Hot Take Bitwarden Autofill Flaw can let Hackers Steal Passwords using iframes

LASER_oneXM

Level 37
Thread author
Verified
Top Poster
Well-known
Feb 4, 2016
2,520
Bitwarden's credentials autofill feature contains a risky behavior that could allow malicious iframes embedded in trusted websites to steal people's credentials and send them to an attacker.
The issue was reported by analysts at Flashpoint, who said Bitwarden first learned of the problem in 2018 but chose to allow it to accommodate legitimate sites that use iframes.

Although the auto-fill feature is disabled on Bitwarden by default, and the conditions to exploit it aren't abundant, Flashpoint says there are still websites that meet the requirements where motivated threat actors can attempt to exploit these flaws.

(Un)conditional auto-fill

Bitwarden is a popular open-source password management service with a web browser extension that stores secrets like account usernames and passwords in an encrypted vault. ... ... ...
 

Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
Should Bitwarden users be concerned by this? What do they mean by not changing the iframe functionality? Was there another proposed method for handling iframes?
Responding to Flashpoint's second report about the URI handling and how auto-fill treats subdomains, Bitwarden promised to block autofill on the reported hosting environment in a future update but do not plan on changing the iframe functionality.
 

SeriousHoax

Level 47
Well-known
Mar 16, 2019
3,630
True, but how often do users encounter them? And how?
Mainly inexpert users of pirated software, but there are other ways too, I think. Read a CrowdStrike blog the other day where they said that many threat actors are moving away from ransomware to data exfiltration techniques.
Your way of storing passwords is the safest as you wrote in your config "Little black book + brain.exe."
 

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,506
From the comments on that article:
Why is this a "flaw" with Bitwarden?

Auto-fill wasn't on by default the many times I've set it up (for myself and others). Is it a flaw with seatbelts that if you choose not to use them you can go through the windshield?
Not a flaw. A risky feature that they warn you with big scary letters before you're able to turn it on.
 

ForgottenSeer 98186

If no auto-fill in BW then why use a PM?
With BW you click on the login in the PWM and it will fill the username and password.

The security issue is when you navigate to a webpage and set the password manager to autofill without clicking any login button. In that case, the auto-fill will fill whatever fields are available - including invisible (malicious) ones.

I personally do not use a PWM to autofill as I know it is an unsafe practice. I am not that lazy to copy-paste passwords and type in the user name. Plus a lot of websites design their login authentication to prevent autofill by PWM, so having the feature is not much of a convenience nowadays.

Is auto-fill by other PMs equally dangerous?

:rolleyes:
Absolutely. Even KeePass with the autofill plugin.
 

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,506
Flashpoint security researchers recommend that Bitwarden users disable the Auto-Fill on page load feature and set the Default URI Match Detection setting to Host or Exact.
This will reduce exploitation of the vulnerability via subdomains at hosting providers.
It should be noted that credential disclosure is not prevented when a web application embeds potentially attacker-controlled iframes in a login page.
 

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,506
Bitwarden's fix
Bitwarden created a fix for the issue that is documented on the company's official GitHub website. Bitwarden engineers addressed the issue by changing how autofill on page load works. It will still fill out login data automatically, but only on trusted domains. When users fill out data manually, they do get a warning prompt if the iframe is untrusted.

In other words, Bitwarden's auto-fill functionality has the following characteristics now:
  • Auto-fill on page load is disabled, just like before.
  • When a user enables the feature, Bitwarden will use the feature only for trusted domains and URLs that the user added specifically to the application. Trusted domains include domains that match the URL the user visited in the browser.
  • Bitwarden users who use manual auto-fill get a warning if they try to fill in an untrusted iframe. The application displays the URL in a popup, giving the user the option to proceed or cancel.
Bitwarden says that this "eliminates the iframe attack vector while still allowing convenient autofill functionality for sites that have trusted iframes".

Bitwarden users who have autofill on page load enabled do not need to do anything to benefit from the new feature. Next week's Bitwarden update includes the updated autofill on page load logic for all users of the password manager.
 
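To make the two controls discussed above concrete (the URI match detection setting from Flashpoint's advice, and the trusted-domain / untrusted-iframe logic in Bitwarden's fix), here is a small JavaScript model of how an extension can gate autofill. It is an added illustration, not code from this thread or from Bitwarden; the function names, the `trustedFrameHosts` list, the "base" match mode approximation and every hostname in the scenarios are assumptions made for the example.

```javascript
// Added illustration (not Bitwarden's code): a model of autofill gating that
// combines URI match detection with a top-frame / iframe origin check.
// Function names, the trustedFrameHosts list and all URLs are assumptions.

// Approximation of the registrable ("base") domain: the last two DNS labels.
// Real password managers consult the Public Suffix List; this shortcut is an
// assumption of the example and shows why shared hosting domains are risky.
function baseDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  return labels.length <= 2 ? labels.join(".") : labels.slice(-2).join(".");
}

// URI match detection: does the vault entry's URI match the tab the user is on?
//   "base"  - same registrable domain (any sibling subdomain matches)
//   "host"  - same hostname and port
//   "exact" - the full URL must be identical
function uriMatches(savedUri, tabUrl, mode) {
  const saved = new URL(savedUri);
  const tab = new URL(tabUrl);
  switch (mode) {
    case "exact": return saved.href === tab.href;
    case "host":  return saved.host === tab.host;
    case "base":  return baseDomain(saved.hostname) === baseDomain(tab.hostname);
    default:      throw new Error(`unknown match mode: ${mode}`);
  }
}

// Decide what the extension should do for one login form living in frameUrl
// while the address bar shows tabUrl.
//   trigger: "pageLoad" (automatic fill) or "manual" (user picked the login)
// Returns { action: "fill" | "block" | "prompt", reason }.
function autofillDecision({ savedUri, matchMode, tabUrl, frameUrl, trigger, trustedFrameHosts = [] }) {
  if (!uriMatches(savedUri, tabUrl, matchMode)) {
    return { action: "block", reason: "vault entry does not match the tab URL" };
  }
  const tabOrigin = new URL(tabUrl).origin;
  const frame = new URL(frameUrl);
  if (frame.origin === tabOrigin) {
    return { action: "fill", reason: "top frame or same-origin iframe" };
  }
  if (trustedFrameHosts.includes(frame.hostname.toLowerCase())) {
    return { action: "fill", reason: "iframe host explicitly trusted by the user" };
  }
  // A cross-origin iframe the user never trusted, hidden or not, must not receive
  // credentials automatically. On a manual fill, show the frame URL and let the
  // user decide.
  if (trigger === "pageLoad") {
    return { action: "block", reason: `untrusted iframe ${frame.origin}; page-load autofill suppressed` };
  }
  return { action: "prompt", reason: `untrusted iframe ${frame.origin}; confirm before manual fill` };
}

// Constructed scenarios (all hostnames are made up for this example).
const scenarios = [
  { name: "shared host, base-domain matching",
    savedUri: "https://alice.webhost.example/login", matchMode: "base",
    tabUrl: "https://mallory.webhost.example/", frameUrl: "https://mallory.webhost.example/",
    trigger: "pageLoad" },
  { name: "shared host, host matching",
    savedUri: "https://alice.webhost.example/login", matchMode: "host",
    tabUrl: "https://mallory.webhost.example/", frameUrl: "https://mallory.webhost.example/",
    trigger: "pageLoad" },
  { name: "trusted site, hidden third-party iframe, page load",
    savedUri: "https://bank.example/login", matchMode: "host",
    tabUrl: "https://bank.example/login", frameUrl: "https://widgets.thirdparty.example/embed",
    trigger: "pageLoad" },
  { name: "trusted site, hidden third-party iframe, manual fill",
    savedUri: "https://bank.example/login", matchMode: "host",
    tabUrl: "https://bank.example/login", frameUrl: "https://widgets.thirdparty.example/embed",
    trigger: "manual" },
  { name: "trusted site, user-trusted login iframe",
    savedUri: "https://bank.example/login", matchMode: "host",
    tabUrl: "https://bank.example/login", frameUrl: "https://login.bank-sso.example/form",
    trigger: "pageLoad", trustedFrameHosts: ["login.bank-sso.example"] },
];

// Evaluate every scenario; returns the decisions in scenario order.
function runScenarios() {
  return scenarios.map((s) => ({ name: s.name, ...autofillDecision(s) }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of runScenarios()) {
    console.log(`${r.action.padEnd(6)} ${r.name}: ${r.reason}`);
  }
}
```

Running the scenarios shows the two points the thread makes: with base-domain matching a vault entry for one customer subdomain of a shared host is offered to every sibling subdomain (the first scenario fills), while Host or Exact matching blocks it; and a cross-origin iframe on an otherwise trusted page is blocked on page load and only prompts on a manual fill, unless the user has explicitly trusted that frame host.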

Oxygen

Level 44
Verified
Feb 23, 2014
3,316
I've been using Bitwarden since 2016 before they even implemented the autofill functionality. Before that, I was using LastPass for years, which already had said feature, so using Bitwarden without it for a while is what made me accustomed to doing without it.
 

ForgottenSeer 98186

I've been using Bitwarden since 2016 before they even implemented the autofill functionality. Before that, I was using LastPass for years, which already had said feature, so using Bitwarden without it for a while is what made me accustomed to doing without it.
What amazes me is that people are not understanding at all. Autofill is only one aspect of it. If a Bitwarden user does not use Autofill, they are still completely susceptible to hidden malicious iFrames when they select the login inside the Bitwarden extension and double-click on it to fill the username and password fields for them. When they use that method, Bitwarden also fills the fields in any hidden iFrames.

A user is only protected if they manually copy-pasta both the username and password from within Bitwarden. They should never use autofill whatsoever. Of course this is completely unpopular and unacceptable to a lot of users. Their view is that the primary purpose of a password manager is to fill the login for them. Nope. They are utterly wrong. That is just a convenience feature. Just proves how lazy and careless users are. So dependent upon convenience features that they will sacrifice their own security.
 
