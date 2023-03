By design, password manager extensions autofill credentials on any web page for which the user has saved a login. However, the extension will also perform this autofill inside an iframe without performing a Same-origin Policy check. So if a page contains a malicious iframe from a different domain, the manager unknowingly hands your credentials to that iframe, which can send them on to an attacker's server. The extension can even fill out the login form pre-emptively, without any user interaction; in Bitwarden this is a setting called "Auto-fill on page load."

Most password managers have checks in place that at least warn users of this potential danger. Bitwarden, however, neither prevents nor warns that an iframe from a different domain may be stealing credentials: it assumes that all iframes on a login page are safe. It said as much in a 2018 security report, but more on that later.
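To make the missing check concrete, here is an added example of the same-origin test a password manager content script could run before autofilling a form in a frame. This is illustrative code written for this page, not Bitwarden's or any other manager's implementation; the hostnames are constructed, and `shouldAutofill` is a hypothetical function that takes the origin the credential was saved for, the origin of the frame holding the form, and the origins of every enclosing frame (the shape of `location.ancestorOrigins`). The rule it enforces is the one the post says is absent: only fill when the form's frame and every ancestor frame share the saved credential's origin.

```javascript
// Added example (not Bitwarden's code): a same-origin gate for autofill.
// Origins are compared as scheme + host + port, the browser's own notion
// of "same origin", so a cross-domain iframe never receives credentials.

function normalizeOrigin(urlOrOrigin) {
  // new URL() throws on garbage and on the opaque origin string "null";
  // anything unparsable is treated as untrusted (returns null).
  try {
    return new URL(urlOrOrigin).origin;
  } catch (e) {
    return null;
  }
}

// savedOrigin:     origin the stored credential belongs to (from the vault entry).
// frameOrigin:     origin of the document that contains the login form.
// ancestorOrigins: origins of every enclosing frame up to the top-level page
//                  (empty array for a top-level page).
function shouldAutofill(savedOrigin, frameOrigin, ancestorOrigins) {
  const saved = normalizeOrigin(savedOrigin);
  const frame = normalizeOrigin(frameOrigin);
  if (saved === null || frame === null) {
    return { allow: false, reason: 'unparsable or opaque origin' };
  }
  if (frame !== saved) {
    // The form lives in a frame that is not the site the credential is for,
    // e.g. a malicious iframe embedded in the real login page.
    return { allow: false, reason: `form frame ${frame} is not the saved origin ${saved}` };
  }
  for (const ancestor of ancestorOrigins) {
    const a = normalizeOrigin(ancestor);
    if (a === null || a !== saved) {
      // The login page itself is framed by another origin; do not fill.
      return { allow: false, reason: `enclosing frame ${ancestor} is a different origin` };
    }
  }
  return { allow: true, reason: ancestorOrigins.length === 0 ? 'top-level page' : 'all frames same-origin' };
}

// Browser-side wrapper (hypothetical; not exercised under Node). Chromium and
// WebKit expose location.ancestorOrigins; elsewhere, reading top.location.origin
// throws for a cross-origin top, which is itself the signal to refuse.
function decideForWindow(win, savedOrigin) {
  const frame = win.location.origin;
  if (win.location.ancestorOrigins) {
    return shouldAutofill(savedOrigin, frame, Array.from(win.location.ancestorOrigins));
  }
  if (win === win.top) return shouldAutofill(savedOrigin, frame, []);
  try {
    return shouldAutofill(savedOrigin, frame, [win.top.location.origin]);
  } catch (e) {
    return { allow: false, reason: 'top-level origin not readable: cross-origin frame' };
  }
}

// Constructed scenarios with hypothetical hostnames.
const SAVED = 'https://login.example.com';
const scenarios = [
  ['https://login.example.com/signin', []],                                 // plain top-level login page
  ['https://login.example.com/signin', ['https://login.example.com/']],    // same-origin iframe
  ['https://attacker.example.net/', ['https://login.example.com/']],       // foreign iframe on the login page
  ['https://login.example.com/signin', ['https://attacker.example.net/']], // login page framed by a foreign site
];
for (const [frame, ancestors] of scenarios) {
  const d = shouldAutofill(SAVED, frame, ancestors);
  console.log(`${d.allow ? 'AUTOFILL' : 'BLOCK   '} frame=${frame} ancestors=[${ancestors}] (${d.reason})`);
}
```

Run under Node to see the four decisions; only the first two scenarios fill. Matching on the saved origin rather than on the top-level page's URL is the point: deciding from the parent page alone is exactly what lets a foreign iframe on a legitimate login page receive the credentials.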