
Invasive when not even in use

Open garygreen opened this issue 6 years ago • 14 comments

When using the Chrome browser extension, when you click on a checkbox on the page the element gets a:

data-com.bitwarden.browser.user-edited="yes"

Attribute added to it.


This page has:

  • NO credentials on it (no password input, it's a contact form, not a login form)
  • Bitwarden is not in use and has not been interacted with manually at all.

So my question is, isn't this a bit invasive? Why is Bitwarden seemingly interested in form elements on a page that it should have no business in? It gets me worried.

IMO, Bitwarden should only ever initialise MINIMAL code in order to determine if the page contains a form with credentials. In all other instances, there should be no code or invasive elements or listeners added to the page.

garygreen avatar Sep 12 '18 13:09 garygreen

You can view the autofill code that does this here: https://github.com/bitwarden/browser/blob/master/src/content/autofill.js

kspearrin avatar Sep 12 '18 13:09 kspearrin

It even does it when you're using something like CodePen:

https://codepen.io/garygreen/pen/aaGBbV

It's pretty ridiculous that it's this invasive.

garygreen avatar Sep 12 '18 13:09 garygreen

I agree this is super annoying. I'm developing a website and bitwarden is modifying my html when I haven't even clicked on the bitwarden plugin and the page itself has zero password fields on it.

mirraj2 avatar Feb 17 '19 02:02 mirraj2

@kspearrin any news on this? I still find it a bit concerning how much Bitwarden chrome extension interferes with all pages. It should only inject/enable the most minimal amount of code when it needs to, not on every page load.

garygreen avatar Apr 12 '19 14:04 garygreen

This leaks the fact that the user is using Bitwarden as their password manager to the server.

ianling avatar Feb 23 '21 20:02 ianling

Had this just now as well, this is quite a serious issue, especially when using contenteditable.

Because of this, I will restrict only to specific sites.

ScalaWilliam avatar Apr 03 '21 20:04 ScalaWilliam

> This leaks the fact that the user is using Bitwarden as their password manager to the server.

How so? Does this not just manipulate data on the DOM, locally?

NOVATechnocrat avatar May 24 '21 20:05 NOVATechnocrat

> > This leaks the fact that the user is using Bitwarden as their password manager to the server.
>
> How so? Does this not just manipulate data on the DOM, locally?

Yes, that's what it does. And JavaScript running locally can easily detect this and send it to the server.

climbTheStairs avatar May 25 '21 07:05 climbTheStairs
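
For site authors who serialize DOM content (for example a contenteditable editor's HTML) and do not want the extension's marker stored or sent to the server, here is an added example, not part of the thread or of Bitwarden's code, that strips attributes carrying the prefix quoted in the issue. `stripInjectedAttributes`, `fakeElement` and `sampleForm` are hypothetical names, and the fake elements are constructed stand-ins so the block runs under Node.

```javascript
// Prefix taken from the attribute quoted in the issue:
//   data-com.bitwarden.browser.user-edited="yes"
const INJECTED_PREFIX = "data-com.bitwarden.browser.";

// Walk an element subtree, remove every attribute whose name starts with the
// prefix, and return a report of what was removed. Accepts real DOM Elements
// (attributes / children / removeAttribute) or the stand-ins defined below.
function stripInjectedAttributes(root, prefix = INJECTED_PREFIX) {
  const removed = [];
  const stack = [root];
  while (stack.length > 0) {
    const el = stack.pop();
    // Copy first: removing while iterating a live NamedNodeMap skips entries.
    for (const { name, value } of Array.from(el.attributes)) {
      if (name.toLowerCase().startsWith(prefix)) {
        el.removeAttribute(name);
        removed.push({ tag: el.tagName, name, value });
      }
    }
    stack.push(...Array.from(el.children));
  }
  return removed;
}

// Constructed stand-in for a DOM element so the example runs without a browser.
function fakeElement(tagName, attrs = {}, children = []) {
  const el = {
    tagName,
    children,
    attributes: Object.entries(attrs).map(([name, value]) => ({ name, value })),
    removeAttribute(name) {
      el.attributes = el.attributes.filter((a) => a.name !== name);
    },
  };
  return el;
}

// Constructed sample: a contact form whose checkbox the user has clicked.
function sampleForm() {
  const marked = { type: "checkbox", name: "subscribe" };
  marked[INJECTED_PREFIX + "user-edited"] = "yes";
  return fakeElement("FORM", { action: "/contact" }, [
    fakeElement("INPUT", { type: "text", name: "email" }),
    fakeElement("INPUT", marked),
  ]);
}

console.log(stripInjectedAttributes(sampleForm()));
```

In a browser, call it on a clone of the subtree (`node.cloneNode(true)`) just before reading `innerHTML`, so the live page is left untouched.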

Hi @garygreen, We're cleaning up our repositories in preparation for a major reorganization. Issues from last year will be marked as stale and closed after two weeks. If you still need help, comment to let us know and we'll look into it. Thanks!

bitwarden-bot avatar Apr 12 '22 19:04 bitwarden-bot

Extension interferes, example here : image

Nextcloud extension https://github.com/shiningw/ncdownloader

emericv avatar Apr 12 '22 19:04 emericv

This issue should still be addressed as it also breaks functionality on some websites. Besides what @emericv posted, when Bitwarden tries to mark a contenteditable input as user-edited, it causes an Index Error. See https://github.com/ueberdosis/tiptap/issues/2697

pkkid avatar Apr 12 '22 19:04 pkkid

I'd love for my password manager to not break my websites ✌️

Please fix this! <3

SarcevicAntonio avatar Apr 26 '22 09:04 SarcevicAntonio

Would love to see a fix for this, Bitwarden.

vedernikovalex avatar Aug 07 '22 09:08 vedernikovalex

Hi all, thank you for bringing this to our notice; looks like this has been lingering for a while. I'd pass this on to the team and we will make time to take a look!

dbosompem avatar Aug 08 '22 14:08 dbosompem

@dbosompem Do you know when this will be resolved??

suchintan avatar Oct 02 '22 21:10 suchintan

@dbosompem Do you know if this issue is on any type of roadmap? It causes issues on certain sites for me.

hkbertoson avatar Nov 04 '22 21:11 hkbertoson

@dbosompem please "take a look". While this is not the most serious issue, it is pretty serious.

flexagoon avatar Nov 04 '22 23:11 flexagoon

Hi all, apologies nearly missed this. Thanks for the callout. I'd have a discussion with the team on when we can resolve this, as we might have to take a look at the autofill script. Apologies for the inconvenience caused and thank you for your patience so far. I'd reply to this thread once there's a known ETA for this fix.

dbosompem avatar Nov 07 '22 15:11 dbosompem

> Hi all, apologies nearly missed this. Thanks for the callout. I'd have a discussion with the team on when we can resolve this, as we might have to take a look at the autofill script. Apologies for the inconvenience caused and thank you for your patience so far. I'd reply to this thread once there's a known ETA for this fix.

This would be great! If we could even just blacklist certain sites. That would be great.

hkbertoson avatar Nov 07 '22 15:11 hkbertoson

@dbosompem I looked at the autofill source code and it doesn't look like the userEdited variable is even used anywhere in the code.

flexagoon avatar Nov 07 '22 18:11 flexagoon

@dbosompem I believe I fixed the issue with #4001. I tested it out and nothing seemed to be broken.

hkbertoson avatar Nov 07 '22 20:11 hkbertoson

@hkbertoson thank you for the kind consideration. The team will make time and take a look at the PR.

dbosompem avatar Nov 09 '22 14:11 dbosompem

@dbosompem Any updates on this?

hkbertoson avatar Dec 07 '22 13:12 hkbertoson