• Swarfega@lemm.ee
    link
    fedilink
    English
    arrow-up
    9
    ·
    9 months ago

    I’ve been using this for a few weeks now and really like it. However, it doesn’t replicate the keyboard combination where it adds a TOTP after pasting your credentials ☹️

  • Pasta Dental@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    6
    arrow-down
    1
    ·
    9 months ago

    Pretty cool feature, funnily enough, Proton pass had this since basically the begining, but I don’t think there a shortcut like bitwarden, now BW has both! Though as much as I like Bitwarden, they really need to work on their speed and UI design, I find the apps to be slow and outdated looking, I much prefer proton pass in this area.

  • aeharding@lemmy.world
    link
    fedilink
    English
    arrow-up
    5
    arrow-down
    10
    ·
    9 months ago

    Thanks I hate it. Stop fucking with webpage HTML. It usually ends up looking shitty, especially if the webpage has their own buttons, like for show/hide password.

    • Atemu
      link
      fedilink
      English
      arrow-up
      9
      ·
      9 months ago

      Chill, the feature is fully optional.

      • aeharding@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        arrow-down
        7
        ·
        9 months ago

        Yeah, it’s a brand new feature being rolled out. I would be very surprised it it wasn’t enabled by default in the future, like many other password manager extensions.

      • NarrativeBear@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        arrow-down
        16
        ·
        edit-2
        9 months ago

        Some phishing websites can call on auto-fill to grab your passwords while presenting themselves as real websites.

        This means a phishing link in an email that is supposed to take you to your gmail login page (as a example) may actually be a fake page that just captured your password. And because the link was sent to your email the attacker already has your email. The worst part is you may not have noticed your password was just “taken”.

        • cron@feddit.de
          link
          fedilink
          English
          arrow-up
          25
          ·
          9 months ago

          I don’t think so. If someone sends you a link to a misspelled PayPal website, the password safe will NOT autofill the password.

          • NarrativeBear@lemmy.world
            link
            fedilink
            English
            arrow-up
            6
            arrow-down
            2
            ·
            9 months ago

            Correct, as auto-fill is based on the exact URL address. Though if a phishing site somehow managed to spoof that address, your auto-fill may give away some sensitive info before you catch it. Though this makes no difference if you enter it manually on a phishing website and press enter.

            Here is another way auto-fill in some cases on legitimate sites can pull extra information from your auto-fill with invisible auto-fill boxes on webpages.

            https://www.theguardian.com/technology/2017/jan/10/browser-autofill-used-to-steal-personal-details-in-new-phising-attack-chrome-safari

            • towerful@programming.dev
              link
              fedilink
              English
              arrow-up
              14
              ·
              9 months ago

              If someone was able to spoof an https domain that wasnt flagged by a modern browser, then that entire company has been breached. Because the attacker has access to their certificate or supply chain.

              Or the attacker has loaded their own CA certs into your browser/OS, so it automatically trusts these self-signed certs. In addition, they would also need to intercept DNS requests to replace their own malicious IP address, or NAT redirect the real IP to their malicious IP. Both of which mean your computer has been compromised, and your network/isp has been compromised.

              Or a trusted CA private key has been cracked. And the attackers can intercept DNS, or NAT redirect. In which case a huge chunk of the internet is probably fucked until OS/browsers can push an emergency revocation update.

              Maybe the website has an XSS vulnerability or similar. Im always surprised to read about those still happening in 2024, but i guess it still happens.

              The article linked still needs the above, or to be a super untrustworthy website that you are entering details into which is trying to extract these details from you.
              Considering that article was 7 years ago - and considering bitwardens reputation - i imagine they have mitigated the possibility of autofilling inputs that are not actually visible on the screen.

              Luckily, they have also thought of possible further vulnerabilities like this.
              The autofill is disabled by default.
              It reads like it only autofills associated credentials when you select a credential (so wont also fill in addresses and stuff if you select a login identity, unless you specifically select an address identity to autofill with).
              And it has an options to autofill when you focus into a form element, or only if you click the injected bitwarden icon on a form element.

              I imagine its safer to not use such conveniences. But security is always a balance against convenience. Luckily, it wont impact unsuspecting users. And i trust bitwarden to have done this sensibly, so im going to try it for a while

            • Carlos Solís@communities.azkware.net
              link
              fedilink
              English
              arrow-up
              1
              ·
              9 months ago

              Oh so THAT is why the add-on defaults autocomplete to “off” and warns about the possibility of that exact attack as the reason why it’s off by default.

        • InfiniteFlow@lemmy.world
          link
          fedilink
          English
          arrow-up
          9
          arrow-down
          1
          ·
          9 months ago

          Quite the contrary. If you have autofill on and accidentally visit amaz0n.com or whatever, it won’t autofill, and thus signal you are not where you thought you were.

        • Herbal Gamer@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          6
          ·
          9 months ago

          if I’m entering my details on a phishing website anyway, it shouldn’t really matter wether or not I typed it in or used Autofill, right?

          • cron@feddit.de
            link
            fedilink
            English
            arrow-up
            3
            ·
            edit-2
            9 months ago

            There might be a vulnerability if the attacker controls one part of a website and can embed a form there. Then the password safe might enter and send the data to the attacker.

            I don’t think that this is a very likely attack, but at least in theory this could work.

            Edit: Bitwarden protects against such attacks:

            The auto-fill menu will only fill credentials when a user selects a form field they want to interact with. This protects users from potentially malicious form fields or web pages and ensures sensitive information will never be populated without user knowledge.

            • 4am@lemm.ee
              link
              fedilink
              English
              arrow-up
              7
              ·
              9 months ago

              If an attacker can control the content delivered from a valid domain’s web server, nothing at all is going to protect you.

        • melroy@kbin.melroy.org
          link
          fedilink
          arrow-up
          2
          ·
          9 months ago

          It doesn’t get auto-filled, despite the title. It seems like there is just a drop-down menu. According to the video at least.