Bitwarden addresses autofill issue that could be exploited to steal logins
Bitwarden plans to roll out an update to its applications soon that addresses an autofill issue that threat actors could exploit to steal login information.
Bitwarden is a popular password management solution that is available for all major desktop and mobile platforms, as well as on the web directly. Like many competing products, Bitwarden supports convenience features to make the life of its users easier.
One of these features is the ability to auto-fill login information on websites to sign the user in automatically. The functionality is not enabled by default, but users may enable it in the application's settings. To Bitwarden's credit, it displays a warning next to the setting that the feature could potentially be exploited by compromised or untrusted websites.
Flashpoint security researchers discovered an issue with auto-fill that could be exploited to steal login information passively. All a user would have to do is visit specifically prepared websites and have auto-fill enabled. Bitwarden's auto-fill solution works on iframes, which are embedded webpages, and also on subdomains. Flashpoint noted that attackers could exploit this to forward login information to remote servers.
Bitwarden created a fix for the issue that is documented on the company's official GitHub website. Bitwarden engineers addressed the issue by changing how autofill on page load works. It will still fill out login data automatically, but only on trusted domains. When users fill out data manually, they do get a warning prompt if the iframe is untrusted.
In other words, Bitwarden's auto-fill functionality has the following characteristics now:
- Auto-fill on page load is disabled, just like before.
- When a user enables the feature, Bitwarden will use the feature only for trusted domains and URLs that the user added specifically to the application. Trusted domains include domains that match the URL the user visited in the browser.
- Bitwarden users who use manual auto-fill get a warning if they try to fill in an untrusted iframe. The application displays the URL in a popup, giving the user the option to proceed or cancel.
Bitwarden says that this "eliminates the iframe attack vector while still allowing convenient autofill functionality for sites that have trusted iframes".
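The policy described above, as an added illustration that is not Bitwarden's own code: a decision function that only fills a saved login into the top-level page or a same-site frame (subdomains included), fills into a cross-site frame only if its domain is on a user-maintained trusted list, silently suppresses everything else on page load, and asks the user (showing the frame URL) on a manual fill. The "site" of a hostname is approximated here by its last two labels; a real implementation would use the Public Suffix List.

```javascript
// Added illustration, not Bitwarden's own code: a minimal policy for
// deciding whether a saved login may be filled into a given frame.
// Assumption: the "site" of a hostname is approximated by its last two
// labels; a real implementation would consult the Public Suffix List.
function siteOf(hostname) {
  return hostname.toLowerCase().split('.').filter(Boolean).slice(-2).join('.');
}

// Returns 'fill', 'skip' or 'prompt' (prompt = show the frame URL and let
// the user proceed or cancel). trustedDomains is the user-maintained list
// of cross-site iframe domains that may receive fills without a prompt.
function autofillDecision({ topUrl, frameUrl, vaultUrl, trustedDomains = [], onPageLoad }) {
  const top = new URL(topUrl);
  const frame = new URL(frameUrl);
  const vault = new URL(vaultUrl);

  // The saved login must belong to the page the user actually navigated to.
  if (siteOf(top.hostname) !== siteOf(vault.hostname)) {
    return { action: 'skip', reason: 'page does not match the saved login' };
  }
  // Top-level document or a same-site frame (including subdomains): fill.
  if (siteOf(frame.hostname) === siteOf(top.hostname)) {
    return { action: 'fill', reason: 'same-site frame' };
  }
  // Cross-site frame on a domain the user explicitly trusted: fill.
  const trusted = trustedDomains.some(
    (d) => frame.hostname === d || frame.hostname.endsWith('.' + d)
  );
  if (trusted) {
    return { action: 'fill', reason: 'user-trusted frame domain' };
  }
  // Untrusted cross-site frame: never fill silently on page load; on a
  // manual fill, surface the frame URL and let the user decide.
  if (onPageLoad) {
    return { action: 'skip', reason: 'untrusted frame, page-load fill suppressed' };
  }
  return { action: 'prompt', reason: `untrusted frame ${frame.origin}` };
}
```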
Bitwarden users who have autofill on page load enabled do not need to do anything to benefit from the new feature. Next week's Bitwarden update includes the updated autofill on page load logic for all users of the password manager.
We have updated the original article to reflect the change.
Bitwarden reacted swiftly to the reports and has found a solution to keep the convenient feature while improving protection for its users.