Browser: Autofill shows random login credentials from vault

Created on 11 Jun 2020 · 7Comments · Source: bitwarden/browser

Autofill is showing me credentials from my vault not related to the website i want to login. It seems that the addon shows credentials from sites i visited before. It doesn't matter i'd logged in or not.

Steps to reproduce (with Firefox)

Install addon version 1.44.3
Start fresh instance of Firefox
Visit Site "A" and log in
Visit Site "B" and Autofill should show credentials for Site "A" and Site "B"
Visit Site "C" and Autofill should show credentials for Site "A", "B" and "C"

I checked out the source and built 1.44.2, installed it and could not reproduce this behavior in that version. Maybe the issue in 1.44.3 could come from the changes made for #1275 ?

Setup:

Firefox 77
Manjaro Linux // KDE Plasma

In https://old.reddit.com/r/Bitwarden/comments/h0dmwb/firefoxaddon_autofill_list_growing_after_serveral/ people also reporting this issue on Windows:Firefox and MacOS:Brave

Source

sczsh

Most helpful comment

Hi @clayadams5226
i also currently use the latest release (1.47.1) and the issue no longer appears.
Thank you very much!

sczsh on 16 Dec 2020

👍2

All 7 comments

I also have the same issue on Linux/Firefox 76.

Default URI Match Detection is set to "Host".

It also shows "Vault is logged out" before the other hosts.

Preisschild on 11 Jun 2020

I have not been able to reproduce the issue. We've had some internal users also experience it, but have not been able to reproduce it reliably.

kspearrin on 11 Jun 2020

Same issue on Chromium based EDGE browser in Windows. Right click and the "Autofill" shows "Vault is Logged Out" and it shows ALL logins in the Bitwarden database, not just the ones for that site.

Interesting to note, that I have another 'instance' of the Edge browser, logged into my M$ account. That one shows the correct context menu...

_What makes it work?_
Selecting the option: _"Allow in InPrivate" If you select this option, your browser history may still be recorded. Edge can't prevent the extension from saving your browser history, even in InPrivate mode._

Once "Allow in Private" is checked, you can uncheck this, and the browser extension continues to work correctly...

shanghaiknight on 11 Jun 2020

Once "Allow in Private" is checked, you can uncheck this, and the browser extension continues to work correctly...

I can confirm this for Firefox 77 on Linux. Even if you uncheck and recheck "Run in Private Windows" the issue seems gone.

Steps:

Firefox is set to "Never remember history"
Fresh Installation of the Bitwarden Firefox addon 1.44.3
Allow the addon to run in private mode

After these steps, the issue occurs. Now:

Open addon settings
Switch on "Run in Private Windows" from "Allow" to "Don't Allow"
Switch on "Run in Private Windows" from "Don't Allow" to "Allow"

The issue no longer occurs. I had to reinstall the plugin to reproduce the issue again

sczsh on 12 Jun 2020

Issue still present on 1.45. Above mentioned workarounds work, but the issue returns when you log out and log in again. Just locking and unlocking the vault does not seem to cause this problem.