Browser: Double-clicking login autofills the incorrect credentials

Created on 16 Sep 2020  ·  6 Comments  ·  Source: bitwarden/browser

Describe the Bug

If autofill is enabled, double-clicking a login from the extension often fills credentials from a different login which matches the site URL.

When using the search box to find and launch a login URL, it can reasonably be expected that whichever specific login a user double-clicks is the particular set of credentials that the user wants to use in that instance. Autofilling credentials from a DIFFERENT login than the one clicked is, IMHO, not only a bug, but a security risk, since the user may unknowingly log in to a site using the wrong set of credentials and then proceed to use the site under the wrong persona.

Steps To Reproduce

This bug manifests if the user has multiple logins for the same target website. To see the problem:

  1. Use the extension drop-down window to search for a site at which you have multiple logins (e.g. usernameA, usernameB, usernameC).
  2. Double-click on the login for "usernameA" to launch the site.

Expected Result

The credentials for "usernameA" should be autofilled, since that is the specific login that was double-clicked.

Actual Result

The credentials for "usernameA", "usernameB" or "usernameC" may be autofilled, based on whichever login was most recently used.

Environment

  • Operating system: Windows 10
  • Browser: Chrome 83.0.4103.116 (Official Build) (64-bit)
  • Build Version (go to "Settings" → "About" in the app): 1.46.1

All 6 comments

@xusoo would appreciate some help taking a look at this

@cscharf This is not related to the new cycling functionality AFAIK. The problem I believe (looking at the code) is that when you launch a site from the extension popup, it really doesn't send which login you want to use, it just opens a new tab with the URL from the selected login. And then, if you have auto-fill on page load enabled, it will try to load the last used login (not the one you clicked). In fact, if you don't have auto-fill on page load enabled, it won't fill anything.

So it's just how Bitwarden works. This would be a nice feature, but it's not a bug I guess.
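The launch-then-autofill sequence described in the comment above, as an added JavaScript model that is not Bitwarden's code: the vault entries, `launchCurrent`, `launchFixed` and `autofillOnLoad` are constructed for illustration and only mimic the behaviour the thread describes.

```javascript
// Added example (not Bitwarden's code). Constructed sample vault:
// three logins for the same host, one for another host.
const vault = [
  { id: "a", uri: "https://example.test/login", username: "usernameA", lastUsed: 100 },
  { id: "b", uri: "https://example.test/login", username: "usernameB", lastUsed: 300 },
  { id: "c", uri: "https://example.test/login", username: "usernameC", lastUsed: 200 },
  { id: "d", uri: "https://other.test/", username: "elsewhere", lastUsed: 400 },
];

function hostOf(uri) { return new URL(uri).host; }

// Every vault login whose URI matches the tab's host is a fill candidate.
function matchingLogins(entries, tabUrl) {
  const host = hostOf(tabUrl);
  return entries.filter((e) => hostOf(e.uri) === host);
}

// Behaviour reported in the thread: "launch" only opens the URL; the
// identity of the entry the user double-clicked is not carried along.
function launchCurrent(entry) {
  return { tabUrl: entry.uri };
}

// Fixed variant (hypothetical): pass the selected entry's id with the tab.
function launchFixed(entry) {
  return { tabUrl: entry.uri, launchedId: entry.id };
}

// Autofill on page load. If a launched id is present AND still matches the
// tab's host, honour it; otherwise fall back to the most recently used match.
function autofillOnLoad(entries, tab) {
  if (tab.launchedId) {
    const chosen = entries.find((e) => e.id === tab.launchedId);
    if (chosen && hostOf(chosen.uri) === hostOf(tab.tabUrl)) return chosen;
  }
  const matches = matchingLogins(entries, tab.tabUrl);
  if (matches.length === 0) return null;
  return matches.reduce((best, e) => (e.lastUsed > best.lastUsed ? e : best));
}

// The user double-clicks "usernameA"; compare what each launch path fills.
function demo() {
  const a = vault.find((e) => e.id === "a");
  return {
    current: autofillOnLoad(vault, launchCurrent(a)).username, // "usernameB"
    fixed: autofillOnLoad(vault, launchFixed(a)).username,     // "usernameA"
  };
}
```

The host check on the launched id is the guard a defender wants: the remembered selection is only honoured for the site it belongs to, so it can never fill another site's credentials.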

Thank you so much @xusoo for looking at that (cc: @addisonbeck), I believe we honestly missed a key word from the OP ("launch"):

Double-click on the login for "usernameA" to _launch_ the site.

@kriswilk, is this an accurate summary of what you're experiencing? If so, it seems like a reasonable feature request in regards to that behavior; would you please consider closing this and instead opening a feature request in our community forums?

Actually, I sort of suspected that the current behaviour was simply to launch the site, and considered just filing a feature request. However, I entered this as a bug report because the average user with autofill enabled will (almost certainly) expect that the credentials of the login they selected are those that are filled.

Even though I know about this problem I've been caught by it many times, logging in with the wrong credentials.

Please think about this issue and if you really believe it's just a feature request then I'll switch my focus there. But I do think this represents a security risk and that it should be addressed more directly.

Thanks @kriswilk, I appreciate it. I do feel this would be a great feature request and a viable enhancement to the user behavior of Bitwarden's browser extension. As far as security risk, if you have multiple accounts in your vault for the same site, I do wonder what use-case could cause a security issue there since you are autofilling credentials for the site (where you have access to the credentials in your vault which are saved for that site).

Ultimately our community and customer success teams give a lot of focus to our community forums and highly voted feature requests, which we review as part of our product and roadmap discussion; I'm afraid this may get buried here on GitHub as a low-priority enhancement/issue. I'll leave it up to you how you would like to move forward. Thanks again for the detail, follow-up and consideration!

@kriswilk @xusoo thank you both for the help here! Should be fixed on next release 😁
