Bitwarden addresses autofill issue that could be exploited to steal logins

Bitwarden plans to roll out an update to its applications soon that addresses an autofill issue that threat actors could exploit to steal login information.

Bitwarden is a popular password management solution that is available for all major desktop and mobile platforms, as well as on the web directly. Like many competing products, Bitwarden supports convenience features to make the life of its users easier.

One of these features is the ability to auto-fill login information on websites to sign the user in automatically. The functionality is not enabled by default, but users may enable it in the application's settings. To Bitwarden's credit, it displays a warning next to the setting that the feature could potentially be exploited by compromised or untrusted websites.

Security researchers at Flashpoint discovered an issue with auto-fill that could be exploited to steal login information passively. All a user would have to do is visit a specially prepared website with auto-fill enabled. Bitwarden's auto-fill fills login forms inside iframes (embedded webpages), including iframes that do not belong to the page the user actually visited, and its default matching also covers subdomains. Flashpoint noted that an attacker who controls such an iframe or subdomain could capture the filled-in credentials and forward them to a remote server.


Bitwarden's fix

Bitwarden created a fix for the issue that is documented in the company's official GitHub repository. Bitwarden engineers addressed the issue by changing how autofill on page load works. It will still fill out login data automatically, but only into frames on trusted domains. When users fill out data manually, they get a warning prompt if the iframe is untrusted.

In other words, Bitwarden's auto-fill functionality now has the following characteristics:
  • Auto-fill on page load remains disabled by default, just like before.
  • When a user enables the feature, Bitwarden will fill automatically only for trusted domains and URLs that the user added specifically to the vault entry. Trusted domains include domains that match the URL the user visited in the browser.
  • Bitwarden users who trigger auto-fill manually get a warning if they try to fill into an untrusted iframe. The application displays the iframe's URL in a popup, giving the user the option to proceed or cancel.
Bitwarden says that this "eliminates the iframe attack vector while still allowing convenient autofill functionality for sites that have trusted iframes".
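To make the before-and-after concrete, here is an added example that models the trust decision the fix describes. It is not Bitwarden's code and the matching rules are assumptions chosen for illustration: the base domain is approximated as the last two DNS labels, the frame is trusted if it is same-origin with the tab, shares the tab's base domain, or matches a URI saved on the vault entry; the scenario URLs (bank.example, attacker.example, shop.example, payments.example) are constructed.

```javascript
// Added example (not Bitwarden's code): a simplified model of the autofill
// trust decision described in the article. The matching rules are assumptions
// made for illustration; a real extension must consult the Public Suffix List
// and honour the per-entry URI match setting.

// Assumption: approximate the registrable (base) domain as the last two DNS
// labels. Fine for "bank.example"; wrong for suffixes like "co.uk" or
// "github.io", which need the Public Suffix List.
function baseDomain(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// Is the frame that contains the login form trusted for this tab?
function frameTrust({ topUrl, frameUrl, entryUris }) {
  const top = new URL(topUrl);
  const frame = new URL(frameUrl);
  if (frame.origin === top.origin) {
    return { trusted: true, reason: 'frame is same-origin with the tab' };
  }
  if (baseDomain(frame.hostname) === baseDomain(top.hostname)) {
    return { trusted: true, reason: "frame shares the tab's base domain" };
  }
  const savedDomains = entryUris.map((u) => baseDomain(new URL(u).hostname));
  if (savedDomains.includes(baseDomain(frame.hostname))) {
    return { trusted: true, reason: 'frame matches a URI saved on the entry' };
  }
  return { trusted: false, reason: `${frame.origin} is not trusted on ${top.origin}` };
}

// Pre-fix behaviour as the article describes it: the entry is matched against
// the tab URL only, so any login form in any frame on the page gets filled.
function legacyDecision({ topUrl, entryUris }) {
  const tabDomain = baseDomain(new URL(topUrl).hostname);
  const matches = entryUris.some((u) => baseDomain(new URL(u).hostname) === tabDomain);
  return matches ? 'fill' : 'skip';
}

// Post-fix behaviour: on page load, fill only trusted frames; on a manual
// fill into an untrusted frame, prompt the user with the frame's URL instead.
function autofillDecision(ctx, trigger) {
  const { trusted } = frameTrust(ctx);
  if (trigger === 'pageload') return trusted ? 'fill' : 'skip';
  if (trigger === 'manual') return trusted ? 'fill' : 'prompt';
  throw new Error(`unknown trigger ${trigger}`);
}

// Constructed scenarios (hypothetical hosts).
const hostileFrame = {
  topUrl: 'https://bank.example/login',
  frameUrl: 'https://attacker.example/collect', // attacker-controlled iframe on the bank page
  entryUris: ['https://bank.example/'],
};
const ownFrame = {
  topUrl: 'https://bank.example/login',
  frameUrl: 'https://auth.bank.example/form', // the site's own login iframe
  entryUris: ['https://bank.example/'],
};
const savedThirdParty = {
  topUrl: 'https://shop.example/checkout',
  frameUrl: 'https://checkout.payments.example/frame', // third party the user saved on the entry
  entryUris: ['https://shop.example/', 'https://payments.example/'],
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, ctx] of Object.entries({ hostileFrame, ownFrame, savedThirdParty })) {
    console.log(name, 'legacy:', legacyDecision(ctx),
      'pageload:', autofillDecision(ctx, 'pageload'),
      'manual:', autofillDecision(ctx, 'manual'),
      '(' + frameTrust(ctx).reason + ')');
  }
}
```

Running it shows the point of the fix: `hostileFrame` is filled by the legacy rule (the tab matches the entry, so the form inside attacker.example's iframe receives bank.example's credentials), while the new rule skips it on page load and prompts on a manual fill. Note that the two-label base-domain heuristic also makes the separate subdomain concern visible: a form on a hostile subdomain of the same base domain would still be trusted here, which is governed by the entry's URI match setting rather than by the iframe fix.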

Bitwarden users who have autofill on page load enabled do not need to do anything to benefit from the new behavior. Next week's Bitwarden update includes the updated autofill on page load logic for all users of the password manager.

We have updated the original article to reflect the change.

Closing Words

Bitwarden reacted swiftly to the report and found a solution that keeps the convenient feature while improving protection for its users.