Bitwarden Autofill Feature Can Expose Passwords to Malicious Attackers

Mar 9, 2023 | News


Bitwarden’s autofill feature has a risky behavior

Bitwarden, an open-source password management service, has come under scrutiny for a risky behavior in its autofill feature that could allow malicious actors to steal users’ login credentials. Flashpoint analysts discovered the issue and reported that Bitwarden had been aware of the problem since 2018 but chose to keep the functionality in order to accommodate legitimate sites that place their login forms in embedded iframes.

Although the auto-fill feature is not enabled by default, and the conditions needed to exploit it are not widespread, motivated threat actors can still attempt to abuse these flaws. Bitwarden’s web browser extension stores account usernames and passwords in an encrypted vault and, if the auto-fill option is enabled, fills in the credentials automatically as soon as a page loads. However, Flashpoint discovered that the extension also auto-fills login forms defined inside embedded iframes, even when those iframes are served from external domains.

[Image] Filling both the legitimate website’s login form and the external iframe (Flashpoint)


Bitwarden Knew of Risky Autofill Behavior Since 2018 But Chose Not to Fix It

Flashpoint explains that the embedded iframe cannot access any content in the parent page, but it can wait for input to its own login form and forward the entered credentials to a remote server without any further user interaction. Flashpoint’s investigation found that the number of risky cases was relatively low, but the analysts discovered a second issue while looking into the iframe problem. Bitwarden auto-fills credentials on any subdomain of the base domain that matches a stored login, which means that an attacker hosting a phishing page under a subdomain of a base domain with a stored login will capture the credentials as soon as the victim visits the page, provided autofill is enabled.
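The two decisions the article describes (fill into a frame from another origin, and fill on any subdomain of the saved login’s base domain) can be modelled as a small policy check. The following is an added example, not Bitwarden’s code; the host names, the `PERMISSIVE_POLICY` and `STRICT_POLICY` objects, and the `autofillDecision` function are constructed for illustration, and `baseDomain` uses a deliberate simplification (last two DNS labels) where a real password manager should consult the Public Suffix List.

```javascript
// Added example, not Bitwarden's code: a model of the two autofill
// decisions the article describes. Host names are constructed for the demo.
// "baseDomain" takes the last two DNS labels, which is a simplification; a
// real implementation should use the Public Suffix List so that names such
// as "example.co.uk" are handled correctly.

function baseDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  return labels.slice(-2).join(".");
}

// Policy resembling the risky behaviour the article describes: fill on any
// subdomain of the saved login's base domain, and in any frame.
const PERMISSIVE_POLICY = { matchBaseDomain: true, fillCrossOriginFrames: true };

// Hardened policy: exact host match, and never fill a form whose frame
// origin differs from the top-level page origin.
const STRICT_POLICY = { matchBaseDomain: false, fillCrossOriginFrames: false };

// Returns { fill: boolean, reason: string } for one autofill request.
function autofillDecision(storedLoginUrl, topUrl, frameUrl, policy) {
  const stored = new URL(storedLoginUrl);
  const top = new URL(topUrl);
  const frame = new URL(frameUrl);

  // Step 1: does the page the user is on match the saved login?
  const hostMatches = policy.matchBaseDomain
    ? baseDomain(top.hostname) === baseDomain(stored.hostname)
    : top.hostname === stored.hostname;
  if (!hostMatches) {
    return {
      fill: false,
      reason: `top-level host ${top.hostname} does not match saved login ${stored.hostname}`,
    };
  }

  // Step 2: is the login form inside a frame served from another origin?
  // A cross-origin frame cannot read the parent page, but anything filled
  // into its own form is fully visible to the script running in that frame.
  const crossOrigin = frame.origin !== top.origin;
  if (crossOrigin && !policy.fillCrossOriginFrames) {
    return { fill: false, reason: `cross-origin frame ${frame.origin} blocked` };
  }
  return {
    fill: true,
    reason: crossOrigin ? `filled cross-origin frame ${frame.origin}` : "filled same-origin form",
  };
}

// Constructed scenarios. "attacker.example" and "user-pages.example.com"
// are placeholders, not real hosts.
const SAVED_LOGIN = "https://example.com/login";

// Scenario 1: legitimate page that embeds a login form from another origin.
function iframeScenario(policy) {
  return autofillDecision(SAVED_LOGIN, "https://example.com/login",
                          "https://attacker.example/embed", policy);
}

// Scenario 2: a page hosted on a subdomain of the saved login's base domain.
function subdomainScenario(policy) {
  return autofillDecision(SAVED_LOGIN, "https://user-pages.example.com/page",
                          "https://user-pages.example.com/page", policy);
}

for (const [name, policy] of [["permissive", PERMISSIVE_POLICY], ["strict", STRICT_POLICY]]) {
  console.log(name, "iframe:", iframeScenario(policy));
  console.log(name, "subdomain:", subdomainScenario(policy));
}
```

Under `PERMISSIVE_POLICY` both scenarios return `fill: true`, which is the behaviour Flashpoint reported; under `STRICT_POLICY` both are refused while a same-origin form on the exact saved host is still filled. For end users the practical mitigation the article implies is to leave autofill-on-page-load disabled and fill credentials manually on the expected site.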

Bitwarden acknowledges that the autofill feature is a potential risk and includes a warning in its documentation that specifically mentions the likelihood of compromised sites abusing the feature to steal credentials. Bitwarden has been aware of the security problem since November 2018, but its engineers decided to keep the behavior unchanged and instead added a warning to the software’s documentation and to the extension’s relevant settings menu. Responding to Flashpoint’s second report, Bitwarden promised to block autofill on the reported hosting environment in a future update but did not plan to change the iframe functionality.

Bitwarden Acknowledges Autofill Risk But Refuses to Change Functionality

When BleepingComputer contacted Bitwarden about the security risk, the company confirmed that it has known about the issue since 2018 but has not changed the functionality because login forms on legitimate sites use iframes. Bitwarden emphasized that the autofill behavior described in the blog post is not enabled by default and that, for exactly this reason, a warning message accompanies the feature both within the product and in the help documentation. Nonetheless, Bitwarden’s autofill feature poses a potential risk to users, and it is up to individuals to weigh the convenience of this feature against its security risks.

[Image] Warning about auto-fill dangers in Bitwarden documentation (BleepingComputer)


Source: bleepingcomputer.com
