You better keep this Bitwarden setting turned off
The Bitwarden password manager, like many password managers, supports auto-fill on page load. It is disabled by default, and there is a reason for that: once enabled, Bitwarden fills in login information automatically when a page loads, without any user action.
This convenience feature is safe to use on most websites and it speeds up the login process for Bitwarden users. Along with that convenience, however, it introduces an issue that could be exploited under certain circumstances.
Update: Bitwarden has created a fix for the issue. You can read about it here.
Some websites use iframes for login forms. An iframe loads another HTML page within the current document. Apple does so on its iCloud website, by loading an iframe from its main website.
It is this use of iframes that could be exploited under certain conditions. An attacker would have to inject a malicious iframe into a legitimate website to take advantage of it.
Bleeping Computer discovered that the issue was reported to Bitwarden in 2018 by Flashpoint.
Threat actors could exploit Bitwarden's auto-fill feature by planting malicious iframes into trusted websites to steal credentials. The attack has several preconditions: Bitwarden users need to enable auto-fill on page load in the settings, then visit a site that contains an embedded malicious iframe, and have a login saved for that site.
Flashpoint researchers discovered that Bitwarden's auto-fill functionality fills out forms in embedded iframes, even if these come from external domains. The company explained back then that attackers could forward the login information filled into the embedded iframe to remote servers without further user interaction.
The researchers also discovered that Bitwarden's auto-fill feature would fill out logins on subdomains of a saved site.
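As an added illustration, not Bitwarden's own code and not the fix it shipped, here is a minimal fill policy that a browser-extension content script could apply to avoid the two behaviours described above (filling into a cross-origin iframe, and matching any subdomain of a saved site). The URLs, the `autofillDecision` function and its `allowSubdomains` option are constructed for this example.

```javascript
// Added example (not Bitwarden's code): decide whether a login form may be
// auto-filled on page load. All inputs are constructed for illustration.
//   topUrl   - location of the top-level document the user navigated to
//   frameUrl - location of the document that actually contains the login
//              form (equal to topUrl when the form is not inside an iframe)
//   savedUrl - URL stored with the vault entry being considered
function autofillDecision(topUrl, frameUrl, savedUrl, opts = {}) {
  const allowSubdomains = opts.allowSubdomains === true; // hypothetical opt-in
  const top = new URL(topUrl);
  const frame = new URL(frameUrl);
  const saved = new URL(savedUrl);

  // 1. Never fill a form that lives in an iframe whose origin differs from
  //    the top-level page: that is the scenario described in the article.
  //    URL.origin is scheme + host + port, and is "null" for about:blank or
  //    srcdoc frames, which therefore also fail this check.
  if (frame.origin !== top.origin) {
    return { fill: false, reason: "cross-origin iframe" };
  }

  // 2. Only fill over HTTPS; a cleartext copy of the page is not trusted.
  if (frame.protocol !== "https:") {
    return { fill: false, reason: "not https" };
  }

  // 3. The host must match the saved entry exactly. Subdomain matching is
  //    opt-in per entry rather than the default, so a saved login for
  //    example.com does not get filled on any arbitrary host under it.
  const hostMatches =
    frame.hostname === saved.hostname ||
    (allowSubdomains && frame.hostname.endsWith("." + saved.hostname));
  if (!hostMatches) {
    return { fill: false, reason: "host mismatch" };
  }

  return { fill: true, reason: "same-origin, host matches saved entry" };
}
```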
Bitwarden auto-fill on page load
The on page load auto-fill feature is available in Bitwarden's browser extensions. It is disabled by default and needs to be turned on by the user explicitly.
This is done by selecting Settings in the Bitwarden extension and then the Auto-fill option. Checking "Auto-fill on page load" enables the feature in the browser.
Bitwarden displays a warning under the setting: "If a login form is detected, auto-fill when the web page loads. Warning: Compromised or untrusted websites can exploit auto-fill on page load".
Once the feature is enabled, its behaviour can be refined. Bitwarden users have two main options:
- Auto-fill on page load -- uses the auto-fill feature on all sites automatically. An option to disable it on certain sites is provided.
- Do not auto-fill on page load -- disables the auto-fill feature by default. Includes options to enable it for select sites only.
Recommendation
Most Bitwarden users may want to keep the feature turned off. There is a reason it is disabled by default, and while attacks are not very likely, the risk is still one that users need to consider. It remains easy enough to sign in to sites and services using Bitwarden, even if auto-fill on page load is not enabled. Many users may not even be aware that such a feature exists.
Now You: do you use auto-fill functionality in your password manager?
Not a flaw. Feature is turned off by default. This is a so-called ‘security’ firm trying to sell their service by spreading FUD.
Is the same true of LastPass’s autofill feature?
If you’re using LastPass, you have other issues to worry about.