In addition, Bitwarden has known about this risk since 2018 but decided to allow it to accommodate legitimate sites that use iframes. Moreover, Bitwarden emphasizes that the auto-fill feature is a potential risk that is disabled by default and even includes a security warning in its documentation. However, some services allow users to create subdomains to host content, such as free hosting services, and an attack is still possible via subdomain hijacking. But, since it is not always possible to register a sub-domain that corresponds to the primary domain of an authorized website, the severity of the issue is lessened. So, it can be abused by attackers' hosted phishing page under a sub-domain that matches a stored login for a given base domain and will capture the credentials upon the victim visiting the page if the auto-fill feature is enabled. However, it has been observed that iframes embedded on login pages of high-traffic websites were very low, significantly decreasing the risk.įurthermore, Flashpoint discovered a second issue, that Bitwarden also auto-fill credentials on sub-domains of the base domain matching a login. While the embedded iframe does not have access to any content on the parent page, it can wait for input to the login form and forward the entered credentials to a remote server without further user interaction.
The extension detects if there's a stored login for the domain visited and offers to fill in the credentials, and if the auto-fill option is enabled, then it fills them automatically upon the page load without the user's action.Īccording to the Flashpoint report, the Bitwarden browser extension also auto-fills forms defined in the embedded iframes and even from external domains. Bitwarden is a popular open-source password management platform with a web browser extension that stores secrets like account usernames and passwords in an encrypted vault. Cybersecurity company, Flashpoint, reported about tricky behavior of Bitwarden's credentials autofill feature that allows malicious iframes embedded in trusted websites to steal people's credentials.
0 kommentar(er)
