One of the most popular free password managers has a serious security flaw that could allow hackers to steal your credentials and, with them, your identity.
The autofill feature in the open-source password manager Bitwarden is at the root of the problem: it allows malicious inline frames (iframes) embedded in trusted websites to intercept login credentials.
Security analysis company Flashpoint discovered the vulnerability, but says Bitwarden has known about it since 2018 and chose not to fix it so that autofill would keep working on popular websites that use iframes.
Iframe hack
Iframes are HTML elements used to embed another web page into the current one. They are commonly used for advertising, web analytics, videos and interactive content.
Flashpoint discovered that when the autofill feature (which is disabled by default in Bitwarden) is used on a page containing an iframe, the credentials are filled into the login form on the parent page and then also into any forms on the iframed page, even if the iframe comes from an external domain. If that iframe is malicious and controlled by hackers, they can steal your credentials.
“While the embedded iframe doesn’t have access to any content on the parent page, it can wait for input in the login form and pass the entered credentials to a remote server without further user interaction,” Flashpoint said.
However, Flashpoint found that the risk of such an attack is low, because many legitimate and popular sites do not embed iframes on their login pages.
More troubling, however, was that Bitwarden’s autofill feature would even work on subdomains of primary domains for which you have a saved username and password.
These subdomains can be used in phishing scams where cybercriminals create fake pages using the subdomains of a legitimate website to steal your data. Flashpoint says this is possible because “some hosting providers allow you to host any content under a subdomain of their official domain, which also hosts their login page.”
Free hosting sites allow this kind of subdomain creation. Many legitimate domains do not let outsiders register subdomains under them, but even then a subdomain can still be hijacked by a hacker.
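As an added illustration of the two checks the article describes (this is not Bitwarden's code; the hostnames and the shared-hosting list are constructed), here is a frame-aware autofill policy that refuses to fill a form whose frame origin differs from the saved login, and that treats subdomains of shared-hosting domains as untrusted:

```javascript
// Added example, not Bitwarden's implementation.
// Constructed stand-in for a public-suffix-style list of domains under which
// untrusted parties can host their own pages (free hosting, etc.).
const SHARED_HOSTING_DOMAINS = ["example-hosting.test"];

function hostOf(url) {
  return new URL(url).hostname.toLowerCase();
}

// Registrable ("base") domain: last two labels, e.g. login.icloud.com -> icloud.com.
// Simplification: production code must consult the Public Suffix List (co.uk, ...).
function baseDomain(host) {
  return host.split(".").slice(-2).join(".");
}

// Does the page host "match" the host the login was saved for?
// - the exact host always matches
// - a subdomain of the saved base domain matches only when that base domain is
//   not a shared-hosting domain where strangers can register subdomains
function hostMatches(savedHost, pageHost) {
  if (savedHost === pageHost) return true;
  const base = baseDomain(savedHost);
  if (SHARED_HOSTING_DOMAINS.includes(base)) return false;
  return pageHost === base || pageHost.endsWith("." + base);
}

// savedUrl: URL the login was saved for; topUrl: the top-level document;
// frameUrl: the document that owns the login form (equal to topUrl when the
// form is not inside an iframe); trustedFrameHosts: optional per-site
// exceptions for legitimate cross-domain login frames.
function shouldAutofill(savedUrl, topUrl, frameUrl, trustedFrameHosts = []) {
  const saved = hostOf(savedUrl);
  const top = hostOf(topUrl);
  const frame = hostOf(frameUrl);
  // The parent page itself must be the site the login belongs to.
  if (!hostMatches(saved, top)) {
    return { fill: false, reason: "top-level page does not match saved login" };
  }
  // A form inside a frame is filled only if the frame's own host also matches
  // (or is an explicit exception): a third-party iframe embedded in a trusted
  // page must never receive the secret.
  if (!hostMatches(saved, frame) && !trustedFrameHosts.includes(frame)) {
    return { fill: false, reason: "form is in a frame from another origin" };
  }
  return { fill: true, reason: "ok" };
}
```

Legitimate cross-domain cases such as the icloud.com page embedding an apple.com frame are handled by an explicit per-site exception rather than by trusting every frame a matching parent page embeds.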
Bitwarden gives you a warning when you enable the autofill feature, stating that “hacked or untrusted websites can use this to steal your credentials.”
Despite the iframe risk having been reported in November 2018, Bitwarden decided to keep autofill working on login pages with iframes because many popular websites use them; “for example, icloud.com uses an iframe from apple.com,” Bitwarden told BleepingComputer.
However, when it comes to autofilling forms on subdomains, Bitwarden said it will release an update in the future to prevent autofilling in hosting environments that allow it.