Bleeping Computer is reporting on a weakness in Bitwarden: if autofill is enabled, an iFrame embedded in a trusted website can trick the extension into handing over usernames and passwords.
Allegedly, Bitwarden has known about the issue since 2018 (it is also mentioned in their documentation), but has deemed the behaviour too useful for legitimate websites that do use iFrames to disable it. The problem is that if someone slips an iFrame into a trusted site, they can hijack the autofill data.
Although the autofill feature is disabled in Bitwarden by default, and the conditions needed to exploit it are not common, Flashpoint says there are still websites that meet the requirements, where motivated threat actors can attempt to exploit these flaws.
The problem is that, when enabled, autofill automatically fills in usernames and passwords on known sites. Flashpoint discovered that if an iFrame from a bad actor, containing the same username and password fields, is embedded in the website, Bitwarden will automatically fill in the username and password both in the main form and in the iFrame’s form. There are sites that are legitimately designed this way, although they are, thankfully, relatively rare. But during the investigation, Flashpoint found that a malicious form in an iFrame served from a sub-domain could capture the credentials.
The “saving grace” for Bitwarden is that it will only fill in the iFrame if it belongs to a sub-domain of the same base domain as the original site. For example, if the login information is for “login.mycorp.net”, Bitwarden will also automatically fill in the details on “badboy.mycorp.net”, but it wouldn’t fill them in for “login.badactor.net”. This makes it much harder to exploit, but not impossible - some hosting services allow users to register sub-domains.
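To make the matching rule concrete, here is an added illustration (not Bitwarden’s own code) that models the “same base domain” autofill policy described above beside a stricter per-frame check that only fills the top-level document on an exact host match. It assumes a naive two-label base domain (no public suffix list), and the hosts and frames are constructed sample data taken from the example above.

```javascript
// Added illustration, not Bitwarden's code: a simplified model of the
// "same base domain" autofill policy described in the post, beside a
// stricter check. Assumes a naive two-label base domain (no public suffix list).

// Registrable ("base") domain, naively: the last two labels of the host.
function baseDomain(host) {
  const labels = host.toLowerCase().split(".");
  return labels.slice(-2).join(".");
}

// Loose policy (as described): fill any frame that shares the saved entry's
// base domain, so a sibling sub-domain's iFrame also receives credentials.
function looseMatch(savedHost, frameHost) {
  return baseDomain(savedHost) === baseDomain(frameHost);
}

// Strict policy: fill only when the frame's host exactly equals the saved host
// AND the frame is the top-level document (never an embedded iFrame).
function strictMatch(savedHost, frame) {
  return frame.isTop && frame.host.toLowerCase() === savedHost.toLowerCase();
}

// Return the hosts of the frames that would receive credentials under a policy.
function autofillTargets(savedHost, frames, policy) {
  return frames
    .filter((f) =>
      policy === "loose" ? looseMatch(savedHost, f.host) : strictMatch(savedHost, f)
    )
    .map((f) => f.host);
}

// Constructed sample page: the legitimate top-level login form plus two
// embedded iFrames, one on a sibling sub-domain and one on an unrelated domain.
const SAVED_HOST = "login.mycorp.net";
const FRAMES = [
  { host: "login.mycorp.net", isTop: true },
  { host: "badboy.mycorp.net", isTop: false },
  { host: "login.badactor.net", isTop: false },
];

console.log("loose :", autofillTargets(SAVED_HOST, FRAMES, "loose"));
console.log("strict:", autofillTargets(SAVED_HOST, FRAMES, "strict"));
```

Under the loose policy the sibling sub-domain’s iFrame is filled as well; under the strict policy only the top-level login form is.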
This risk was first brought to light in a security assessment dated November 2018, so Bitwarden has been aware of the security problem for some time now.
However, since some users need to log in to services using iframes embedded from external domains, Bitwarden’s engineers decided to keep the behavior unchanged and add a warning in the software’s documentation and in the extension’s relevant settings menu.
This is a problem, but it isn’t a massive problem. The attacker has to have already managed to register/take over a valid sub-domain of the original domain in order for the attack to work.
“Some content hosting providers allow hosting arbitrary content under a subdomain of their official domain, which also serves their login page,” explains Flashpoint in the report.
“As an example, should a company have a login page at https://logins.company.tld and allow users to serve content under https://clientname.company.tld, these users are able to steal credentials from the Bitwarden extensions.”
The issue is already well documented, and Bitwarden does display a prominent warning if users try to turn on the feature. If the feature is disabled and you only have Bitwarden fill in the visible form field when you are actually logging in, the iFrame cannot grab the credentials.
This looks like a minor issue and the default configuration of Bitwarden would block this behaviour. If you have autofill enabled, you might want to think twice and disable it. But this is in no way an issue where you need to abandon Bitwarden or shy away from password managers in general.
Bitwarden have said they will block the reported bad sub-domains in an upcoming release, but they will not disable the iFrame feature at this time.
So, if autofill is not essential to your workflow, turn it off and use the extra click to manually get Bitwarden to fill in the username and password in the correct fields.