PSA: Attackers can steal a user's saved username and password for a website by planting an embedded iframe on its login page. The weakness affects password managers in general, and most have addressed it in some way, such as warning when a login page contains a cross-domain iframe or declining to trust subdomains by default. The exception is Bitwarden, which decided back in 2018 that the threat wasn't big enough to act on.
On its autofill support page, Bitwarden advises users to turn off their browser's built-in password autofill because it interferes with the extension. It also notes that this is good practice anyway because "experts generally agree that built-in [browser] password managers are more vulnerable than dedicated solutions like Bitwarden," which is generally true.
Unfortunately, the dedicated manager may not be much better than the browser in this respect. Security researchers at Flashpoint discovered that Bitwarden's browser extension handles autofill on pages containing inline frames insecurely. A basic understanding of iframes is needed to follow the problem.
Web developers use the inline frame element, or iframe, to embed a portion of another web page inside their own. For example, TechSpot uses iframes to embed YouTube videos in articles. Iframes can also embed web forms, including login forms. In general they are safe to use as long as the embedded content, which is served by the external site, has not been tampered with, and that is precisely where password managers run into trouble.
By design, password manager extensions fill credentials into any web page for which the user has a saved login. They can even do so proactively, without any user interaction; in Bitwarden's case the setting is called "Auto-fill on page load". The extension, however, also fills login forms that sit inside an iframe without checking that the iframe's origin matches the page's. So if a page contains a malicious iframe from a different domain, the manager fills the attacker's form, which then submits the credentials to the attacker's server.
Proof of concept showing Bitwarden auto-populating legitimate and “malicious” iframe fields simultaneously.
Most password managers include checks that at least warn users of this danger. Bitwarden does not block or warn that an iframe from a different domain could capture the credentials; it treats every iframe on a matching login page as trusted. The company acknowledged this in a 2018 security assessment, but more on that later.
Of course, this can only happen if the trusted website itself has been compromised, right? According to Flashpoint, not necessarily.
Granted, if attackers gain enough of a foothold to inject an iframe into a legitimate website, users have bigger problems than this vulnerability, and there is little any password manager extension can do in that scenario. However, some legitimate websites embed templates or forms served from a second domain inside an iframe. If attackers compromise that secondary domain, they have a proxy through which to harvest credentials entered on the trusted site.
Flashpoint admits this is a rare scenario and confirmed as much with a spot check of several sites that use iframes on their login pages. There is, however, a second problem. Bitwarden's default URI (Uniform Resource Identifier) match detection is "Base domain", so the extension autofills whenever the top-level and second-level domain labels match (company.tld, for example), regardless of the subdomain.
The problem is that many hosting services let users serve arbitrary content under a subdomain of the service's own domain, which makes it relatively easy to put a spoofed login page where Bitwarden will treat it as part of the legitimate site.
"For example, if a company has a login page at https://logins.company.tld and allows users to serve content under https://[clientname].company.tld, these users can steal credentials from Bitwarden extensions," Flashpoint said. "In our research, we have confirmed that two major websites provide this microenvironment. If a user with the Bitwarden browser extension visits a specially designed page hosted on these web services, an attacker can steal credentials stored for the domain in question."
Curiously, when Flashpoint contacted Bitwarden to coordinate disclosure, the company indicated that it had been aware of the issue since 2018.
"Because Bitwarden does not check the URL for every iframe, it is possible that a website might contain a malicious iframe, which Bitwarden will automatically populate with the website's 'top-level' credentials," reads the company's 2018 security assessment report. "Unfortunately, there are legitimate cases where websites will include iframe login forms from a domain separate from the domain of the 'parent' website. No action is planned at this time."
In other words, Bitwarden understands the problem but considers the risk acceptable enough to do nothing, even though a mitigation could be as simple as having the extension warn when a login form sits inside a cross-domain iframe. Flashpoint found this inexplicable given that all of Bitwarden's competitors have some form of mitigation for this attack.
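To make the cases discussed above concrete (the cross-domain iframe on a legitimate login page, the spoofed page on a hosted subdomain, and the legitimate cross-domain iframe login that the 2018 report cites as the reason for not acting), here is an added example written for this page; it is not Bitwarden's or Flashpoint's code. It is a small Node.js model of an extension's autofill decision: one policy matches the stored login against the top-level URL only and fills every login form on the page, the other additionally requires the form's document to be same-origin with the page. All hostnames (company.tld, attacker.example, auth-vendor.example) and the stored login are constructed for the example, and "base domain" is approximated as the last two DNS labels.

```javascript
// Added example, not code from Bitwarden or Flashpoint: a model of a browser
// extension's autofill decision that reproduces the two weaknesses described
// in the article and shows what a same-origin check changes.
// All hostnames below are hypothetical. Node's built-in URL class parses them.

// A stored login as the extension would keep it: one URI plus credentials.
// (Constructed sample data.)
const STORED_LOGIN = {
  uri: 'https://logins.company.tld/login',
  username: 'alice',
  password: 'correct horse battery staple',
};

// "Base domain" = the last two DNS labels (company.tld). Real managers consult
// the Public Suffix List so that e.g. "co.uk" is not treated as one site; the
// two-label approximation is enough for the hostnames used here.
function baseDomain(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// URI match modes comparable to the ones a manager offers. 'base-domain' is
// the default described in the article: any subdomain of company.tld matches.
function uriMatches(storedUri, pageUrl, mode) {
  const stored = new URL(storedUri);
  const page = new URL(pageUrl);
  switch (mode) {
    case 'base-domain':
      return baseDomain(stored.hostname) === baseDomain(page.hostname);
    case 'host':
      return stored.host === page.host;
    case 'exact':
      return stored.href === page.href;
    default:
      throw new Error(`unknown match mode: ${mode}`);
  }
}

// The behaviour the article describes: the stored login is matched against
// the top-level document's URL, and the credentials are then filled into every
// login form on the page, including forms inside iframes, with no check on the
// iframe's own origin. `formUrl` is deliberately ignored.
function fillWithoutFrameCheck(topUrl, formUrl, mode) {
  return uriMatches(STORED_LOGIN.uri, topUrl, mode);
}

// A stricter policy: the document that actually owns the login form must be
// same-origin with the top-level page. A cross-domain iframe is refused (a real
// extension might warn instead), which is the kind of mitigation the article
// says other managers implement in some form.
function fillWithFrameCheck(topUrl, formUrl, mode) {
  if (new URL(topUrl).origin !== new URL(formUrl).origin) return false;
  return uriMatches(STORED_LOGIN.uri, topUrl, mode);
}

// Constructed scenarios. `formUrl` is the URL of the document containing the
// login form: the top-level page itself, or an iframe embedded in it.
const SCENARIOS = {
  // Normal login on the real page.
  legitimate: {
    topUrl: 'https://logins.company.tld/login',
    formUrl: 'https://logins.company.tld/login',
  },
  // Flashpoint's first case: a malicious iframe injected into the real page.
  maliciousIframe: {
    topUrl: 'https://logins.company.tld/login',
    formUrl: 'https://attacker.example/fake-login',
  },
  // The 2018 report's counter-example: a real login form legitimately served
  // from a second domain inside an iframe on the company's own page.
  legitimateVendorIframe: {
    topUrl: 'https://www.company.tld/account',
    formUrl: 'https://auth-vendor.example/embed',
  },
  // Flashpoint's second case: attacker-controlled content hosted on a
  // subdomain of the same base domain. No iframe is involved at all.
  hostedSubdomain: {
    topUrl: 'https://clientname.company.tld/totally-the-login-page',
    formUrl: 'https://clientname.company.tld/totally-the-login-page',
  },
};

// Run one policy over every scenario; returns { scenarioName: filled? }.
function evaluate(policy, mode = 'base-domain') {
  const out = {};
  for (const [name, s] of Object.entries(SCENARIOS)) {
    out[name] = policy(s.topUrl, s.formUrl, mode);
  }
  return out;
}

console.table({
  'no frame check, base-domain': evaluate(fillWithoutFrameCheck, 'base-domain'),
  'frame check, base-domain': evaluate(fillWithFrameCheck, 'base-domain'),
  'frame check, host': evaluate(fillWithFrameCheck, 'host'),
});
```

Run it with `node autofill-model.js`. The table shows the trade-off the 2018 report weighed: the same-origin check stops the malicious iframe but also blocks the legitimate vendor-hosted login form. It also shows that the hosted-subdomain case is untouched by any iframe check, because there is no iframe; only a stricter URI match mode such as Host (or Exact), if your manager lets you choose one, closes that path.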
The researchers built a proof of concept using the flaw as an attack vector, along with an "exploit" that they privately deployed on a "prominent hosting environment". They hope this will persuade Bitwarden's developers to change their minds, since no one had demonstrated a working exploit back in 2018 when the company first evaluated the issue. Until Bitwarden addresses the vulnerability, there are a few things you can do to mitigate it without switching password managers.
First, turn off the extension's "Auto-fill on page load" setting. You will then have to trigger autofill manually each time, but that gives you a moment to look at the login page before the extension hands your credentials to whatever is on it, iframe included. Bear in mind that the pause only helps if you use it: once you trigger autofill, the extension fills the matching forms on the page just as it would have on load. This is a good habit with any password manager extension that offers proactive autofill.
Second, use that pause to confirm you are on a trusted domain and that the page is what it claims to be. Check the URL bar for the correct domain or subdomain and for anything out of place. For example, a hostname like "login.wellsfargo.com" is probably legitimate, while "creditx257.wellsfargo.com" probably is not.
These steps will not protect you from sites that embed a compromised external web form, but Flashpoint noted that such cases are rare. There is no reason to give up on password managers, Bitwarden included. They are well suited to keeping your credentials in order, and having many strong, unique, hard-to-remember passwords is always better than reusing weak ones.