Bitwarden’s credentials autofill feature contains risky behavior that could allow malicious iframes embedded in trusted websites to steal people’s credentials and send them to an attacker.

The issue was reported by analysts at Flashpoint, who said Bitwarden first learned of the issue in 2018, but opted to allow it to host legitimate sites using iframes.

Although the autofill feature is disabled on Bitwarden by default and the conditions for exploiting it are not plentiful, Flashpoint says there are still websites that meet the requirements that motivated malicious actors can attempt to exploit. exploit these flaws.

Autofill (un)conditional

Bitwarden is a popular open-source password manager service with a web browser extension that stores secrets such as usernames and account passwords in an encrypted vault.

When its users visit a website, the extension detects if there is a stored login for that domain and offers to fill in the credentials. If the autofill option is enabled, it automatically fills them when the page loads without the user having to do anything.

When analyzing Bitwarden, Flashpoint researchers found that the extension also auto-fills forms defined in embedded iframes, even those from external domains.

“Although the embedded iframe does not have access to any parent page content, it can wait for input in the login form and pass the entered credentials to a remote server without further user interaction”, explains Flashpoint.

Flashpoint investigated the frequency of embedding iframes on the login pages of high-traffic websites and reported that the number of risk cases was very low, which significantly reduced the risk.

However, a second issue discovered by Flashpoint when investigating the iframes issue is that Bitwarden will also auto-fill credentials on subdomains of the base domain corresponding to a login.

This means that an attacker hosting a phishing page under a subdomain that matches a stored login for a given base domain will capture credentials when the victim visits the page if autofill is enabled.

“Some content hosting providers allow arbitrary content to be hosted under a subdomain of their official domain, which also serves as their login page,” Flashpoint explains in The report.

“As an example, if a company has a login page at https://logins.company.tld and allows users to serve content under https://.company.tld, these users can steal credentials from Bitwarden Extensions.”

Registering a subdomain that matches the base domain of a legitimate website is not always possible, reducing the severity of the problem.

However, some services allow users to create subdomains to host content, such as free hosting services, and the attack is still possible via subdomain hijacking.

Bitwarden’s response

Bitwarden points out that the autofill feature is a potential risk and even includes an important warning in its Documentationspecifically mentioning the likelihood of compromised sites abusing the autofill feature to steal credentials.

This risk was first highlighted in a Security assessment dated November 2018, so Bitwarden has been aware of the security issue for some time now.

However, since users need to connect to services using embedded iframes from external domains, Bitwarden engineers decided to keep the behavior unchanged and add a warning on the software documentation and the extension’s relevant settings menu.

​

In response to Flashpoint’s second report on URI handling and how autofill handles subdomains, Bitwarden promised to block autofill on the reported hosting environment in a future update, but did not. does not plan to change the iframe functionality.

When BleepingComputer contacted Bitwarden about the security risk, they confirmed that they had been aware of this issue since 2018 but did not change the functionality because login forms on legitimate sites use iframes.

“Bitwarden supports iframe autofill because many popular websites use this template, e.g. icloud.com uses an iframe of apple.com“, Bitwarden told BleepingComputer in a statement.

“So there are perfectly valid use cases where the login forms are in an iframe under a different domain.”

“The feature described for autofill in the blog post is NOT enabled by default in Bitwarden and there is a warning message about this feature for exactly this reason in the product and in the help documentation. https://bitwarden.com/help/auto-fill-browser/#on-page-load.”