Bitwarden, a popular open-source password management service, has a potentially dangerous security flaw that could allow threat actors to steal login credentials through malicious iframes. While Bitwarden has been aware of the issue since 2018, it has yet to be resolved due to the need to accommodate legitimate sites that use iframes.
Bitwarden’s web browser extension stores login details in an encrypted vault and automatically fills them in upon visiting a site with stored login information. Flashpoint’s researchers discovered that the extension also auto-fills forms in embedded iframes, even those from external domains.
While the iframe cannot access content from the parent page, it can capture login credentials entered on the form and send them to a remote server without the user’s knowledge.
[Image: Filling both the legitimate website's login form and the external iframe]
Flashpoint reports that the number of high-risk cases where iframes are embedded on login pages of high-traffic websites is low, reducing the likelihood of exploitation.
However, Bitwarden's auto-fill feature also fills credentials on any subdomain of the base domain that matches a stored login, meaning that an attacker could capture the credentials when the victim visits a page on which autofill is enabled.
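To make the two behaviours described above concrete, here is an added example of the policy check a password-manager extension can run before filling a login form. It is not Bitwarden's code; it refuses to fill a form in a frame whose origin differs from the top-level document unless the user has opted in, and it shows how "base domain" matching (which fills on sibling subdomains) differs from strict "host" matching. The `baseDomain()` helper is a constructed simplification that keeps the last two DNS labels; a real client would consult the public suffix list. The stored URI and the scenario URLs are constructed sample values.

```javascript
// Added example (not Bitwarden's code): an autofill policy check of the kind a
// password-manager extension can apply before filling a login form.

// Constructed simplification: keep the last two DNS labels. A real client
// would use the public suffix list so that "co.uk"-style suffixes work.
function baseDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  return labels.slice(-2).join(".");
}

// Does a stored login URI match the URL of the frame holding the form?
// "host" requires the exact hostname; "baseDomain" also matches sibling subdomains.
function uriMatches(storedUri, frameUrl, mode) {
  const stored = new URL(storedUri);
  const frame = new URL(frameUrl);
  if (mode === "host") return stored.hostname === frame.hostname;
  if (mode === "baseDomain") return baseDomain(stored.hostname) === baseDomain(frame.hostname);
  throw new Error(`unknown match mode: ${mode}`);
}

// Decide whether to fill a form, given the top-level page URL and the URL of the
// frame that actually contains the form. Returns a reason for logging either way.
function autofillDecision({ topUrl, frameUrl, storedUris, matchMode = "baseDomain", allowCrossOriginFrames = false }) {
  const top = new URL(topUrl);
  const frame = new URL(frameUrl);
  const crossOrigin = top.origin !== frame.origin;

  // Mitigation for the iframe case: a form served from another origin than the
  // page the user navigated to is not filled unless explicitly allowed.
  if (crossOrigin && !allowCrossOriginFrames) {
    return { fill: false, crossOrigin, reason: `frame origin ${frame.origin} differs from top-level origin ${top.origin}` };
  }

  const matched = storedUris.find((u) => uriMatches(u, frameUrl, matchMode));
  if (!matched) {
    return { fill: false, crossOrigin, reason: `no stored login matches ${frame.hostname} under ${matchMode} matching` };
  }
  return { fill: true, crossOrigin, reason: `matched stored URI ${matched}` };
}

// Constructed scenarios covering the two risks in the article: an external
// iframe embedded on a login page, and a sibling subdomain of the base domain.
const STORED_URIS = ["https://login.example.com/"];
const SCENARIOS = [
  { name: "same-origin form", topUrl: "https://login.example.com/signin", frameUrl: "https://login.example.com/signin" },
  { name: "external iframe, default policy", topUrl: "https://login.example.com/signin", frameUrl: "https://evil.test/capture" },
  { name: "external iframe, cross-origin allowed", topUrl: "https://login.example.com/signin", frameUrl: "https://evil.test/capture", allowCrossOriginFrames: true },
  { name: "sibling subdomain, base-domain matching", topUrl: "https://pages.example.com/", frameUrl: "https://pages.example.com/" },
  { name: "sibling subdomain, host matching", topUrl: "https://pages.example.com/", frameUrl: "https://pages.example.com/", matchMode: "host" },
];

function runScenarios() {
  return SCENARIOS.map((s) => ({ name: s.name, ...autofillDecision({ storedUris: STORED_URIS, ...s }) }));
}

for (const r of runScenarios()) {
  console.log(`${r.fill ? "FILL  " : "REFUSE"} ${r.name}: ${r.reason}`);
}
```

The third scenario is worth noting: even with cross-origin frames allowed, the external frame is still refused because its hostname does not match any stored login. The fourth scenario is the subdomain behaviour the article warns about; switching `matchMode` to `"host"` (fifth scenario) closes it at the cost of not filling on legitimate sibling subdomains.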
Bitwarden acknowledges the risk of autofill and includes a warning in its documentation about the potential for compromised sites to exploit the feature.
Despite being aware of the security problem since 2018, Bitwarden’s engineers have decided to keep the behavior unchanged and add a warning to the extension’s relevant settings menu.
While Bitwarden’s auto-fill feature is not enabled by default, users should be aware of the risk and only enable auto-fill on trusted websites.
Bitwarden has promised to block autofill on the reported hosting environment in a future update, but the iframe functionality will remain unchanged.
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among other credentials, he holds the CISSP, CISA, CISM, ITIL, COBIT and PRINCE2 certifications, but his knowledge and technical management capabilities go beyond these. He enjoys acquiring new skills in penetration testing, cloud technologies, virtualization, network security, IoT and more.