cuakp.blogg.se

Bitwarden for ios
However, it also found that default URI matching, which is how a browser extension knows when to auto-fill logins, combined with unsecured auto-fill behaviour, can lead to two possible attack vectors.

The first is if an uncompromised website embeds an external iframe, which an attacker controls, and enables the ‘Auto-fill on page load’ option. The second is if an attacker hosts a web page under a subdomain.

“In our research, we confirmed that a couple of major websites provide this exact environment,” said Flashpoint. “If a user with a Bitwarden browser extension visits a specially crafted page hosted in these web services, an attacker is able to steal the credentials stored for the respective domain.”

Upon contacting Bitwarden, Flashpoint revealed, to its surprise, that the company knew about the issue as far back as November 2018. Bitwarden published a Security Assessment Report in which the issue, named BWN-01-001 by the password manager, was detailed. Flashpoint researchers said that this means the issue has been documented and public for more than four years.

“Bitwarden accepts iframe auto-filling because many popular websites use this model, for example uses an iframe from ,” a spokesperson said. “So there are perfectly valid use cases where login forms are in an iframe under a different domain.”

The company added that the autofill feature described by Flashpoint is not enabled by default. Flashpoint said that Bitwarden plans to exclude the reported hosting environment from its auto-fill function, but doesn’t plan to make any changes to the way iframes work. There is also a warning message that appears on the password manager which reads “Warning: This feature is disabled by default because, while generally safe, compromised or untrusted websites could take advantage of this to steal credentials”.

Only one attack vector has been addressed instead of the root cause of the issue, the researchers said. “It should also be noted that a brief evaluation of other password manager extensions shows that none of those will auto-fill iframes from different origins or show warnings for iframes from different origins.”
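The two decisions the article turns on, URI matching and whether to fill a frame whose origin differs from the top-level page, can be modelled as a small policy function. The following is an added example written for this page; it is not Bitwarden's code and does not reflect how any real extension is implemented. The function names (`autofillDecision`, `hostMatches`, `registrableDomain`), the option names, and every hostname below are constructed for illustration, and the two-label rule for registrable domains is a deliberate simplification (a real extension would consult the Public Suffix List). It shows the base-domain matching the article calls the default, the stricter host matching that refuses a sibling subdomain, and why matching against the frame's own URL rather than the top-level URL matters when cross-origin fill is enabled.

```javascript
// Added example, not Bitwarden's code. Models auto-fill policy decisions only.

// Simplified registrable-domain rule (assumption: last two labels). A real
// extension would use the Public Suffix List instead of this shortcut.
function registrableDomain(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// URI matching modes. 'baseDomain' mirrors the default behaviour the article
// describes (any subdomain of the saved domain matches); 'host' requires the
// exact hostname saved with the credential.
function hostMatches(credentialHost, pageHost, mode) {
  switch (mode) {
    case 'baseDomain':
      return registrableDomain(credentialHost) === registrableDomain(pageHost);
    case 'host':
      return credentialHost === pageHost;
    default:
      throw new Error(`unknown match mode: ${mode}`);
  }
}

// Decide whether a saved credential may be filled into a form.
//   credentialUri          URI stored with the vault item
//   topUrl                 URL of the top-level document
//   frameUrl               URL of the document that contains the form
//   matchMode              'baseDomain' (default) or 'host'
//   matchAgainst           'frame' (safe) or 'top' (fills a foreign frame on
//                          the strength of the parent page's URL)
//   fillCrossOriginFrames  opt-in; off by default, as the article notes
function autofillDecision({
  credentialUri, topUrl, frameUrl,
  matchMode = 'baseDomain', matchAgainst = 'frame', fillCrossOriginFrames = false,
}) {
  const cred = new URL(credentialUri);
  const top = new URL(topUrl);
  const frame = new URL(frameUrl);

  // Gate 1: a frame from another origin is refused unless the user opted in.
  const crossOrigin = frame.origin !== top.origin;
  if (crossOrigin && !fillCrossOriginFrames) {
    return { fill: false, reason: 'cross-origin frame, opt-in not set' };
  }

  // Gate 2: URI matching. Matching the frame's own URL is what prevents a
  // foreign frame from being filled just because the parent page matched.
  const target = matchAgainst === 'top' ? top : frame;
  if (!hostMatches(cred.hostname, target.hostname, matchMode)) {
    return { fill: false, reason: 'uri mismatch' };
  }
  return { fill: true, reason: crossOrigin ? 'match (cross-origin, opted in)' : 'match' };
}

// Constructed scenarios covering the cases the article discusses.
function scenarios() {
  const credentialUri = 'https://login.example.com/';
  const base = { credentialUri, topUrl: 'https://www.example.com/' };
  return {
    // Legitimate use: a site embeds its own login host in a frame; opt-in allows it.
    sameSiteFrameOptIn: autofillDecision({ ...base, frameUrl: 'https://login.example.com/', fillCrossOriginFrames: true }),
    // A frame from an unrelated host is refused by the default (opt-in off).
    foreignFrameDefault: autofillDecision({ ...base, frameUrl: 'https://third-party.example/' }),
    // Same frame, opt-in on, but matching done against the top-level URL: fills.
    foreignFrameTopMatch: autofillDecision({ ...base, frameUrl: 'https://third-party.example/', fillCrossOriginFrames: true, matchAgainst: 'top' }),
    // Same frame, opt-in on, matching done against the frame's own URL: refused.
    foreignFrameFrameMatch: autofillDecision({ ...base, frameUrl: 'https://third-party.example/', fillCrossOriginFrames: true, matchAgainst: 'frame' }),
    // Sibling subdomain (e.g. user-hosted pages on the same registrable domain):
    // base-domain matching fills, host matching does not.
    siblingSubdomainBase: autofillDecision({ credentialUri, topUrl: 'https://pages.example.com/', frameUrl: 'https://pages.example.com/' }),
    siblingSubdomainHost: autofillDecision({ credentialUri, topUrl: 'https://pages.example.com/', frameUrl: 'https://pages.example.com/', matchMode: 'host' }),
  };
}

for (const [name, result] of Object.entries(scenarios())) {
  console.log(name.padEnd(24), result.fill ? 'FILL   ' : 'REFUSE ', result.reason);
}
```

The `siblingSubdomain*` pair is the practical takeaway for vault items stored against services that hand out subdomains to arbitrary users: switching that item's match rule from base domain to host is a per-item mitigation a user can apply today, independent of how the extension treats iframes.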
