PSA: Hackers can steal your username and password for a website using an embedded iframe. It’s a weakness for all password managers, and most have addressed it in various ways, including warning users when they are on a login page that contains an iframe, or by not trusting subdomains. Bitwarden is the one exception, having decided in 2018 that the threat was not significant enough to address.
On its auto-fill support pages, Bitwarden advises users to disable their browser’s built-in password auto-fill, because it interferes with the extension. It also notes that this is a good idea because “experts generally agree that built-in [browser] password managers are more vulnerable than dedicated solutions like Bitwarden,” which is generally true.
Unfortunately, its auto-fill may not be much better than your browser’s. Security researchers at Flashpoint discovered that Bitwarden’s browser extension does not safely handle auto-fill on websites with embedded iframes. Understanding this vulnerability requires a basic understanding of iframes.
Website developers use the inline frame element, or iframe, to embed part of another web page in their own. For example, TechSpot uses iframes to embed YouTube videos in its articles. Iframes can also be used to embed web forms. In general, iframes are safe to use as long as the embedded material from the external site is not compromised, and this is where password managers run into trouble.
By design, password manager extensions auto-fill credentials on any web page for which the user has saved a login. They can even pre-fill the login form without any user interaction; in Bitwarden’s case, this is a setting called “Auto-fill on page load”. However, the extension performs this fill inside an iframe without checking whether the frame’s origin matches the page’s (a Same Origin Policy check). So if a page contains a malicious iframe from another domain, the extension will unknowingly hand over your credentials, which are then sent to the attacker’s server.
Proof of concept showing that Bitwarden auto-fills the legitimate and the “malicious” iframe fields at the same time.
Most password managers implement checks that at least alert users to the potential threat. Bitwarden, however, neither prevents nor warns that an iframe from another domain may be capturing credentials. It assumes that every iframe on a login page is trustworthy, and says as much in its 2018 security assessment, but more on that later.
Of course, this can only happen if a trusted site is already compromised, right? According to Flashpoint, that’s not necessarily true.
Obviously, if attackers have already gained enough ground to embed an iframe on a legitimate site, users have bigger problems than this vulnerability, and there is little any password manager extension can do in that scenario. However, some legitimate websites embed login forms from other domains inside an iframe. If attackers can compromise that secondary source, they have a proxy for stealing credentials from a trusted website.
Flashpoint acknowledges that this is a rare scenario, and confirms that it spot-checked several websites that use iframes on their login pages. But there is a second problem. Bitwarden’s default URI (Uniform Resource Identifier) match setting is “Base Domain”, so the extension will offer to auto-fill a password as long as the top-level and second-level domains match.
The problem is that several hosting services allow users to host “arbitrary content” under a subdomain, which makes it relatively easy to spoof a login page on a domain the extension already trusts.
“For example, should a company have a login page at https://logins.company.tld and allow users to serve content under https://[clientname].company.tld, these users can steal credentials from Bitwarden extensions,” Flashpoint said. “During our research, we confirmed that several major sites provide this exact environment. If a user with the Bitwarden browser extension visits a specially crafted page hosted on these web services, an attacker can steal the credentials stored for the respective domain.”
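The two decisions the article describes, whether a saved login matches the page at all and what to do when the login form sits in a cross-origin iframe, can be made concrete in a few lines of extension-style logic. The code below is an added illustration written for this page; it is not Bitwarden’s code, and every hostname, URL and policy name in it is constructed. It models “Base Domain” versus “Host” matching, and three ways of treating a cross-origin frame: ignoring it (the behaviour the article attributes to Bitwarden), warning, or refusing to fill.

```javascript
// Added example (not Bitwarden's code): a minimal auto-fill policy for a
// password-manager browser extension. All URLs and names are constructed.

const MATCH = { BASE_DOMAIN: "base_domain", HOST: "host", EXACT: "exact" };
const FRAME_POLICY = { IGNORE: "ignore", WARN: "warn", BLOCK: "block" };

// Simplified registrable-domain extraction: the last two DNS labels.
// A real extension would consult the Public Suffix List so that a host
// such as "login.example.co.uk" does not collapse to "co.uk".
function baseDomain(hostname) {
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

// Does the saved login's URI match the page URL under the chosen match type?
function uriMatches(savedUri, pageUrl, matchType) {
  const saved = new URL(savedUri);
  const page = new URL(pageUrl);
  switch (matchType) {
    case MATCH.EXACT:
      return saved.href === page.href;
    case MATCH.HOST:
      return saved.host === page.host;
    case MATCH.BASE_DOMAIN:
      return baseDomain(saved.hostname) === baseDomain(page.hostname);
    default:
      return false;
  }
}

// Decide what to do with a login form found in a frame.
//   topUrl:   URL in the address bar (the top-level document)
//   frameUrl: URL of the document that actually contains the form
// Returns { action: "fill" | "warn" | "refuse", reason }.
function autofillDecision({ topUrl, frameUrl, savedUri, matchType, framePolicy }) {
  if (!uriMatches(savedUri, topUrl, matchType)) {
    return { action: "refuse", reason: "top-level page does not match the saved URI" };
  }
  const top = new URL(topUrl);
  const frame = new URL(frameUrl);
  if (frame.origin !== top.origin) {
    // The form is cross-origin to the page the user believes they are on.
    if (framePolicy === FRAME_POLICY.BLOCK) {
      return { action: "refuse", reason: `cross-origin iframe ${frame.origin}` };
    }
    if (framePolicy === FRAME_POLICY.WARN) {
      return { action: "warn", reason: `cross-origin iframe ${frame.origin}` };
    }
    // FRAME_POLICY.IGNORE: the weakness described above; the fill proceeds
    // into whatever frame the matching page happens to embed.
  }
  return { action: "fill", reason: "ok" };
}

// Constructed scenarios mirroring the article.
const SAVED_URI = "https://logins.company.tld/login";

function demo() {
  const legitTop = "https://logins.company.tld/login";
  const foreignFrame = "https://attacker.example/collect";
  const userSubdomain = "https://clientname.company.tld/fake-login";
  return {
    // 1. A matching page embeds a form from a different origin.
    foreignFrameIgnored: autofillDecision({ topUrl: legitTop, frameUrl: foreignFrame,
      savedUri: SAVED_URI, matchType: MATCH.BASE_DOMAIN, framePolicy: FRAME_POLICY.IGNORE }),
    foreignFrameWarned: autofillDecision({ topUrl: legitTop, frameUrl: foreignFrame,
      savedUri: SAVED_URI, matchType: MATCH.BASE_DOMAIN, framePolicy: FRAME_POLICY.WARN }),
    // 2. A user-controlled subdomain of the same base domain hosts a fake form.
    subdomainBaseMatch: autofillDecision({ topUrl: userSubdomain, frameUrl: userSubdomain,
      savedUri: SAVED_URI, matchType: MATCH.BASE_DOMAIN, framePolicy: FRAME_POLICY.BLOCK }),
    subdomainHostMatch: autofillDecision({ topUrl: userSubdomain, frameUrl: userSubdomain,
      savedUri: SAVED_URI, matchType: MATCH.HOST, framePolicy: FRAME_POLICY.BLOCK }),
  };
}
```

Running `demo()` shows the two failure modes side by side: with the frame policy set to ignore, the foreign iframe is filled; with "warn" the user gets a chance to inspect the page first, which is the behaviour the article credits to most other password managers. The subdomain case is decided entirely by the match type: “Base Domain” fills the fake page on `clientname.company.tld`, while “Host” refuses it. Because some legitimate sites really do embed a login form from a second domain, a warn policy rather than a hard block is the pragmatic default; the user sees the frame origin and decides.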
Strangely, when Flashpoint contacted Bitwarden about the weakness as part of coordinated disclosure, the company stated that it has known about it since 2018.
“Because Bitwarden does not check the URL of every iframe, it is possible that a website may have a malicious iframe embedded in it, which Bitwarden will automatically fill in with the credentials of a ‘top-level’ website,” the company’s 2018 security assessment report said. “Unfortunately, there are legitimate cases where sites will include iframe login forms from a separate domain than their ‘parent’ site domain. No action is planned at this time.”
In other words, Bitwarden is aware of the problem but considers the risk acceptable enough to do nothing about it, even if the fix were as simple as having the extension warn when there is an iframe on the page. Flashpoint found this inexplicable, since all of Bitwarden’s competitors have some mitigation for this attack.
The researchers created a proof of concept using the flaw as an attack vector, along with a “working exploit” that they deployed in a private “hosted environment”. They hope Bitwarden’s developers will change their minds, since no one had built such an exploit in 2018, when the company first assessed the vulnerability. Until Bitwarden addresses it, there are several things you can do to mitigate the risk without changing password managers.
First, disable the extension’s “Auto-fill on page load” setting. You will have to trigger auto-fill manually every time, but that gives you a moment to inspect the login page before handing your credentials to an iframe. That is actually good advice for any password manager extension that offers pre-emptive auto-fill.
Second, use that pause to make sure you’re on a trusted domain and that the page is what it seems. Look at the URL to make sure you’re on the right domain or subdomain and that nothing suspicious appears. For example, something like “login.wellsfargo.com” is probably legitimate, while “credx257.wellsfargo.com” probably isn’t.
These steps still won’t protect you from sites that embed compromised external web forms, but Flashpoint notes that those scenarios are rare. None of this is a reason to ditch a password manager, even Bitwarden. Managers are handy for keeping your credentials straight, and it’s always better to have many strong, hard-to-remember passwords that are unique to each site than to reuse weak ones.