Password management service Bitwarden has been found to have a potentially risky autofill feature that could be exploited by malicious iframes on trusted websites to steal user credentials.
Analysts at Flashpoint documented the issue. Bitwarden has known about the behaviour since 2018 but chose to keep it so as not to break legitimate sites that present their login forms inside iframes.
While the auto-fill feature is not enabled by default and the conditions required to exploit it are limited, motivated attackers could still try to take advantage of these flaws on some websites.
Bitwarden is an open-source service that stores encrypted usernames and passwords in a vault accessed via a browser extension. The extension fills in credentials automatically if the user visits a website with a stored login for that domain.
However, Flashpoint found that the extension also autofills login forms inside embedded iframes, even when the iframe is served from a domain other than the one the credentials were saved for. On its own, an iframe on a well-maintained, high-traffic login page is a low-risk issue, since an attacker would first have to get content onto that page. A second, separate behaviour widens the exposure: with base domain matching, a login saved for one host is offered on any subdomain that shares the same base domain.
Together, this means an attacker who controls an iframe embedded in a trusted page, or who can obtain a subdomain under the same base domain as a stored login (for example on a hosting service that gives each customer its own subdomain), can place a login form that the extension fills in when a victim with autofill enabled visits the page, and then capture the submitted credentials.
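The two behaviours above come down to a matching decision: which URL the extension compares a stored login against, and whether a frame's own origin is part of that comparison. The following is an added, illustrative model of that decision, written for this article; it is not Bitwarden's code and does not reproduce its internals. The function names, the tiny stand-in for the Public Suffix List, and the domain names in the scenarios are all constructed for the example.

```javascript
// Illustrative model of a password manager's autofill decision (added example,
// not Bitwarden's implementation). PUBLIC_SUFFIXES is an assumption: a tiny
// stand-in for the real Public Suffix List, just enough for the scenarios below.
const PUBLIC_SUFFIXES = new Set(["com", "co.uk", "example"]);

function hostOf(url) {
  return new URL(url).hostname.toLowerCase();
}

// Registrable ("base") domain: the longest matching public suffix plus one label.
// Longest suffixes are tried first so "foo.co.uk" resolves to "foo.co.uk", not "co.uk".
function baseDomain(hostname, suffixes = PUBLIC_SUFFIXES) {
  const labels = hostname.split(".");
  for (let i = 1; i < labels.length; i++) {
    if (suffixes.has(labels.slice(i).join("."))) {
      return labels.slice(i - 1).join(".");
    }
  }
  return hostname; // no known suffix: treat the whole host as the base domain
}

// matchType models the usual URI match strategies: "base" (same registrable
// domain), "host" (identical hostname) or "exact" (identical URL).
function uriMatches(storedUri, candidateUrl, matchType, suffixes = PUBLIC_SUFFIXES) {
  const stored = hostOf(storedUri);
  const cand = hostOf(candidateUrl);
  switch (matchType) {
    case "base":  return baseDomain(stored, suffixes) === baseDomain(cand, suffixes);
    case "host":  return stored === cand;
    case "exact": return new URL(storedUri).href === new URL(candidateUrl).href;
    default:      throw new Error("unknown match type: " + matchType);
  }
}

// Decide whether a login is filled into a given frame of a page.
// fillInIframes=true models the lax policy: match against the top-level page
// only and fill every frame inside it. fillInIframes=false models the stricter
// policy of also requiring the frame's own origin to match the stored URI.
function shouldAutofill({ storedUri, matchType, topUrl, frameUrl, fillInIframes, suffixes = PUBLIC_SUFFIXES }) {
  if (!uriMatches(storedUri, topUrl, matchType, suffixes)) return false;
  if (frameUrl === topUrl) return true;            // the form is in the page itself
  if (fillInIframes) return true;                  // any frame on a matching page
  return uriMatches(storedUri, frameUrl, matchType, suffixes);
}

// Scenario 1 (constructed): a trusted login page embeds an attacker-controlled iframe.
function iframeScenario(fillInIframes) {
  return shouldAutofill({
    storedUri: "https://login.bank.example/signin",
    matchType: "base",
    topUrl: "https://login.bank.example/signin",
    frameUrl: "https://evil.attacker.example/form.html",
    fillInIframes,
  });
}

// Scenario 2 (constructed): shared hosting where each customer gets a subdomain.
// A login saved for alice.sharedhost.example is evaluated on mallory's subdomain.
function sharedHostScenario(matchType, suffixes = PUBLIC_SUFFIXES) {
  const page = "https://mallory.sharedhost.example/";
  return shouldAutofill({
    storedUri: "https://alice.sharedhost.example/login",
    matchType,
    topUrl: page,
    frameUrl: page,
    fillInIframes: false,
    suffixes,
  });
}

// One mitigation for scenario 2: treat the hosting provider's domain like a public
// suffix, so every customer subdomain becomes its own base domain.
const SUFFIXES_WITH_HOSTER = new Set([...PUBLIC_SUFFIXES, "sharedhost.example"]);

console.log("iframe, lax policy:     ", iframeScenario(true));
console.log("iframe, strict policy:  ", iframeScenario(false));
console.log("subdomain, base match:  ", sharedHostScenario("base"));
console.log("subdomain, host match:  ", sharedHostScenario("host"));
console.log("subdomain, hoster as PSL:", sharedHostScenario("base", SUFFIXES_WITH_HOSTER));
```

The model shows why the two findings compound: base domain matching decides that mallory's page is "the same site" as alice's, and the lax frame policy then fills any form on a matching page regardless of where the frame came from. Switching the affected login to host or exact matching closes the subdomain case for that user, and adding the hosting provider's domain to the suffix list closes it for everyone, which is the shape of the per-host block mentioned later in the article; neither changes the iframe case, which only the stricter frame policy addresses.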
Bitwarden has acknowledged the risk of autofill and warns users of the potential for compromised sites to exploit the feature. Bitwarden engineers have not changed the behaviour since users often need to log in to services using embedded iframes from external domains.
They have added a warning to the software's documentation and to the relevant settings page in the extension. Bitwarden also said it would block autofill for the hosting environment Flashpoint reported in a future update, but it does not plan to change the iframe behaviour itself.
Bitwarden says that they accept iframe autofilling because many popular websites use this model, but the feature is not enabled by default and includes a warning message for this reason.