Bitwarden to release fix for four-year-old vulnerability
The password manager has known about the issue since 2018; a Flashpoint report earlier in March highlighted how it could be exploited


Bitwarden has confirmed it will soon be releasing a fix for a security vulnerability the company has known about for four years.
Researchers from Flashpoint identified earlier this month that the password manager’s autofill feature contained a flaw that could allow websites to steal users' passwords.
Bitwarden confirmed today that the fix is expected to be pushed to users next week.
The password manager will only fill in iframes from trusted domains if a user enables autofill on page load. These trusted domains include the same domain as a website or a URL the user has designated as safe.
Bitwarden said that autofill on page load remains 'off' by default. If a user triggers a manual autofill into an untrusted iframe, the extension will display a warning about the iframe's URL and let the user decide whether to cancel or proceed with the operation.
“This eliminates the iframe attack vector while still allowing convenient autofill functionality for sites that have trusted iframes,” a spokesperson from Bitwarden told IT Pro.
IT Pro has asked the company why it decided to release the fix now even though it has known about the issue since 2018.
“I highly appreciate that the vendor decided to address this security issue," said Sven Krewitt, senior vulnerability researcher at Flashpoint. "The steps in the provided description of the fix should address the external iframe handling as the user is now in control of which iframes are filled by the extension (as opposed to filling all iframes by default).
"Please note that while the behavior of the 'URI match detection' setting is documented, the default setting still leaves an attack vector for environments where users can host content under certain sub-domains," said Krewitt. "We still recommend setting the 'Default URI match detection' to at least check the 'Host'.”
In their original research, Flashpoint researchers found that the password manager was handling iframes embedded on a web page in an atypical manner.
Bitwarden would auto-fill forms in an embedded iframe even if they were from different domains.
Combining that autofill behaviour with URI matching, the mechanism the browser extension uses to decide which saved logins apply to the current page, the researchers said could lead to two different attack methods.
The first requires the user to have enabled the ‘Auto-fill on page load’ option: an attacker embeds an external iframe into an otherwise uncompromised website, and the extension fills the form inside that iframe. The other is if an attacker hosts a web page under a subdomain of a site for which the user has saved credentials.
In either case, the default implementation of Bitwarden could then auto-fill malicious web elements with credentials, presenting a security risk.
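As an added illustration (not Bitwarden's or Flashpoint's code), the following JavaScript models the two mechanisms the article describes: URI match detection, with the default 'Base domain' mode beside the stricter 'Host' mode Krewitt recommends, and the post-fix trusted-iframe rule. The vault entry, URLs and function names are constructed for the example; the base-domain helper assumes a one-label public suffix such as `com`; and the trusted-iframe rule (same hostname as the top-level page, or an origin on a user allow-list) is an assumed reading of the description above, not Bitwarden's implementation.

```javascript
// Constructed vault: one saved login for example.com (not real data).
const VAULT = [
  { name: 'Example', uri: 'https://www.example.com/login', username: 'alice' },
];

// Registrable-domain extraction. A real "Base domain" mode consults the
// public suffix list; this toy version assumes a one-label suffix, so
// "a.b.example.com" -> "example.com". Assumption for the example only.
function baseDomain(hostname) {
  const labels = hostname.toLowerCase().split('.');
  return labels.slice(-2).join('.');
}

// URI match detection. 'base-domain' is the default the article refers to;
// 'host' is the setting Krewitt recommends; 'exact' is included for contrast.
function uriMatches(mode, savedUri, pageUrl) {
  const saved = new URL(savedUri);
  const page = new URL(pageUrl);
  switch (mode) {
    case 'base-domain':
      return baseDomain(saved.hostname) === baseDomain(page.hostname);
    case 'host':
      return saved.host === page.host; // hostname plus port
    case 'exact':
      return saved.href === page.href;
    default:
      throw new Error(`unknown match mode: ${mode}`);
  }
}

// Saved logins that would be offered for pageUrl under the given mode.
function matchingLogins(mode, pageUrl, vault = VAULT) {
  return vault.filter((item) => uriMatches(mode, item.uri, pageUrl));
}

// Assumed trusted-iframe rule: the frame must share the top-level page's
// hostname, or its origin must be on a user-maintained allow-list.
function iframeIsTrusted(topUrl, frameUrl, userTrustedOrigins = []) {
  const top = new URL(topUrl);
  const frame = new URL(frameUrl);
  if (frame.hostname === top.hostname) return true;
  return userTrustedOrigins.includes(frame.origin);
}

// Decide what happens to a fill request for a form inside frameUrl on topUrl:
//   'none'  - no saved login matches the page, nothing to fill
//   'fill'  - trusted iframe (or top-level document), fill silently
//   'skip'  - untrusted iframe during auto-fill on page load, never fill
//   'warn'  - untrusted iframe during manual fill, ask the user first
function autofillDecision({ mode, topUrl, frameUrl, onPageLoad, trustedOrigins = [] }) {
  const logins = matchingLogins(mode, topUrl);
  if (logins.length === 0) return { action: 'none', logins };
  if (iframeIsTrusted(topUrl, frameUrl, trustedOrigins)) return { action: 'fill', logins };
  return onPageLoad ? { action: 'skip', logins } : { action: 'warn', logins };
}

// The two attack methods from the report, run against both match modes.
function demo() {
  // Attack 1: attacker-controlled iframe on an otherwise honest page.
  const framed = (onPageLoad) => autofillDecision({
    mode: 'base-domain',
    topUrl: 'https://www.example.com/blog',
    frameUrl: 'https://attacker.test/phish', // constructed attacker origin
    onPageLoad,
  }).action;

  // Attack 2: attacker-hosted page under a subdomain of the saved site.
  const subdomainPage = 'https://evil.example.com/'; // constructed
  return {
    iframeOnPageLoad: framed(true),   // 'skip'
    iframeManualFill: framed(false),  // 'warn'
    subdomainBaseDomain: matchingLogins('base-domain', subdomainPage).length, // 1
    subdomainHost: matchingLogins('host', subdomainPage).length,              // 0
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of the two counters at the end is the one Krewitt makes: the iframe fix changes what happens once a login matches, but under 'Base domain' matching an attacker page on `evil.example.com` still matches a login saved for `www.example.com`; switching the match mode to 'Host' is what closes that second vector.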
In their original report, Flashpoint researchers said that the password manager was planning to exclude the reported hosting environment from its auto-fill function, but wasn’t going to change how iframes work.
The researchers added that only one attack vector had been addressed through this fix, instead of the main cause of the issue.
“It should also be noted that a brief evaluation of other password manager extensions shows that none of those will auto-fill iframes from different origins or show warnings for iframes from different origins. This currently appears to be unique to Bitwarden’s product,” they added.
Zach Marzouk is a former ITPro, CloudPro, and ChannelPro staff writer, covering topics like security, privacy, worker rights, and startups, primarily in the Asia Pacific and the US regions. Zach joined ITPro in 2017 where he was introduced to the world of B2B technology as a junior staff writer, before he returned to Argentina in 2018, working in communications and as a copywriter. In 2021, he made his way back to ITPro as a staff writer during the pandemic, before joining the world of freelance in 2022.