the forum! Your comment seems to be addressed (at least in part) to me, so I should clarify that I do not work for Bitwarden; although I volunteer as a forum moderator, I am just a Bitwarden customer, like you.
This would be an accurate observation. However, you should be able to eliminate the risk to credit card and identity data by disabling the options “Display cards as suggestions” and “Display identities as suggestions”, respectively (under Settings > Autofill > Show Autofill Suggestions on Form Fields).
The bullet point about the extension icon badge counter in my previous comment obviously also applies only to login items, but all other bullet points in my comment should apply equally to credit card and identity items.
Thank you for the clarification @grb, in addition to your previous comment I think it would also be worth pointing out that:
The vulnerability is way more likely to be exploited for credit/identity card data than for logins since the credit card data can be filled on every website.
Extracting login data requires pre-existing vulnerabilities on the target domain (or subdomains) – how likely that is strongly depends on the domain. The worst case obviously being domains that allow you to host user content on a subdomain, since you don’t even need a vulnerability.
The recommendation to copy&paste passwords comes with its own set of problems: It is now up to you to verify that you are entering your credentials on the correct page, which can be hard sometimes (IDN…, but you can configure your browser to show the punycode ;))
If this is so, why no mention at all in the release notes? It is a big issue to leave under “bug fixes”.
If it is not fixed, why have you said it has?
People need visibility of security issues to evaluate their security posture not silence. Can you point me towards an article from Bitwarden discussing this? Seems like an urgent out of band fix should be made.
Hi @marektoth, please continue to submit security issues and any updates to our security team through HackerOne or by reaching out to security@bitwarden.com so they can be reviewed by the correct people.