Bitwarden flaw can let hackers steal passwords using iframes

Bitwarden’s credentials autofill feature contains a risky behavior that could allow malicious iframes embedded in trusted websites to steal people’s credentials and send them to an attacker.

The issue was reported by analysts at Flashpoint, who said Bitwarden first learned of the problem in 2018 but chose to allow it to accommodate legitimate sites that use iframes.

Although the auto-fill feature is disabled on Bitwarden by default, and the conditions to exploit it aren’t abundant, Flashpoint says there are still websites that meet the requirements where motivated threat actors can attempt to exploit these flaws.

(Un)conditional auto-fill

Bitwarden is a popular open-source password management service with a web browser extension that stores secrets like account usernames and passwords in an encrypted vault.

When its users visit a website, the extension detects if there’s a stored login for that domain and offers to fill in the credentials. If the auto-fill option is enabled, it fills them automatically upon the page load without the user having to do anything.

While analyzing Bitwarden, Flashpoint’s researchers discovered that the extension also auto-fills forms defined in embedded iframes, even those from external domains.

Filling both the legitimate website’s login form and the external iframe (Flashpoint)

“While the embedded iframe does not have access to any content in the parent page, it can wait for input to the login form and forward the entered credentials to a remote server without further user interaction,” explains Flashpoint.

Flashpoint investigated how often iframes are embedded on login pages of high-traffic websites and reported that the number of risky cases was very low, significantly decreasing the risk.

However, a second issue discovered by Flashpoint while investigating the iframes problem is that Bitwarden will also auto-fill credentials on subdomains of the base domain matching a login.

This means an attacker hosting a phishing page under a subdomain that matches a stored login for a given base domain will capture the credentials upon the victim visiting the page if autofill is enabled.

“Some content hosting providers allow hosting arbitrary content under a subdomain of their official domain, which also serves their login page,” explains Flashpoint in the report.

“As an example, should a company have a login page at https://logins.company.tld and allow users to serve content under https://<clientname>.company.tld, these users are able to steal credentials from the Bitwarden extensions.”

Registering a subdomain that matches the base domain of a legitimate website is not always possible, so the severity of the problem is reduced.

However, some services allow users to create subdomains to host content, such as free hosting services, and the attack is still possible through subdomain hijacking.

Bitwarden’s response

Bitwarden highlights that the autofill feature is a potential risk and even includes a prominent warning in its documentation, specifically mentioning the likelihood of compromised sites abusing the autofill feature to steal credentials.

Warning about auto-fill dangers in Bitwarden documentation (BleepingComputer)

This risk was first brought to light in a security assessment dated November 2018, so Bitwarden has been aware of the security problem for some time now.

However, since users need to log in to services using embedded iframes from external domains, Bitwarden’s engineers decided to keep the behavior unchanged and add a warning on the software’s documentation and the extension’s relevant settings menu.

Warning on the extension’s auto-fill setting
(BleepingComputer)

Responding to Flashpoint’s second report about the URI handling and how auto-fill treats subdomains, Bitwarden promised to block autofill on the reported hosting environment in a future update but do not plan on changing the iframe functionality.

When BleepingComputer contacted Bitwarden about the security risk, they confirmed that they have known about this issue since 2018 but have not changed the functionality as login forms on legitimate sites use iframes.

“Bitwarden accepts iframe auto filling because many popular websites use this model, for example icloud.com uses an iframe from apple.com,” Bitwarden told BleepingComputer in a statement.

“So there are perfectly valid use cases where login forms are in an iframe under a different domain.”

“The feature described for autofill in the blog post is NOT enabled by default in Bitwarden and there is a warning message on that feature for exactly this reason within the product, and within the help documentation. https://bitwarden.com/help/auto-fill-browser/#on-page-load.”

Comments

nauip – 2 days ago
Why is this a “flaw” with Bitwarden?

Auto-fill wasn’t on by default the many times I’ve set it up (for myself and others). Is it a flaw with seatbelts that if you choose not to use them you can go through the windshield?
realmotang – 1 day ago
Guess I will need to turn off auto-fill. *sigh*
DrkKnight – 1 day ago
I have never used auto-fill , Not just Bitwarden but I suspect would be a flaw with any password manager.
krox – 1 day ago
Not a flaw. A risky feature that they warn you with big scary letters before you’re able to turn it on.
billybob5432 – 1 day ago
Not a flaw, and it’s off by default. The “security” website you found trying to turn this into an issue is trying to sell their service. You’d be better off just deleting this article. It serves no purpose other than to spread FUD generated by someone who doesn’t have a basic grasp of how things work.
Hammerfest – 1 day ago
Yep, not really a flaw, and I knew the risk when I turned it on.

Then again, I use BitWarden so I can have a different email/username and random password for every single site, so GLWT getting anything good off my one site iframe.