Unsandboxed Password Manager (github.com/google)
5 points by mgerdts on Jan 21, 2023 | 1 comment


As a Bitwarden user this is a bit concerning.

Looking into it, though, Bitwarden matches the URI only to the top-level domain. The example site has the same URI. A user entering credentials into a compromised website is equally vulnerable to this issue, password manager or not. If I am served a news.ycombinator.com/fake-login, and I don’t verify that the page is wrong, Google reports here that only the built-in Chromium password manager is safe?

Looking at the linked pull request for Bitwarden[0], it is not clear that this has not been resolved but there does at least appear to be some efforts moving towards a fix. Wonders of open source!

[0]: https://github.com/bitwarden/clients/pull/3860
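
Added example, not part of the comment above and not Bitwarden's or Chromium's code: a sketch of how the URI match policy decides which pages a saved login is offered on. The policy names, the naive `baseDomain` helper and the sample URLs are assumptions made for this illustration.

```javascript
// Policy names are hypothetical labels for this sketch.

// Naive registrable domain: the last two labels of the hostname.
// Assumption: no Public Suffix List lookup, so hosts under suffixes
// such as "co.uk" are not handled correctly here.
function baseDomain(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// True when a login saved for savedUri would be offered on pageUri.
function uriMatches(savedUri, pageUri, policy) {
  const saved = new URL(savedUri);
  const page = new URL(pageUri);
  switch (policy) {
    case 'base-domain':
      return baseDomain(saved.hostname) === baseDomain(page.hostname);
    case 'host':
      return saved.host === page.host; // hostname plus port
    case 'exact':
      return saved.href === page.href; // scheme, host, path and query
    default:
      throw new Error(`unknown policy: ${policy}`);
  }
}

// Constructed sample data built around the URL in the comment.
const SAVED = 'https://news.ycombinator.com/login';
const PAGES = [
  'https://news.ycombinator.com/login',
  'https://news.ycombinator.com/fake-login',
  'https://other.ycombinator.com/login',
  'https://ycombinator.example/login',
];

// For each policy, list the pages on which the saved login matches.
function matchTable() {
  const table = {};
  for (const policy of ['base-domain', 'host', 'exact']) {
    table[policy] = PAGES.filter((p) => uriMatches(SAVED, p, policy));
  }
  return table;
}

console.log(matchTable());
```

In this sketch a different path on the same host matches under both the base-domain and host policies; only the exact policy excludes it.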



