Bitwarden addresses autofill issue that could be exploited to steal logins

Martin Brinkmann
Mar 17, 2023
Security

Bitwarden plans to roll out an update to its applications soon that addresses an autofill issue that threat actors could exploit to steal login information.

Bitwarden is a popular password management solution that is available for all major desktop and mobile platforms, as well as on the web directly. Like many competing products, Bitwarden supports convenience features to make the life of its users easier.

One of these features is the ability to auto-fill login information on websites to sign the user in automatically. The functionality is not enabled by default, but users may enable it in the application's settings. To Bitwarden's credit, it displays a warning next to the setting that the feature could potentially be exploited by compromised or untrusted websites.

Flashpoint security researchers discovered an issue with auto-fill that could be exploited to steal login information passively. All a user would have to do is visit specifically prepared websites and have auto-fill enabled. Bitwarden's auto-fill solution works on iframes, which are embedded webpages, and also on subdomains. Flashpoint noted that attackers could exploit this to forward login information to remote servers.

Bitwarden's fix

Bitwarden created a fix for the issue that is documented on the company's official GitHub website. Bitwarden engineers addressed the issue by changing how autofill on page load works. It will still fill out login data automatically, but only on trusted domains. When users fill out data manually, they do get a warning prompt if the iframe is untrusted.

In other words, Bitwarden's auto-fill functionality has the following characteristics now:

  • Auto-fill on page load remains disabled by default, just like before.
  • When a user enables the feature, Bitwarden fills only into trusted domains and into URLs that the user added specifically to the vault entry. Trusted domains include domains that match the URL the user is visiting in the browser.
  • Bitwarden users who auto-fill manually get a warning if they try to fill into an untrusted iframe. The application displays the iframe's URL in a popup, giving the user the option to proceed or cancel.

Bitwarden says that this "eliminates the iframe attack vector while still allowing convenient autofill functionality for sites that have trusted iframes".
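The policy described above, modelled as an added example (this is illustrative code written for this article, not Bitwarden's implementation): the vault item is selected by the page the user visited, a frame is trusted only if it matches that page or one of the item's own URLs, and an untrusted iframe is silently skipped on page load but prompted for during manual autofill. Domain matching is simplified to the last two host labels (an assumption; a real implementation would consult the public suffix list).

```javascript
// Simplified "same site" test: compare the last two host labels (assumption).
function baseDomain(hostname) {
  const labels = hostname.toLowerCase().split(".").filter(Boolean);
  return labels.slice(-2).join(".");
}

function sameSite(urlA, urlB) {
  return baseDomain(new URL(urlA).hostname) === baseDomain(new URL(urlB).hostname);
}

// mode: "pageload" (automatic) or "manual" (user clicked the extension button).
// topUrl: the page the user is visiting; frameUrl: the frame holding the login
// form (equal to topUrl when the form is not inside an iframe).
// item.uris: the URLs the user stored on the vault entry.
function autofillDecision({ mode, topUrl, frameUrl, item }) {
  // The item is chosen by the page the user actually visited, so a login form
  // embedded on an unrelated site finds no matching item and nothing is filled.
  if (!item.uris.some((u) => sameSite(u, topUrl))) {
    return { action: "skip", reason: "no vault item matches the visited page" };
  }
  // A frame is trusted if it belongs to the visited site or to a URL the user
  // explicitly added to the entry (a "trusted iframe").
  const frameTrusted =
    sameSite(frameUrl, topUrl) || item.uris.some((u) => sameSite(u, frameUrl));
  if (frameTrusted) {
    return { action: "fill", reason: "trusted frame" };
  }
  // Untrusted iframe: page-load autofill does nothing; manual autofill shows the
  // frame's origin so the user can proceed or cancel.
  if (mode === "manual") {
    return { action: "prompt", reason: `untrusted iframe: ${new URL(frameUrl).origin}` };
  }
  return { action: "skip", reason: "untrusted iframe on page load" };
}

// Constructed sample vault entry and scenarios for a stand-alone run.
const bankItem = { uris: ["https://bank.example/login"] };
const scenarios = [
  { mode: "pageload", topUrl: "https://bank.example/login", frameUrl: "https://bank.example/login", item: bankItem },
  { mode: "pageload", topUrl: "https://bank.example/login", frameUrl: "https://ads.tracker.example/f", item: bankItem },
  { mode: "manual", topUrl: "https://bank.example/login", frameUrl: "https://ads.tracker.example/f", item: bankItem },
  { mode: "pageload", topUrl: "https://unrelated.example/", frameUrl: "https://bank.example/login", item: bankItem },
];
for (const s of scenarios) {
  console.log(s.mode, s.frameUrl, "->", JSON.stringify(autofillDecision(s)));
}
```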

Bitwarden users who have autofill on page load enabled do not need to do anything to benefit from the new feature. Next week's Bitwarden update includes the updated autofill on page load logic for all users of the password manager.

We have updated the original article to reflect the change.

Closing Words

Bitwarden reacted swiftly to the reports and has found a solution to keep the convenient feature while improving protection for its users.


Comments

  1. Anonymous said on March 30, 2023 at 2:40 am

    The predictable, and predicted, horror list continues to be filled with password managers. Online password databases hacked, password autofilling being exploited by attack sites to steal passwords…

    Basically storing passwords on Bitwarden allowed any web site to steal them. How is that better than, like, not using Bitwarden ? Why would anyone keep using it after that ?

  2. Wolf said on March 24, 2023 at 4:59 am

    Mive nailed it

  3. BillA said on March 20, 2023 at 5:32 am

    Best practice with any password manager (built into the browser or third party) is to disable auto-signin, which allows you to quickly check the URL before clicking on the login. imo

  4. X said on March 19, 2023 at 10:11 pm

    Sorry, you also goofed right from the start :-))

    1. Anonymous said on March 23, 2023 at 2:04 pm

      I rather use 1Password. It has no such problems.

  5. Tom Hawack said on March 17, 2023 at 6:00 pm

    Good point for Bitwarden for swiftly fixing this autologin issue.

    Bitwarden or another, I never sign in automatically, less for security reasons (of which by the way I was unaware) than for practical ones: I may visit a site for which I have login credentials managed by a password manager and yet not wish to login. Happens often, especially since I quasi-systematically log off implicitly by deleting login cookies upon site exit with the ‘Cookie Autodelete’ extension when applicable.

    It’s really not an unbearable effort to click on an extension’s toolbar button (no idea about Firefox’s native password manager) to fill the login, and above all it requires the user’s attention and therefore his acknowledgement that he IS logged in. I remain excessively aware of automatized processes, be it at the OS level, be it within an application and in particular within a browser.

    1. Tom Hawack said on March 17, 2023 at 6:08 pm

      EDIT, sorry: I forgot to acknowledge what concerns users such as myself who don’t use Bitwarden’s autologin feature, in what will concern them with Bitwarden’s update:

      “Bitwarden users who use manual auto-fill, get a warning if they try to fill in an untrusted iframe. The application displays the URL in a popup, giving the user the option to proceed or cancel.”

      Pertinent. Iframe, unsecure iframe. Anyway, be it a site or a 3rd-party’s iframe, should we ever register on insecure (non-https) sites, delivering email, especially if the email we provide is not a forwarded one? I never have and never will.

  6. Mive said on March 17, 2023 at 5:30 pm

    Bitwarden had to solve a “problem” that doesn’t exist because people were overreacting. LastPass was completely hacked, and users were like “meh, happens”. Logic.

  7. Jason said on March 17, 2023 at 5:09 pm

    This seems like a reasonable compromise to me.
