Bitwarden addresses autofill issue that could be exploited to steal logins
Bitwarden plans to roll out an update to its applications soon that addresses an autofill issue that threat actors could exploit to steal login information.
Bitwarden is a popular password management solution that is available for all major desktop and mobile platforms, as well as on the web directly. Like many competing products, Bitwarden supports convenience features to make the life of its users easier.
One of these features is the ability to auto-fill login information on websites to sign the user in automatically. The functionality is not enabled by default, but users may enable it in the application's settings. To Bitwarden's credit, it displays a warning next to the setting that the feature could potentially be exploited by compromised or untrusted websites.
Flashpoint security researchers discovered an issue with auto-fill that could be exploited to steal login information passively. All a user would have to do is visit specifically prepared websites and have auto-fill enabled. Bitwarden's auto-fill solution works on iframes, which are embedded webpages, and also on subdomains. Flashpoint noted that attackers could exploit this to forward login information to remote servers.
Bitwarden's fix
Bitwarden created a fix for the issue that is documented on the company's official GitHub website. Bitwarden engineers addressed the issue by changing how autofill on page load works. It will still fill out login data automatically, but only on trusted domains. When users fill out data manually, they do get a warning prompt if the iframe is untrusted.
In other words, Bitwarden's auto-fill functionality has the following characteristics now:
- Auto-fill on page load remains disabled by default, just like before.
- When a user enables the feature, Bitwarden will use the feature only for trusted domains and URLs that the user added specifically to the application. Trusted domains include domains that match the URL the user visited in the browser.
- Bitwarden users who use manual auto-fill get a warning if they try to fill in an untrusted iframe. The application displays the iframe's URL in a popup, giving the user the option to proceed or cancel.
Bitwarden says that this "eliminates the iframe attack vector while still allowing convenient autofill functionality for sites that have trusted iframes".
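To make the trust rules above concrete, here is a small added example (written for this article, not Bitwarden's own code) that models the decision as the text describes it: a frame is trusted when its host matches the page the user is on or a URI saved on the login; page-load autofill stays silent for untrusted frames, and manual autofill returns a prompt carrying the frame URL. The vault entries, hostnames and the two-label domain heuristic are constructed assumptions; a real implementation would consult the Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed sample vault (no real credentials): one login and the URIs the
# user saved for it. Saved URIs are trusted targets for that login.
VAULT = {
    "alice@example-bank": {
        "uris": [
            "https://login.example-bank.test/",
            "https://sso.bank-identity.test/",   # identity provider the user added explicitly
        ]
    },
}


def _host(url: str) -> str:
    """Lower-cased hostname of a URL, or '' when there is none (e.g. about:blank)."""
    return (urlsplit(url).hostname or "").lower()


def _same_site(host_a: str, host_b: str) -> bool:
    """Assumption: 'matches the URL the user visited' is approximated as the same
    host or the same last two labels (app.example.test ~ example.test)."""
    if not host_a or not host_b:
        return False
    a, b = host_a.split("."), host_b.split(".")
    return host_a == host_b or (len(a) >= 2 and len(b) >= 2 and a[-2:] == b[-2:])


def frame_is_trusted(top_url: str, frame_url: str, login_id: str, vault=VAULT) -> bool:
    """True if the frame's origin matches the top-level page or a URI saved on the login."""
    frame_host = _host(frame_url)
    if not frame_host:
        return False
    if _same_site(_host(top_url), frame_host):
        return True
    saved = vault.get(login_id, {}).get("uris", [])
    return any(_same_site(_host(u), frame_host) for u in saved)


def autofill_decision(top_url: str, frame_url: str, login_id: str,
                      manual: bool = False, vault=VAULT):
    """Decide what the extension does for a login form inside `frame_url`.

    ("fill", None)      trusted frame: fill silently
    ("skip", frame_url) page-load autofill never fills an untrusted frame
    ("prompt", frame_url) manual fill into an untrusted frame asks the user first,
                        showing the frame URL so they can proceed or cancel
    """
    if frame_is_trusted(top_url, frame_url, login_id, vault):
        return ("fill", None)
    return ("prompt", frame_url) if manual else ("skip", frame_url)


if __name__ == "__main__":
    page = "https://login.example-bank.test/signin"
    for frame in ("https://login.example-bank.test/form",
                  "https://sso.bank-identity.test/login",
                  "https://evil.test/collect"):
        print(frame, "->", autofill_decision(page, frame, "alice@example-bank"),
              autofill_decision(page, frame, "alice@example-bank", manual=True))
```

The third frame in the usage block is the shape of the reported problem: a login page that legitimately matches a saved entry, embedding a frame from an unrelated host. Under the pre-fix behaviour that frame would have been filled on page load; under the modelled rules it is skipped, and a manual fill surfaces its URL for the user to judge.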
Bitwarden users who have autofill on page load enabled do not need to do anything to benefit from the new feature. Next week's Bitwarden update includes the updated autofill on page load logic for all users of the password manager.
We have updated the original article to reflect the change.
Closing Words
Bitwarden reacted swiftly to the reports and has found a solution to keep the convenient feature while improving protection for its users.
The predictable, and predicted, horror list continues to be filled with password managers. Online password databases hacked, password autofilling being exploited by attack sites to steal passwords…
Basically storing passwords on Bitwarden allowed any web site to steal them. How is that better than, like, not using Bitwarden? Why would anyone keep using it after that?
Mive nailed it
Best practice with any password manager (built into the browser or third party) is to disable auto-signin, which allows you to quickly check the URL before clicking on the login. imo
Sorry, you also goofed right from the start :-))
I rather use 1Password. It has no such problems.
Goof point for Bitwarden for swiftly fixing this autologin issue.
Bitwarden or another, I never sign in automatically, less for security reasons (of which by the way I was unaware) than for practical ones: I may visit a site for which I have login credentials managed by a password manager and yet not wish to log in. Happens often, especially as I quasi-systematically log off implicitly by deleting login cookies upon site exit with the ‘Cookie Autodelete’ extension when applicable.
It’s really not an unbearable effort to click on an extension’s toolbar button (no idea about Firefox’s native password manager) to fill the login, and above all it requires the user’s attention and therefore his acknowledgement that he IS logged in. I remain excessively aware of automatized processes, be it at the OS level, be it within an application and in particular within a browser.
EDIT, sorry: I forgot to acknowledge what concerns users such as myself who don’t use Bitwarden’s autologin feature, in what will concern them with Bitwarden’s update:
“Bitwarden users who use manual auto-fill, get a warning if they try to fill in an untrusted iframe. The application displays the URL in a popup, giving the user the option to proceed or cancel.”
Pertinent. Iframe, unsecure iframe. Anyway, be it a site or a 3rd-party’s iframe, should we ever register on insecure (non-https) sites, delivering email, especially if the email we provide is not a forwarded one? I never have and never will.
Bitwarden had to solve a “problem” that doesn’t exist because people were overreacting. LastPass was completely hacked, and users were like “meh, happens”. Logic.
This seems like a reasonable compromise to me.