Bitwarden’s credential autofill feature contains risky behavior that could allow malicious iframes embedded on trusted websites to steal people’s credentials and send them to an attacker.
The issue was reported by analysts at Flashpoint, who said Bitwarden first learned of the problem in 2018 but chose to allow it in order to accommodate legitimate sites that use iframes.
Although the auto-fill feature is disabled in Bitwarden by default, and the conditions needed to exploit it are not common, Flashpoint says there are still websites that meet the requirements, where motivated threat actors could attempt to exploit these flaws.
Bitwarden is a popular open-source password management service with a web browser extension that stores secrets such as account usernames and passwords in an encrypted vault.
When its users visit a website, the extension detects whether there is a saved login for that domain and offers to fill in the credentials. If the auto-fill option is enabled, it fills them in automatically on page load without the user having to do anything.
While analyzing Bitwarden, Flashpoint’s researchers discovered that the extension also auto-fills forms defined in embedded iframes, even those loaded from external domains.
“While the embedded iframe does not have access to any content in the parent page, it can wait for input to the login form and forward the entered credentials to a remote server without further user interaction,” explains Flashpoint.
Flashpoint investigated how often iframes are embedded on the login pages of high-traffic websites and reported that the number of risky cases was very low, which significantly reduces the risk.
However, a second problem Flashpoint discovered while investigating the iframe issue is that Bitwarden will also auto-fill credentials on subdomains of the base domain that matches a saved login.
This means an attacker hosting a phishing page under a subdomain of a base domain that matches a saved login will capture the credentials as soon as the victim visits the page, if autofill is enabled.
“Some content hosting providers allow hosting arbitrary content under a subdomain of their official domain, which also serves their login page,” explains Flashpoint in the report.
“As an example, should a company have a login page at https://logins.company.tld and allow users to serve content under https://<clientname>.company.tld, these users are able to steal credentials from the Bitwarden extensions.”
Registering a subdomain under the base domain of a legitimate website is not always possible, which reduces the severity of the problem.
However, some services allow users to create subdomains to host content, such as free web hosting services, and the attack is also possible through subdomain hijacking.
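To make the two behaviors above concrete (filling forms inside cross-domain iframes, and matching a saved login against any subdomain of its base domain), here is a small model of the decision a password manager makes before autofilling. This is an added example written for this article; it is not Bitwarden’s code. The match modes are modelled on the commonly documented ones (base domain, host, exact), the base-domain computation is a simplification that takes the last two labels instead of consulting the Public Suffix List, the `fillCrossSiteFrames` policy knob is an assumption introduced here to contrast permissive and strict behavior, and the hostnames `attacker.example` and `clientname.company.tld` are constructed for illustration.

```javascript
// Simplified model of "does this saved login apply to this frame?"
// Added example, not Bitwarden's implementation.

// Simplification: base domain = last two labels. Real implementations use the
// Public Suffix List so that hosts like "example.co.uk" are handled correctly.
function baseDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  return labels.length <= 2 ? labels.join(".") : labels.slice(-2).join(".");
}

// Compare a saved login URI against a candidate document URL under one match mode.
function uriMatches(savedUri, candidateUrl, mode) {
  const saved = new URL(savedUri);
  const cand = new URL(candidateUrl);
  switch (mode) {
    case "base-domain": // any subdomain of the same registrable domain matches
      return baseDomain(saved.hostname) === baseDomain(cand.hostname);
    case "host":        // hostname and port must match exactly
      return saved.host === cand.host;
    case "exact":       // full URL must match
      return saved.href === cand.href;
    default:
      throw new Error(`unknown match mode: ${mode}`);
  }
}

// Decide whether to autofill a form located in `frameUrl` while the tab's
// top-level page is `topUrl` (frameUrl === topUrl for forms in the main document).
// fillCrossSiteFrames (assumed knob): true models the permissive behavior the
// article describes, where a match on the top-level page fills every frame;
// false additionally requires the frame's own document to match the saved login.
function shouldAutofill(savedUri, topUrl, frameUrl, opts) {
  const { mode = "base-domain", fillCrossSiteFrames = true } = opts || {};
  if (!uriMatches(savedUri, topUrl, mode)) return false;
  if (fillCrossSiteFrames) return true;
  return uriMatches(savedUri, frameUrl, mode);
}

// Scenario 1: trusted page embeds an iframe from an attacker-controlled host
// (constructed hostnames).
function iframeScenario(strict) {
  return shouldAutofill(
    "https://www.company.tld/login",
    "https://www.company.tld/",
    "https://attacker.example/form.html",
    { fillCrossSiteFrames: !strict }
  );
}

// Scenario 2: phishing page on a customer subdomain of a provider whose login
// page lives on another subdomain (the example from the Flashpoint report).
function subdomainScenario(mode) {
  const page = "https://clientname.company.tld/index.html";
  return shouldAutofill("https://logins.company.tld/", page, page, { mode });
}

// Scenario 3: the legitimate cross-domain case Bitwarden cites, a login iframe
// from another domain of the same company (illustrative URLs only).
function legitimateIframeScenario(strict) {
  return shouldAutofill(
    "https://www.icloud.com/",
    "https://www.icloud.com/",
    "https://apple.com/",
    { fillCrossSiteFrames: !strict }
  );
}

console.log("iframe, permissive:", iframeScenario(false));        // true  (credentials leak)
console.log("iframe, strict:", iframeScenario(true));             // false
console.log("subdomain, base-domain:", subdomainScenario("base-domain")); // true (leak)
console.log("subdomain, host:", subdomainScenario("host"));       // false
console.log("legit iframe, strict:", legitimateIframeScenario(true)); // false (breaks the valid case)
```

The strict policy closes both holes in the model, but scenario 3 shows the trade-off the vendor statements below refer to: refusing to fill cross-site frames also refuses the legitimate login-in-an-iframe pattern. Switching the match mode from base domain to host is a per-login change users can make today and is the mitigation that addresses the subdomain case without touching iframe handling.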
Bitwarden acknowledges that the autofill feature is a potential risk and even includes a prominent warning in its documentation, specifically mentioning the possibility of compromised websites abusing the autofill feature to steal credentials.
This risk was first brought to light in a security assessment dated November 2018, so Bitwarden has been aware of the security problem for some time.
However, since users need to log in to services that use embedded iframes from external domains, Bitwarden’s engineers decided to keep the behavior unchanged and add a warning to the software’s documentation and to the relevant settings menu in the extension.
Responding to Flashpoint’s second report about URI handling and how auto-fill treats subdomains, Bitwarden promised to block autofill in the reported hosting environment in a future update but does not plan to change the iframe functionality.
When BleepingComputer contacted Bitwarden about the security risk, the company confirmed that it has known about this issue since 2018 but has not changed the functionality because login forms on legitimate sites use iframes.
“Bitwarden accepts iframe auto filling because many popular websites use this model, for example icloud.com uses an iframe from apple.com,” Bitwarden advised BleepingComputer in a press release.
“So there are perfectly valid use cases where login forms are in an iframe under a different domain.”
“The feature described for autofill in the blog post is NOT enabled by default in Bitwarden and there is a warning message on that feature for exactly this reason within the product, and within the help documentation. https://bitwarden.com/help/auto-fill-browser/#on-page-load.”