Could hidden password fields allow someone to steal your info?

Edit: After some quick research and responses, it seems password fields will not autofill. However, things like address and credit card info might.

I was looking into how autofill works and wondered why someone couldn’t create hidden address or credit card fields in a form to steal your info. I’m thinking that if the elements are correctly typed (like “address”), your password manager might fill them in.

For example, on a fake contact page:

email:____ ← would trigger autofill

message:____

[hidden] address:____ ← might autofill due to the email field?

[hidden] credit card: ____

With those hidden fields, I’m assuming they could autofill themselves?

Don’t password managers only autofill if the domain matches? Even if this worked, you’d first have to exploit the actual backend. There are easier ways to do harm at that point.

Peyton said:
Don’t password managers only autofill if the domain matches? Even if this worked, you’d first have to exploit the actual backend. There are easier ways to do harm at that point.

The concern raised here, along with DNS poisoning, is certainly possible.

@Dez
My password manager won’t fill credentials on an HTTP site, and DNS poisoning won’t result in valid SSL unless you’re already in a bad situation.

Marley said:
@Dez
My password manager won’t fill credentials on an HTTP site, and DNS poisoning won’t result in valid SSL unless you’re already in a bad situation.

That’s a great point. Does the browser even save credentials for non-HTTPS sites? SSL would be a barrier, but the method itself is still technically possible.

@Dez
If you can hijack someone’s domain and fake HTTPS, why not just steal the password next time they log in? This seems like phishing.

Peyton said:
Don’t password managers only autofill if the domain matches? Even if this worked, you’d first have to exploit the actual backend. There are easier ways to do harm at that point.

You’re correct, I looked into it further and domain-specific settings will only work if they match. But there are “general” settings in Bitwarden that can apply regardless of the domain, like name, phone number, address, and credit card (not CVV).

@Vic
Credit cards won’t autofill at all over HTTP. And as u/ceejayoz pointed out, HTTPS won’t be effective with DNS poisoning.

@Vic
But those details aren’t usually autofilled, right? I’ve never had my CC info filled without explicitly selecting it.

Peyton said:
Don’t password managers only autofill if the domain matches? Even if this worked, you’d first have to exploit the actual backend. There are easier ways to do harm at that point.

That used to be a thing with Android and apps using a webview, where it was possible to load a webpage and then retrieve login details after autofill.

This could technically work, but any decent password manager (like 1Password or Bitwarden) will only autofill with your permission, will ask for confirmation for credit card info, and will only fill login details for the site you’re visiting.

This attack is definitely possible. Some password managers might look out for such attempts.

This is also why it’s better to use something like 1Password, where your info is only inserted when you perform a key command or explicitly approve it. Browser autofill has its vulnerabilities.

That said, what’s the real threat here? This website can already collect your password if you made one for it, since you send it to their backend when logging in. A bigger concern is them collecting your phone number, address, etc.

@Valentine
I thought about this while filling out a form to apply for a family doctor. I typed my name, and it autofilled everything else stored in my Bitwarden account (first/last name, address, zip code, city). I wondered if they hid a credit card field, would my password manager have autofilled that too?

@Vic
Chrome requires approval to autofill a credit card.

Autofill for credit cards requires you to enter the CVV code.

Whit said:
Autofill for credit cards requires you to enter the CVV code.

It also lets you choose which card to autofill if you have multiple cards saved. So, while I see this working in theory, it may not be effective for most users.

It’s a known tactic. You can also try to get credit card autofill as well. There’s potential beyond just passwords.

Aren’t fields autofilled only if the page URL matches? And only if you saved for that page/URL?

Blakeley said:
Aren’t fields autofilled only if the page URL matches? And only if you saved for that page/URL?

True for logins, but OP is asking about general fields like address, email, etc.

@Mika
They edited their post, but I think my response still applies. Browsers save fields for a specific URL. Pages with saved credit card numbers are likely stored at the host site and sent to the browser when needed.
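A check a reviewer could run against the kind of form sketched in the question, as an added example that is not part of the original thread: it flags fields that carry address or card autofill hints but are not visible to the user. The field descriptors, `auditFields`, `hiddenReason` and the name-based heuristic are assumptions made for illustration.

```javascript
// Added example (not from the thread): flag fields a user cannot see but autofill could target.
// In a browser each descriptor would come from getComputedStyle() and getBoundingClientRect().

// HTML autocomplete tokens that carry personal or payment data.
const SENSITIVE = /^(name|given-name|family-name|email|tel|street-address|address-line[123]|address-level[1-4]|postal-code|country|cc-(name|number|exp|exp-month|exp-year|csc))$/;
// Assumption: with no token set, autofill may guess from the field name, so check that too.
const NAME_HINT = /(address|street|zip|postal|phone|card)/i;

// Returns why a field is invisible to the user, or null if it looks visible.
function hiddenReason(f) {
  const s = f.style || {};
  const r = f.rect || { width: 100, height: 20, left: 0, top: 0 };
  if (s.display === "none") return "display:none";
  if (s.visibility === "hidden") return "visibility:hidden";
  if (parseFloat(s.opacity) === 0) return "opacity:0";
  if (r.width <= 1 || r.height <= 1) return "collapsed to <=1px";
  if (r.left + r.width < 0 || r.top + r.height < 0) return "positioned off-screen";
  return null;
}

function auditFields(fields) {
  const findings = [];
  for (const f of fields) {
    const tokens = (f.autocomplete || "").toLowerCase().split(/\s+/).filter(Boolean);
    const token = tokens.find((t) => SENSITIVE.test(t));
    const hint = token || (NAME_HINT.test(f.name || "") ? "name~" + f.name : null);
    const reason = hiddenReason(f);
    if (hint && reason) findings.push({ field: f.name, hint, reason });
  }
  return findings;
}

// Constructed sample mirroring the contact form in the question.
const visible = { width: 240, height: 32, left: 20, top: 40 };
const sampleForm = [
  { name: "email", autocomplete: "email", style: {}, rect: visible },
  { name: "message", autocomplete: "off", style: {}, rect: visible },
  { name: "addr", autocomplete: "shipping street-address", style: {}, rect: { ...visible, left: -9999 } },
  { name: "cardnumber", autocomplete: "", style: { opacity: "0" }, rect: visible },
];

console.log(auditFields(sampleForm));
```

The visible email and message fields pass; the off-screen address field and the transparent card field are reported with the hint and the reason they are hidden.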