
Bitwarden to release fix for four-year-old vulnerability

The password manager has known about the issue since 2018; exploits for it were highlighted in a Flashpoint report earlier in March

Bitwarden has confirmed it will soon be releasing a fix for a security vulnerability the company has known about for four years.

Researchers from Flashpoint identified earlier this month that the password manager’s autofill feature contained a flaw that could allow websites to steal users' passwords.

Bitwarden confirmed today that the fix is expected to be pushed to users next week.

If a user enables autofill on page load, the password manager will only fill in iframes from trusted domains. These trusted domains are the same domain as the website itself, or a URL the user has explicitly designated as safe.

Bitwarden said that autofill on page load remains 'off' by default. If a user triggers manual autofill on a page containing an untrusted iframe, the password manager will raise an alert about the iframe's URI or URL so the user can decide whether to cancel or proceed with the operation.

“This eliminates the iframe attack vector while still allowing convenient autofill functionality for sites that have trusted iframes,” a spokesperson from Bitwarden told IT Pro.

IT Pro has asked the company why it decided to release the fix now even though it has known about the issue since 2018.

“I highly appreciate that the vendor decided to address this security issue," said Sven Krewitt, senior vulnerability researcher at Flashpoint. "The steps in the provided description of the fix should address the external iframe handling as the user is now in control of which iframes are filled by the extension (as opposed to filling all iframes by default). 

"Please note that while the behavior of the 'URI match detection' setting is documented, the default setting still leaves an attack vector for environments where users can host content under certain sub-domains," said Krewitt. "We still recommend setting the 'Default URI match detection' to at least check the 'Host'.”

In their original research, Flashpoint researchers found that the password manager was handling iframes embedded on a web page in an atypical manner.

Bitwarden would auto-fill forms in an embedded iframe even if they were from different domains.

By combining this autofill behaviour with URI matching, the mechanism by which the browser extension decides when to auto-fill logins, the researchers said an attacker could use two different attack methods.

The first is if an attacker embeds an external iframe into an uncompromised website and the user has enabled the ‘Auto-fill on page load’ option. The other is if an attacker hosts a web page under a subdomain of the site the credentials are saved for.

In either case, the default implementation of Bitwarden could then auto-fill malicious web elements with credentials, presenting a security risk.
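To make the two attack paths and the announced fix concrete, the following is an added model of the autofill decision, written for this article and not taken from Bitwarden's extension code. The match modes ('base' as the default, 'host' as the researcher's recommendation), the trusted-host list and the simplified base-domain rule are assumptions of the model.

```javascript
// Illustrative model of a password manager's autofill decision (assumed
// design, not Bitwarden's implementation). Runs in Node or a browser.

// Simplified "base domain": the last two labels of the hostname. Real
// extensions consult the public suffix list so that e.g. co.uk works.
function baseDomain(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// URI match detection: does the saved login's URI match the page visited?
//   'base' (modelled as the default) compares base domains, so ANY
//          sub-domain of the saved site matches, attacker-hosted or not.
//   'host' compares full hostnames, which excludes foreign sub-domains.
function uriMatches(savedUri, pageUrl, mode) {
  const saved = new URL(savedUri).hostname;
  const page = new URL(pageUrl).hostname;
  return mode === 'host' ? saved === page
                         : baseDomain(saved) === baseDomain(page);
}

// Pre-fix behaviour described in the article: once the top-level page
// matches, every embedded iframe is filled regardless of its origin.
function legacyDecide({ savedUri, topUrl, mode }) {
  return { fill: uriMatches(savedUri, topUrl, mode) };
}

// Post-fix behaviour: an iframe is filled only if it is same-host as the
// page or on the user's trusted list. Otherwise autofill on page load skips
// it, and manual autofill prompts the user before proceeding.
function hardenedDecide({ savedUri, topUrl, frameUrl = null, mode,
                          trustedHosts = [], onPageLoad }) {
  if (!uriMatches(savedUri, topUrl, mode)) {
    return { fill: false, reason: 'uri-mismatch' };
  }
  if (frameUrl === null) return { fill: true }; // form is in the top document
  const frameHost = new URL(frameUrl).hostname;
  const trusted = frameHost === new URL(topUrl).hostname
               || trustedHosts.includes(frameHost);
  if (trusted) return { fill: true };
  return onPageLoad
    ? { fill: false, reason: 'untrusted-iframe' }
    : { fill: false, prompt: true, reason: 'untrusted-iframe' };
}

// Constructed sample vault entry used by the checks below.
const SAVED_URI = 'https://login.example.com/';
```

Note that the hardened decision still fills a form on an attacker-hosted sub-domain under 'base' matching; only switching the match mode to 'host' closes that second path, which is the configuration change the Flashpoint researcher recommends.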

In their original report, Flashpoint researchers said that the password manager was planning to exclude the reported hosting environment from its auto-fill function, but wasn’t going to change how iframes work.

The researchers added that only one attack vector had been addressed through this fix, instead of the main cause of the issue.

“It should also be noted that a brief evaluation of other password manager extensions shows that none of those will auto-fill iframes from different origins or show warnings for iframes from different origins. This currently appears to be unique to Bitwarden’s product,” they added.
