
Four-year-old iframe flaw allows hackers to steal Bitwarden passwords

The password manager has known about the issue since 2018 and publicised it in a security assessment report that same year

Bitwarden’s autofill feature contains a flaw which could allow websites to steal users’ passwords.

The password manager browser extension handles embedded iframes on a web page in an atypical manner, according to new research from cyber security firm Flashpoint.

Researchers found that Bitwarden’s browser extension auto-fills forms that are in an embedded iframe even if they are from different domains.

Inline frames - 'iframes' - are a common component of webpages and part of the HTML markup language. They allow web pages to include content from external sources.

Various types of content can be stored in an iframe, including simple interfaces with text fields for entering login credentials.

“While the embedded iframe does not have access to any content in the parent page, it can wait for input to the login form and forward the entered credentials to a remote server without further user interaction,” stated Flashpoint.

The researchers explained that they are aware of regular, uncompromised websites that use embedded external iframes for a number of reasons, including advertising.

“This means that an attacker does not necessarily need to compromise the website itself - they just need to be in control of the iframe content,” they explained.

Despite this, Flashpoint found that few websites embed an iframe on the login page, which lowers the risk.

However, it also found that default URI matching, which is how a browser extension knows when to auto-fill logins, combined with unsecured auto-fill behaviour, can lead to two possible attack vectors.

The first is if an uncompromised website embeds an external iframe, which an attacker controls, and enables the ‘Auto-fill on page load’ option. The second is if an attacker hosts a web page under a subdomain.

“In our research, we confirmed that a couple of major websites provide this exact environment,” said Flashpoint. “If a user with a Bitwarden browser extension visits a specially crafted page hosted in these web services, an attacker is able to steal the credentials stored for the respective domain.”
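As an added illustration, not Bitwarden's or Flashpoint's code, here is the autofill policy a defender would want in place of the behaviour described above: fill only when the frame hosting the form shares an origin with the top-level page, allow-list the known legitimate cross-domain pairs (such as icloud.com embedding apple.com, which Bitwarden cites below), and require a prompt rather than fill-on-load when a base-domain match lands on a different subdomain of the saved site. The allow-list entry, the hostnames used and the two-label "registrable domain" approximation are assumptions for the example.

```javascript
// Added example (not Bitwarden's implementation). Decides whether a stored
// login may be auto-filled into a form, given where the form's frame lives.

// Constructed allow-list of "top-level base domain|frame base domain" pairs
// that are known to legitimately host a login form in a cross-domain iframe.
const ALLOWED_FRAME_PAIRS = new Set(["icloud.com|apple.com"]);

// Approximates the registrable ("base") domain with the last two labels.
// A production implementation would use the Public Suffix List instead.
function registrableDomain(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

// Returns one of: "no-match", "block-cross-origin-frame", "prompt-subdomain", "fill".
function autofillDecision({ savedUri, topUrl, frameUrl, autofillOnLoad }) {
  const saved = new URL(savedUri);
  const top = new URL(topUrl);
  const frame = new URL(frameUrl);

  // Step 1: base-domain URI matching, the default-style match the article
  // describes. Without a match there is nothing to fill.
  if (registrableDomain(saved.hostname) !== registrableDomain(top.hostname)) {
    return "no-match";
  }

  // Step 2: the form's frame must share an origin with the top-level page.
  // A third-party iframe (an ad slot, for instance) is refused unless the
  // site pair is explicitly allow-listed.
  if (frame.origin !== top.origin) {
    const pair = `${registrableDomain(top.hostname)}|${registrableDomain(frame.hostname)}`;
    if (!ALLOWED_FRAME_PAIRS.has(pair)) {
      return "block-cross-origin-frame";
    }
  }

  // Step 3: "auto-fill on page load" is only silent when the hostname is the
  // one the credential was saved for. A sibling subdomain of a shared hosting
  // service matches the base domain but must ask the user first.
  if (autofillOnLoad && saved.hostname !== top.hostname) {
    return "prompt-subdomain";
  }

  return "fill";
}

module.exports = { autofillDecision, registrableDomain };
```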

Upon contacting Bitwarden, Flashpoint discovered, to its surprise, that the company had known about the issue as far back as November 2018.

Bitwarden published a Security Assessment Report in which the issue, named BWN-01-001 by the password manager, was detailed. Flashpoint researchers said that this means the issue has been documented and public for more than four years.

“Since Bitwarden does not check each iframe’s URL, it is possible for a website to have a malicious iframe embedded which Bitwarden will autofill with the 'top-level' website credentials,” the report read.

“Unfortunately, there are legitimate cases where websites will include iframe login forms from a separate domain than their 'parent' website’s domain.”

Bitwarden said in the report that no action was planned at the time.

“If a website is embedding a malicious iframe from another domain, we can assume that website (or device) is already in a compromised state and that efforts from Bitwarden to try to mitigate the leaking of credentials for that website would likely not help,” Flashpoint said. “Additionally, by default Bitwarden does not autofill information without a user’s consent.”

Flashpoint believes that Bitwarden’s 2018 assessment of the issue is invalid, due to how important compromised credentials are for attackers to gain access to a user or organisation. Researchers created and provided two examples to Bitwarden to show how the issue could be exploited.


Bitwarden confirmed to IT Pro that it has been aware of the issue since 2018.

“Bitwarden accepts iframe auto-filling because many popular websites use this model, for example icloud.com uses an iframe from apple.com,” a spokesperson said. “So there are perfectly valid use cases where login forms are in an iframe under a different domain.”

The company added that the autofill feature described by Flashpoint is not enabled by default.

There is also a warning message that appears in the password manager which reads: “Warning: This feature is disabled by default because, while generally safe, compromised or untrusted websites could take advantage of this to steal credentials”.

Flashpoint said that Bitwarden plans to exclude the reported hosting environment from its auto-fill function, but doesn’t plan to make any changes to the way iframes work.

Only one attack vector has been addressed instead of the root cause of the issue, the researchers said.

“It should also be noted that a brief evaluation of other password manager extensions shows that none of those will auto-fill iframes from different origins or show warnings for iframes from different origins. This currently appears to be unique to Bitwarden’s product,” they added.
