One of the most popular free password managers has a major security flaw that could allow hackers to steal your credentials in an identity theft attack.
The autofill feature in the Bitwarden open-source password manager is the root of the problem, allowing malicious inline frames (iframes) embedded within trusted websites to capture your login details.
Security analysis firm Flashpoint discovered the flaw, but says Bitwarden knew about it as far back as 2018 and chose not to change the behaviour, so that autofill would keep working on popular websites that use iframes.
Iframes are HTML elements that are used to embed another webpage within the current one. They are commonly used for advertisements, web analytics, videos and interactive content.
Flashpoint discovered that when using the autofill feature – which is turned off by default in Bitwarden – on a webpage with an iframe, the credentials are automatically filled into the login form on the parent page and then also into forms inside the iframe. If that iframe is malicious and controlled by hackers, they can steal your credentials. This happens even if the iframe is loaded from an external domain.
“While the embedded iframe does not have access to any content in the parent page, it can wait for input to the login form and forward the entered credentials to a remote server without further user interaction,” Flashpoint said.
However, Flashpoint found that the risk of such an attack was low as many legitimate and popular websites do not contain iframes on their login pages.
More concerning, though, was that Bitwarden’s autofill feature would also operate on any subdomain of a base domain for which you have a saved username and password.
These subdomains can be used in phishing scams, where threat actors create fake pages on subdomains of legitimate websites to steal your details. Flashpoint says this is possible because “some content hosting providers allow hosting arbitrary content under a subdomain of their official domain, which also serves their login page”.
Free hosting sites allow this kind of subdomain creation. Many legitimate domains do not let third parties register subdomains under them, but even in that case a subdomain could still be hijacked by a hacker.
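To make the two behaviours described above concrete (filling every frame once the top-level page matches, and matching on the base domain rather than the exact host), here is an added illustration in JavaScript. It is not Bitwarden's code and does not reproduce its real matching logic; the policy names, the stand-in public-suffix list and the sample URLs are all constructed for this example. It shows which frames of a login page would receive a saved credential under each combination of URI policy and frame policy, so a defender can see why a cross-origin iframe or an arbitrary-content subdomain ends up with the credential.

```javascript
// Added illustration (not Bitwarden's code): how a password manager's
// URI-match policy and frame policy together decide which frames on a
// page receive a saved login. All names and sample data are constructed.

// Constructed stand-in for the Public Suffix List; a real matcher must use
// the full list (github.io is a public suffix, so a.github.io and
// b.github.io are different registrable domains).
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "co.uk", "github.io"]);

// Registrable ("base") domain: the label directly beneath the longest
// public suffix that ends the hostname.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(i - 1).join(".");
    }
  }
  return hostname.toLowerCase();
}

// URI policy: does the saved login's URL match this URL?
//   "host"       - exact host match (hostname plus port)
//   "baseDomain" - any host under the same registrable domain
function matches(uriPolicy, savedUrl, url) {
  const saved = new URL(savedUrl);
  const target = new URL(url);
  switch (uriPolicy) {
    case "host":
      return saved.host === target.host;
    case "baseDomain":
      return registrableDomain(saved.hostname) === registrableDomain(target.hostname);
    default:
      throw new Error(`unknown URI policy ${uriPolicy}`);
  }
}

// Frame policy (hypothetical names):
//   "allFrames" - once the top-level document matches, every frame is filled
//                 (the behaviour the article describes)
//   "perFrame"  - each frame's own URL must match the saved login
// frameUrls[0] is the top-level document; the rest are its iframes.
function auditFrames(uriPolicy, framePolicy, savedUrl, frameUrls) {
  const topOrigin = new URL(frameUrls[0]).origin;
  const topMatches = matches(uriPolicy, savedUrl, frameUrls[0]);
  return frameUrls.map((url) => ({
    url,
    crossOrigin: new URL(url).origin !== topOrigin,
    wouldFill: framePolicy === "allFrames"
      ? topMatches
      : matches(uriPolicy, savedUrl, url),
  }));
}

// Frames that receive the credential although they are not the top document's origin.
function riskyFills(uriPolicy, framePolicy, savedUrl, frameUrls) {
  return auditFrames(uriPolicy, framePolicy, savedUrl, frameUrls)
    .filter((f) => f.crossOrigin && f.wouldFill)
    .map((f) => f.url);
}

// Constructed sample: a login page at example.com that embeds a same-site
// subdomain frame and a third-party frame.
const SAVED_LOGIN = "https://example.com/login";
const LOGIN_PAGE_FRAMES = [
  "https://example.com/login",         // top-level document
  "https://widgets.example.com/embed", // cross-origin, same base domain
  "https://example.org/analytics",     // third party, different base domain
];

// Constructed sample: a hosting-provider subdomain serving arbitrary content.
const SUBDOMAIN_PAGE = "https://user-content.example.com/page";

if (typeof require !== "undefined" && require.main === module) {
  for (const uriPolicy of ["baseDomain", "host"]) {
    for (const framePolicy of ["allFrames", "perFrame"]) {
      console.log(uriPolicy, framePolicy, "cross-origin frames filled:",
        riskyFills(uriPolicy, framePolicy, SAVED_LOGIN, LOGIN_PAGE_FRAMES));
    }
    console.log(uriPolicy, "fills subdomain page:",
      matches(uriPolicy, SAVED_LOGIN, SUBDOMAIN_PAGE));
  }
}
```

Running the block shows the two findings side by side: with the base-domain policy and all frames filled, even the third-party example.org frame receives the credential; tightening to a per-frame check removes the third-party frame but still fills the widgets.example.com frame and the user-content.example.com page, and only the exact-host policy stops those as well.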
Bitwarden does issue a warning when you go to turn on its autofill feature, stating that “compromised or untrusted websites could take advantage of this to steal credentials.”
Despite the risk of iframe exploitation being announced in November 2018, Bitwarden decided to keep the autofill feature working on login pages with iframes, since many popular websites do use them: “for example icloud.com uses an iframe from apple.com”, Bitwarden told BleepingComputer.
However, when it comes to autofilling forms on subdomains, Bitwarden said it will issue an update in future to prevent autofill on hosting environments that allow this.