Bitwarden autofill & iFrame (minor) issue

Bleeping Computer is reporting on a weakness in Bitwarden that could allow it to be fooled by iFrames in trusted websites hijacking usernames and passwords, if autofill is enabled.

Allegedly, Bitwarden has known about the issue since 2018 (it is also mentioned in their documentation), but has deemed it too useful for legitimate websites that do use iFrames to disable it. The problem is, if someone slips an iFrame into a site that is trusted, they can hijack the autofill data.

Although the auto-fill feature is disabled on Bitwarden by default, and the conditions to exploit it aren’t abundant, Flashpoint says there are still websites that meet the requirements where motivated threat actors can attempt to exploit these flaws.

The problem seems to be that autofill automatically fills in usernames and passwords on known sites, if enabled. Flashpoint discovered that if there is an iFrame from a bad actor embedded into the website with the same username and password fields, Bitwarden will automatically fill in the username and password both on the main form and in the iFrame’s form. There are sites that are designed this way, although they are, thankfully, relatively rare. But during the investigation, Flashpoint found out that a malicious form on a sub-domained iFrame could capture the credentials.

The “saving grace” for Bitwarden is that it will only fill in the iFrame information if it belongs to a sub-domain of the original TLD. E.g. if the login information is for “login.mycorp.net”, Bitwarden will also automatically fill in the details on “badboy.mycorp.net”, but it wouldn’t fill them in for “login.badactor.net”. This makes it much harder to exploit, but not impossible - some hosting services allow users to register sub-domains.

This risk was first brought to light in a security assessment dated November 2018, so Bitwarden has been aware of the security problem for some time now.

However, since users need to log in to services using embedded iframes from external domains, Bitwarden’s engineers decided to keep the behavior unchanged and add a warning on the software’s documentation and the extension’s relevant settings menu.

This is a problem, but it isn’t a massive problem. The attacker has to have already managed to register/take over a valid sub-domain of the original domain in order for the attack to work.

“Some content hosting providers allow hosting arbitrary content under a subdomain of their official domain, which also serves their login page,” explains Flashpoint in the report.

“As an example, should a company have a login page at https://logins.company.tld and allow users to serve content under https://clientname.company.tld, these users are able to steal credentials from the Bitwarden extensions.”

The issue is already well documented and Bitwarden does display a prominent warning if users try and turn on the feature. If the feature is disabled and you just let Bitwarden enter the credentials in the visible form field when you are actually logging in, the iFrame cannot grab the credentials.

This looks like a minor issue and the default configuration of Bitwarden would block this behaviour. If you have autofill enabled, you might want to think twice and disable it. But this is in no way an issue where you need to abandon Bitwarden or shy away from password managers in general.

Bitwarden have said they will block the reported bad sub-domains in an upcoming release, but they will not disable the iFrame feature at this time.

So, if autofill is not essential to your workflow, turn it off and use the extra click to manually get Bitwarden to fill in the username and password in the correct fields.

1 Like

Somewhat disappointed that this flaw has not been fixed in 4 years. If it is so minor, why wouldn't they take care of it?

Because it is used by genuine sites, but can be abused. They decided to leave the feature in the product and warn users instead - it has been documented as a possible weakness since 2018 and there is a warning in the tool itself, if you try and enable it.

2 Likes

This is one of the things Tavis Ormandy of Google was complaining about with all browser extension auto-fill in password managers. I don’t know if it affects other PMs but I bet it does.

Ormandy’s recommendation was to use the browser’s native password manager. Mine is to turn off auto-fill or better yet - if this flaw worries you - not use the browser extension at all. Browser extensions are fraught with peril. Better to cut and paste from the password manager’s app.

4 Likes

Ghacks website reports that Bitwarden is rolling out a fix for this issue.

"Bitwarden created a fix for the issue that is documented on the company’s official GitHub website. Bitwarden engineers addressed the issue by changing how autofill on page load works. It will still fill out login data automatically, but only on trusted domains. When users fill out data manually, they do get a warning prompt if the iframe is untrusted."
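To make the two behaviours discussed in this thread concrete, here is an added example (not Bitwarden's own code, and not taken from the Bleeping Computer, Flashpoint or Ghacks articles) that models the autofill decision for a login form inside an iFrame. The old rule fills any frame whose host shares the saved login's registrable domain (so "clientname.company.tld" gets the credentials for "logins.company.tld"); the fixed rule described in the Ghacks quote fills on page load only into the exact saved host or an explicitly trusted host, and turns a manual fill into anything else into a warning. The function names, the three-state result labels and the tiny public-suffix table are assumptions made for this example; a real implementation would consult the full Public Suffix List.

```javascript
// Added example: models the iFrame autofill decision discussed in the thread.
// Not Bitwarden's code. Names and the suffix table below are assumptions.

// Constructed stand-in for the Public Suffix List: a few multi-label public
// suffixes, so that "example.co.uk" is not mistaken for a subdomain of "co.uk".
const MULTI_LABEL_SUFFIXES = new Set(["co.uk", "com.au", "github.io"]);

// Normalise a hostname: lower-case, strip a trailing dot.
function normaliseHost(hostname) {
  return String(hostname).toLowerCase().replace(/\.$/, "");
}

// Registrable domain (eTLD+1), e.g. "logins.company.tld" -> "company.tld",
// "app.example.co.uk" -> "example.co.uk".
function registrableDomain(hostname) {
  const labels = normaliseHost(hostname).split(".");
  if (labels.length < 2) return labels.join(".");
  const lastTwo = labels.slice(-2).join(".");
  const suffixLabels = MULTI_LABEL_SUFFIXES.has(lastTwo) ? 2 : 1;
  return labels.slice(-(suffixLabels + 1)).join(".");
}

// Legacy behaviour the thread describes: autofill on page load into any frame
// whose host is under the same registrable domain as the saved login.
// This is exactly what lets a user-controlled subdomain receive the fill.
function legacyAutofillAllowed(savedHost, frameHost) {
  return registrableDomain(savedHost) === registrableDomain(frameHost);
}

// Fixed behaviour described in the Ghacks quote, as modelled here:
//   "autofill" - frame host is the saved host or an explicitly trusted host
//   "warn"     - user filled manually into an untrusted frame; show a prompt
//   "block"    - page-load autofill into an untrusted frame; do nothing
// The three labels are assumptions for this example.
function frameFillDecision(savedHost, frameHost, trustedHosts = [], manual = false) {
  const saved = normaliseHost(savedHost);
  const frame = normaliseHost(frameHost);
  const trusted = new Set(trustedHosts.map(normaliseHost));
  if (frame === saved || trusted.has(frame)) return "autofill";
  return manual ? "warn" : "block";
}

// Walk the thread's own scenario: the login lives at logins.company.tld and
// customers can serve content under clientname.company.tld.
function compareScenario(savedHost, frameHost, trustedHosts = []) {
  return {
    legacy: legacyAutofillAllowed(savedHost, frameHost) ? "autofill" : "block",
    fixedOnLoad: frameFillDecision(savedHost, frameHost, trustedHosts, false),
    fixedManual: frameFillDecision(savedHost, frameHost, trustedHosts, true),
  };
}

// Demonstration on the hosts from the thread (constructed sample input).
const DEMO = compareScenario("logins.company.tld", "clientname.company.tld");
console.log(JSON.stringify(DEMO));
// {"legacy":"autofill","fixedOnLoad":"block","fixedManual":"warn"}
```

The two checks differ only in what they compare: the legacy rule compares registrable domains, so anyone who can get a subdomain of the login domain is treated as the login site, while the fixed rule compares full hostnames against the saved entry or an allowlist the user has chosen.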

Yes, this was reported in the original article I linked to. They wanted to allow legitimate sites (whitelisting) and sites the user had used before, whilst blocking all others.

1 Like