Bitwarden to release fix for four-year-old vulnerability

Bitwarden has confirmed it will soon be releasing a fix for a security vulnerability the company has known about for four years.

Researchers from Flashpoint identified earlier this month that the password manager’s autofill feature contained a flaw that could allow websites to steal users' passwords.

Bitwarden confirmed today that the fix is expected to be pushed to users next week.

The password manager will only fill in iframes from trusted domains if a user enables autofill on page load. These trusted domains include the same domain as a website or a URL the user has designated as safe.

Bitwarden said that autofill on page load remains 'off' by default. If a user fills in an untrusted iframe when using manual autofill, the password manager will alert the user to the URI or URL so they can decide whether to cancel or proceed with the operation.

“This eliminates the iframe attack vector while still allowing convenient autofill functionality for sites that have trusted iframes,” a spokesperson from Bitwarden told IT Pro.

IT Pro has asked the company why it decided to release the fix now even though it has known about the issue since 2018.

“I highly appreciate that the vendor decided to address this security issue," said Sven Krewitt, senior vulnerability researcher at Flashpoint. "The steps in the provided description of the fix should address the external iframe handling as the user is now in control of which iframes are filled by the extension (as opposed to filling all iframes by default).

"Please note that while the behavior of the 'URI match detection' setting is documented, the default setting still leaves an attack vector for environments where users can host content under certain sub-domains," said Krewitt. "We still recommend setting the 'Default URI match detection' to at least check the 'Host'.”

In their original research, Flashpoint researchers found that the password manager was handling iframes embedded on a web page in an atypical manner.

Bitwarden would auto-fill forms in an embedded iframe even if they were from different domains.

The researchers said that combining this autofill behaviour with URI matching, which is how the browser extension decides when to auto-fill logins, could lead to two different attack methods.

The first is if an attacker embeds an external iframe into an uncompromised website and the ‘Auto-fill on page load’ option is enabled. The other is if an attacker hosts a web page under a subdomain.

In either case, the default implementation of Bitwarden could then auto-fill malicious web elements with credentials, presenting a security risk.
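The iframe trust rule and the 'Host' match recommendation described above can be sketched as follows. This is an added example, not Bitwarden's code: the function names, the 'fill' / 'prompt' / 'skip' results and the two-label base-domain shortcut are assumptions, and all URLs are constructed.

```javascript
// Added illustration, not Bitwarden's implementation. All names are hypothetical.

// Assumption: base domain = last two labels. A real extension needs the
// Public Suffix List to get this right (e.g. for "co.uk").
function baseDomain(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// 'base' accepts any subdomain of the saved login's domain;
// 'host' requires the exact hostname (and port) to match.
function uriMatches(savedUri, targetUrl, mode) {
  const saved = new URL(savedUri);
  const target = new URL(targetUrl);
  if (mode === 'host') return saved.host === target.host;
  return baseDomain(saved.hostname) === baseDomain(target.hostname);
}

// A frame is trusted if it matches the page's own domain or a URI the
// user saved with the login (the "designated as safe" case).
function frameIsTrusted(topUrl, frameUrl, savedUris, mode) {
  return uriMatches(topUrl, frameUrl, mode) ||
    savedUris.some((u) => uriMatches(u, frameUrl, mode));
}

// trigger: 'pageload' (autofill on page load) or 'manual'.
// Returns 'fill', 'prompt' (ask the user, showing the frame URL) or 'skip'.
function autofillDecision({ topUrl, frameUrl, savedUris, mode, trigger }) {
  // The login must match the page the user is actually visiting.
  if (!savedUris.some((u) => uriMatches(u, topUrl, mode))) return 'skip';
  if (frameIsTrusted(topUrl, frameUrl, savedUris, mode)) return 'fill';
  return trigger === 'manual' ? 'prompt' : 'skip';
}

// Constructed sample: a login saved for one tenant of a shared host,
// visited page belongs to a different tenant under the same base domain.
const tenantCase = {
  topUrl: 'https://other.hosting.example/',
  frameUrl: 'https://other.hosting.example/',
  savedUris: ['https://portal.hosting.example'],
  trigger: 'pageload',
};
console.log(autofillDecision({ ...tenantCase, mode: 'base' })); // fill
console.log(autofillDecision({ ...tenantCase, mode: 'host' })); // skip
```

The last two calls show why Krewitt's recommendation matters: with base-domain matching the shared-hosting subdomain still receives the credentials, while 'Host' matching withholds them.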

In their original report, Flashpoint researchers said that the password manager was planning to exclude the reported hosting environment from its auto-fill function, but wasn’t going to change how iframes work.

The researchers added that only one attack vector had been addressed through this fix, instead of the main cause of the issue.

“It should also be noted that a brief evaluation of other password manager extensions shows that none of those will auto-fill iframes from different origins or show warnings for iframes from different origins. This currently appears to be unique to Bitwarden’s product,” they added.

Zach Marzouk