Thanks for linking this report — and I especially commend you for linking the original research report instead of some blog article or sensationalized “news” story. Marek Tóth (the author of this report) is a security researcher whom I respect, and I would take what he says seriously. The report is quite extensive, however, and I have only skimmed it. I would say that my initial take-aways are:
- Yes, you should be worried about click-jacking, but no need to panic — read on:
- A fix is already in progress; Bitwarden has just merged PR #16063, which will stop exploits based on null opacity, so this should be available in the next version (2025.7.2?). However, not all versions of the vulnerability require manipulation of opacity (see “Overlay” section).
- All versions of this exploit require the extension to be unlocked while you are interacting with some web page that is not a login page; thus, you will be protected if you follow best practices to keep your vault locked (using a short vault timeout) while it is not being actively used.
- The risk can be mitigated by making your URI match detection method more specific than “Base Domain”. For example, if you are interacting with a compromised webpage hosted at poorly.secured.subdomain.example.com, then using “Base Domain” matching for your example.com credentials will make it possible for them to be stolen — to protect yourself, you should store the exact URL of the example.com login page only (for example, https://login.example.com), and set URI matching to “Host”, “Starts With”, or “Exact”.
- The risk can be eliminated by not using inline autofill menus (disable “Show autofill suggestions on form fields” under Settings > Autofill). The report suggests that users should copy & paste credentials instead, but in my opinion, it would be safer to use alternative autofill methods (keyboard shortcut, opening the browser extension, or using the right-click context menu) or even drag-and-fill, since there are known vulnerabilities for credentials copied to the system clipboard. If you can’t live without inline autofill, you should be able to at least reduce your risk by enabling the option “Display suggestions when icon is selected” (this eliminates at least the 1-click exploits, since autofilling now will require 2 clicks).
- The risk can be mitigated by keeping an eye on the Bitwarden extension icon at the top of the browser window. If there is a number displayed in a badge overlaid on the Bitwarden icon, then there is at least one set of login credentials that can be stolen by the active webpage (assuming that you have inline autofill menus enabled). Thus, if you see such a badge counter when the browser is not displaying a login form, then you are vulnerable (i.e., you need to fix the URI match detection method for any vault items that appear in the “Autofill Suggestions” section at the top of the browser extension window). Note, however, that version 2025.7.0 has a bug that sometimes prevents the badge counter from being displayed; a recently merged fix for this bug should be available in the next release.
- The report author has proposed another mitigation (here), which involves restricting the extension’s access to the webpage (but this introduces 2 additional clicks each time that you wish to autofill).
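The following is an added illustration, not code from the post or from Bitwarden, of why the URI match detection method matters: a small model of the “Base Domain”, “Host”, “Starts With”, and “Exact” modes is run against a constructed vault and two constructed page URLs, and the number of items offered on each page stands in for the badge counter mentioned above. Base-domain extraction is simplified here to the last two DNS labels (an assumption; a real implementation consults the public suffix list), and the function and vault-item names are invented for the example.

```python
from urllib.parse import urlparse

# Hypothetical match modes, mirroring the option names discussed in the post.
BASE_DOMAIN, HOST, STARTS_WITH, EXACT = "base_domain", "host", "starts_with", "exact"


def _normalize(uri: str) -> str:
    """Assumption: a stored URI without a scheme is treated as https."""
    return uri if "://" in uri else "https://" + uri


def base_domain(hostname: str) -> str:
    """Simplified base-domain extraction: keep only the last two labels.
    Assumption: real implementations use the public suffix list, so
    e.g. example.co.uk is handled differently there."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def uri_matches(stored_uri: str, page_url: str, mode: str) -> bool:
    """Decide whether a stored vault URI matches the page URL under a mode."""
    stored = urlparse(_normalize(stored_uri))
    page = urlparse(page_url)
    if mode == BASE_DOMAIN:
        # Any subdomain of the same registrable domain matches.
        return base_domain(stored.hostname or "") == base_domain(page.hostname or "")
    if mode == HOST:
        # Hostname plus port must be identical.
        return stored.netloc.lower() == page.netloc.lower()
    if mode == STARTS_WITH:
        # The full page URL must begin with the stored string.
        return page_url.startswith(_normalize(stored_uri))
    if mode == EXACT:
        return _normalize(stored_uri) == page_url
    raise ValueError(f"unknown match mode: {mode}")


def offerable_credentials(vault, page_url: str):
    """Names of vault items that an inline autofill menu would offer on page_url.
    Each vault entry is (item_name, stored_uri, match_mode)."""
    return [name for name, uri, mode in vault if uri_matches(uri, page_url, mode)]


def badge_count(vault, page_url: str) -> int:
    """Stand-in for the extension's badge counter: items offered on this page."""
    return len(offerable_credentials(vault, page_url))


# Constructed sample vault: the same site stored under four different modes.
SAMPLE_VAULT = [
    ("example.com (base domain)", "https://example.com", BASE_DOMAIN),
    ("login.example.com (host)", "https://login.example.com", HOST),
    ("login.example.com (starts with)", "https://login.example.com/", STARTS_WITH),
    ("login.example.com (exact)", "https://login.example.com/", EXACT),
]

# Constructed page URLs: an unrelated subdomain page and the real login page.
UNRELATED_SUBDOMAIN_PAGE = "https://poorly.secured.subdomain.example.com/blog/post"
LOGIN_PAGE = "https://login.example.com/"

if __name__ == "__main__":
    for url in (UNRELATED_SUBDOMAIN_PAGE, LOGIN_PAGE):
        print(url)
        print("  badge count:", badge_count(SAMPLE_VAULT, url))
        for name in offerable_credentials(SAMPLE_VAULT, url):
            print("  offered:", name)
```

On the unrelated subdomain page only the “Base Domain” item is offered (badge count 1), which is exactly the credential the post says could be stolen there; on the login page itself all four items are offered (badge count 4), so the stricter modes lose nothing in normal use.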