Why is there a whitelist for browser that support autofill?

Im1Random · June 21, 2023, 4:13pm

I have recently noticed that Bitwarden has a hard coded list of browsers where autofill is enabled.

bitwarden/mobile/blob/master/src/Android/Autofill/AutofillHelpers.cs

using System;
using System.Collections.Generic;
using Android.Content;
using Android.Service.Autofill;
using Android.Widget;
using System.Linq;
using Android.App;
using System.Threading.Tasks;
using Android.App.Slices;
using Android.Graphics;
using Android.Graphics.Drawables;
using Android.OS;
using Android.Runtime;
using Android.Widget.Inline;
using Bit.App.Resources;
using Bit.Core.Enums;
using Android.Views.Autofill;
using AndroidX.AutoFill.Inline;
using AndroidX.AutoFill.Inline.V1;
using Bit.Core.Abstractions;

This file has been truncated. show original

I find it a bit weird to hard code only a couple supported browsers in a project since there are so many chrome based browsers and I don’t like the fact that you have to open a issue or pull request to get them added to the list. Is there any particular security reason why Bitwarden decided to do this and why not just add an option where the user can add browsers he trusts on his own?

pwseo · June 26, 2023, 11:17pm

Probably because autofill support has to be adapted to each browser.

If you take a look you’ll see there’s a list of browsers that natively support autofill, and another with apps that need a compatibility shim – there’s no way to do this other than explicitly listing application names.

Also, it’s probably a good thing that people can’t just create a browser-like malware that silently keeps info passed to them via Bitwarden’s autofill