Bitwarden wants to protect users from phishing attacks with new autofill feature


Bitwarden has updated its autofill tool to help prevent users from having their credentials stolen in web page phishing attacks.

The open source password manager will now provide a menu when clicking on login form fields, giving you a list of possible autofill candidates from your vault to choose from. This also means that login fields will no longer be filled in automatically when you first load up a login page. 

In addition, users will now have the option to protect their autofill credentials with an extra password, to make sure they aren't automatically filled by a malicious third party.


The change to the autofill function is a response to a previously disclosed vulnerability affecting websites that use iframes.

Iframes allow for one webpage to be embedded within another, useful for inserting ads or video content within a single page. Popular websites such as Apple's and its iCloud cloud storage also use them for login fields.

However, it was found that threat actors could use malicious iframes containing form fields to steal credentials, as autofill would input the credentials straight away into said form fields. 

At the time, Bitwarden responded by saying that the risk was low, and that allowing autofill was a convenience worth having for accessing popular sites, like those of Apple and iCloud. It also noted that autofill is disabled by default, and a warning is displayed explaining the potential risks when users go to turn it on.

However, soon after, it restricted its autofill function so that it only operates in iframes on trusted domains. And it seems that Bitwarden's new autofill precaution is yet another way to address the concern.
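
The two safeguards described above (no filling on page load, and filling inside an iframe only when it is served from a trusted host) can be sketched as a single decision function. This is an added illustration, not Bitwarden's code: the function names, the exact-host-match rule and the sample hosts are all assumptions.

```javascript
// Added illustration, not Bitwarden's code; all names here are hypothetical.
// Returns the lowercase hostname of an https URL, or null for anything else.
function httpsHost(url) {
  try {
    const u = new URL(url);
    return u.protocol === "https:" ? u.hostname : null;
  } catch {
    return null;
  }
}

// Decide whether a saved login may be filled into a form in a given frame.
// Assumed policy: fill only on an explicit user choice, and only when the
// frame that owns the form is served from the saved login's own host.
function autofillDecision({ topUrl, frameUrl, savedUri, userInitiated }) {
  const top = httpsHost(topUrl);
  const frame = httpsHost(frameUrl);
  const saved = httpsHost(savedUri);
  if (!top || !frame || !saved) return { fill: false, reason: "invalid-or-non-https-url" };
  if (!userInitiated) return { fill: false, reason: "no-user-selection" };
  if (frame !== saved) return { fill: false, reason: "frame-host-not-trusted" };
  return { fill: true, reason: frame === top ? "top-level-form" : "trusted-iframe" };
}

// Constructed sample cases (hosts are placeholders, not real sites).
const cases = [
  // Form in the top-level page, user picked the entry from the menu.
  { topUrl: "https://login.example/", frameUrl: "https://login.example/",
    savedUri: "https://login.example/", userInitiated: true },
  // Same page, but the fill is attempted automatically on page load.
  { topUrl: "https://login.example/", frameUrl: "https://login.example/",
    savedUri: "https://login.example/", userInitiated: false },
  // A site embeds its own login host in an iframe.
  { topUrl: "https://www.shop.example/", frameUrl: "https://login.example/widget",
    savedUri: "https://login.example/", userInitiated: true },
  // A third-party iframe with form fields sits inside a page the user has a login for.
  { topUrl: "https://login.example/", frameUrl: "https://ads.invalid/frame",
    savedUri: "https://login.example/", userInitiated: true },
];

function runCases() {
  return cases.map((c) => autofillDecision(c).reason);
}

console.log(runCases());
```
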

In order to make the new autofill menu user-friendly, it will remain on top of all other elements on a page, and will also reposition itself according to the size of the page and where form fields appear. Users will also be able to navigate through the list of credentials in the autofill menu using the keyboard in addition to a mouse.

There are various other parameters users can adjust in the autofill settings of their Bitwarden browser extension too.


Lewis Maddison
Staff Writer
