IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Four-year-old iframe flaw allows hackers to steal Bitwarden passwords

The password manager has known about the issue since 2018, publicising it in a report in 2018

Bitwarden’s autofill feature contains a flaw which could allow websites to steal users’ passwords.

The password manager browser extension handles embedded iframes on a web page in an atypical manner, according to new research from cyber security firm Flashpoint.

Researchers found that Bitwarden’s browser extension auto-fills forms that are in an embedded iframe even if they are from different domains.

Inline frames - 'iframes' - are a common component of webpages and part of the HTML markup language. They allow web pages to include content from external sources.

various different types of content can be stored in an iframe, including simple interfaces with text fields to input login credentials.

“While the embedded iframe does not have access to any content in the parent page, it can wait for input to the login form and forward the entered credentials to a remote server without further user interaction,” stated Flashpoint.

The researchers explained that they are aware of regular, uncompromised, websites that use embedded external iframes for a number of reasons, including advertising. 

“This means that an attacker does not necessarily need to compromise the website itself - they just need to be in control of the iframe content,” they explained.

Despite this, Flashpoint found that there weren’t many websites that embedded an iframe on the login page, which lowers the risk. 

However, it also found that default URI matching, which is how a browser extension knows when to auto-fill logins, combined with unsecured auto-fill behaviour, can lead to two possible attack vectors.

The first is if an uncompromised website embeds an external iframe, which an attacker controls, and enables the ‘Auto-fill on page load’ option. The second is if an attacker hosts a web page under a subdomain.

“In our research, we confirmed that a couple of major websites provide this exact environment,” said Flashpoint. “If a user with a Bitwarden browser extension visits a specially crafted page hosted in these web services, an attacker is able to steal the credentials stored for the respective domain.”

Upon contacting Bitwarden, Flashpoint revealed, to its surprise, that the company knew about the issue as far back as November 2018.

Bitwarden published a Security Assessment Report in which the issue, named BWN-01-001 by the password manager, was detailed. Flashpoint researchers said that this means the issue has been documented and public for more than four years.

“Since Bitwarden does not check each iframe’s URL, it is possible for a website to have a malicious iframe embedded which Bitwarden will autofill with the 'top-level' website credentials,” the report read.

“Unfortunately, there are legitimate cases where websites will include iframe login forms from a separate domain than their 'parent' website’s domain.”

Bitwarden said in the report that no action was planned at the time.

“If a website is embedding a malicious iframe from another domain, we can assume that website (or device) is already in a compromised state and that efforts from Bitwarden to try to mitigate the leaking of credentials for that website would likely not help,” Flashpoint said. “Additionally, by default Bitwarden does not autofill information without a user’s consent.”

Flashpoint believes that Bitwarden’s 2018 assessment of the issue is invalid, due to how important compromised credentials are for attackers to gain access to a user or organisation. Researchers created and provided two examples to Bitwarden to show how the issue could be exploited.

Related Resource

Trend Micro security predictions for 2023

Prioritise cyber security strategies on capabilities rather than costs

Whitepaper cover with distorted image of a female wearing a VR headsetFree Download

Bitwarden confirmed to IT Pro that it has been aware of the issue since 2018.

“Bitwarden accepts iframe auto-filling because many popular websites use this model, for example uses an iframe from,” a spokesperson said. “So there are perfectly valid use cases where login forms are in an iframe under a different domain.”

The company added that the autofill feature described by Flashpoint is not enabled by default.

There is also a warning message that appears on the password manager which reads “>Warning: This feature is disabled by default because, while generally safe, compromised or untrusted websites could take advantage of this to steal credentials”.

Flashpoint said that Bitwarden plans to exclude the reported hosting environment from its auto-fill function, but doesn’t plan to make any changes to the way iframes work.

Only one attack vector has been addressed instead of the root cause of the issue, the researchers said.

“It should also be noted that a brief evaluation of other password manager extensions shows that none of those will auto-fill iframes from different origins or show warnings for iframes from different origins. This currently appears to be unique to Bitwarden’s product,” they added.

Featured Resources

IT best practices for accelerating the journey to carbon neutrality

Considerations and pragmatic solutions for IT executives driving sustainable IT

Free Download

The Total Economic Impact™ of IBM Spectrum Virtualize

Cost savings and business benefits enabled by storage built with IBMSpectrum Virtualize

Free download

Using application migration and modernisation to supercharge business agility and resiliency

Modernisation can propel your digital transformation to the next generation

Free Download

The strategic CFO

Why finance transformation propels business value

Free Download

Most Popular

HMRC lost nearly 50% more devices in 2022

HMRC lost nearly 50% more devices in 2022

17 Mar 2023
The big PSTN switch off: What’s happening between now and 2025?

The big PSTN switch off: What’s happening between now and 2025?

13 Mar 2023
Outlook zero day patch causes headaches for Windows admins

Outlook zero day patch causes headaches for Windows admins

15 Mar 2023