Bitwarden flaw can let hackers steal passwords using iframes


Bitwarden’s credentials autofill feature contains a risky behavior that could allow malicious iframes embedded in trusted websites to steal people’s credentials and send them to an attacker.

The issue was reported by analysts at Flashpoint, who said Bitwarden first learned of the problem in 2018 but chose to allow it to accommodate legitimate sites that use iframes.

Although the auto-fill feature is disabled on Bitwarden by default, and the conditions to exploit it aren’t abundant, Flashpoint says there are still websites that meet the requirements where motivated threat actors can attempt to exploit these flaws.

(Un)conditional auto-fill

Bitwarden is a popular open-source password management service with a web browser extension that stores secrets like account usernames and passwords in an encrypted vault.

When its users visit a website, the extension detects if there’s a stored login for that domain and offers to fill in the credentials. If the auto-fill option is enabled, it fills them automatically upon the page load without the user having to do anything.

While analyzing Bitwarden, Flashpoint’s researchers discovered that the extension also auto-fills forms defined in embedded iframes, even those from external domains.

Filling both the legitimate website's login form and the external iframeFilling both the legitimate website’s login form and the external iframe (Flashpoint)

“While the embedded iframe does not have access to any content in the parent page, it can wait for input to the login form and forward the entered credentials to a remote server without further user interaction,” explains Flashpoint.

Flashpoint investigated how often iframes are embedded on login pages of high-traffic websites and reported that the number of risky cases was very low, significantly decreasing the risk.

However, a second issue discovered by Flashpoint while investigating the iframes problem is that Bitwarden will also auto-fill credentials on subdomains of the base domain matching a login.

This means an attacker hosting a phishing page under a subdomain that matches a stored login for a given base domain will capture the credentials upon the victim visiting the page if autofill is enabled.

“Some content hosting providers allow hosting arbitrary content under a subdomain of their official domain, which also serves their login page,” explains Flashpoint in the report.

“As an example, should a company have a login page at and allow users to serve content under https://<clientname>.company.tld, these users are able to steal credentials from the Bitwarden extensions.”

Registering a subdomain that matches the base domain of a legitimate website is not always possible, so the severity of the problem is reduced.

However, some services allow users to create subdomains to host content, such as free hosting services, and the attack is still possible through subdomain hijacking.

Bitwarden’s response

Bitwarden highlights that the autofill feature is a potential risk and even includes a prominent warning in its documentation, specifically mentioning the likelihood of compromised sites abusing the autofill feature to steal credentials.

Warning about auto-fill dangers in Bitwarden documentationWarning about auto-fill dangers in Bitwarden documentation (BleepingComputer)

This risk was first brought to light in a security assessment dated November 2018, so Bitwarden has been aware of the security problem for some time now.

However, since users need to log in to services using embedded iframes from external domains, Bitwarden’s engineers decided to keep the behavior unchanged and add a warning on the software’s documentation and the extension’s relevant settings menu.

Warning on the extension's auto-fill settingWarning on the extension’s auto-fill setting

Responding to Flashpoint’s second report about the URI handling and how auto-fill treats subdomains, Bitwarden promised to block autofill on the reported hosting environment in a future update but do not plan on changing the iframe functionality.

When BleepingComputer contacted Bitwarden about the security risk, they confirmed that they have known about this issue since 2018 but have not changed the functionality as login forms on legitimate sites use iframes.

“Bitwarden accepts iframe auto filling because many popular websites use this model, for example uses an iframe from,” Bitwarden told BleepingComputer in a statement.

“So there are perfectly valid use cases where login forms are in an iframe under a different domain.”

“The feature described for autofill in the blog post is NOT enabled by default in Bitwarden and there is a warning message on that feature for exactly this reason within the product, and within the help documentation.”


  • nauip Photo nauip – 2 days ago

    Why is this a “flaw” with Bitwarden?

    Auto-fill wasn’t on by default the many times I’ve set it up (for myself and others). Is it a flaw with seatbelts that if you choose not to use them you can go through the windshield?

  • realmotang Photo realmotang – 1 day ago

    Guess I will need to turn off auto-fill. *sigh*

  • DrkKnight Photo DrkKnight – 1 day ago

    I have never used auto-fill , Not just Bitwarden but I suspect would be a flaw with any password manager.

  • krox Photo krox – 1 day ago

    Not a flaw. A risky feature that they warn you with big scary letters before you’re able to turn it on.

  • billybob5432 Photo billybob5432 – 1 day ago

    Not a flaw, and it’s off by default. The “security” website you found trying to turn this into an issue is trying to sell their service. You’d be better off just deleting this article. It serves no purpose other than to spread FUD generated by someone who doesn’t have a basic grasp of how things work.

  • Hammerfest Photo Hammerfest – 1 day ago

    Yep, not really a flaw, and I knew the risk when I turned it on.

    Then again, I use BitWarden so I can have a different email/username and random password for every single site, so GLWT getting anything good off my one site iframe.

  • Malwarebytes Anti-Malware Logo

    Malwarebytes Anti-Malware

    Version: 4.5.24 4M+ Downloads

  • AdwCleaner Logo


    Version: 56M+ Downloads

  • Windows Repair (All In One) Logo

    Windows Repair (All In One)

    Version: 4.13.1 2M+ Downloads

  • Everything Desktop Search Logo

    Everything Desktop Search

    Version: 22,364 Downloads

  • Zemana AntiLogger Free Logo

    Zemana AntiLogger Free

    Version: 53,117 Downloads


Related posts

Thousands lured with blue badges in Instagram phishing attack

Sarah Henriquez

Emotet botnet starts blasting malware again after 4 month break

Sarah Henriquez

North Korean hackers stole research data in two-month-long breach

Sarah Henriquez

Leave a Comment