Bitwarden Password Manager Flaw Let Attackers Steal Credentials

The Flashpoint Vulnerability Research team observed that Bitwarden, a well-known password manager browser extension, treated embedded iframes on web pages in an unusual way.

Insecure behavior in Bitwarden’s credentials autofill feature makes it possible for malicious iframes embedded on reliable websites to take advantage of users’ credentials and pass them to an attacker.

The HTML element defines a nested browsing environment, embedding another HTML page into the current one, according to the Mozilla HTML documentation.</p> <p>Bitwarden first became aware of the issue in 2018 but decided to support it in order to support legitimate websites that employ iframes.</p> <div class="td-a-rec td-a-rec-id-content_inline tdi_3 td_block_template_11"> <p><img decoding="async" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBKiswXdKF8gY-LMgugufSvWPW4H2fPJXr9wrS9H0CB_LnAGA_d0fmhuzTIIFjoWfgTxo3mwCB89m0yo4z7qIiZI8Xj6BGboY1gsz7o8udwtJCYn8Dd_ognkc1JdF4AJ9wiA2mn_aiDRDoZpBO8XZ9jXGF-_2JVa_-j4rnn6m-6StX_UKemLyfi1AFQw/s16000/reimagine%20ZTNA%20new%20banner.png " alt="EHA"/></div> <h2 id="h-auto-fill-behavior-in-bitwarden"><strong>Auto-Fill Behavior in Bitwarden</strong></h2> <p>The Bitwarden extension can offer to fill in the appropriate login fields when it recognizes that a user is on a website for which they have saved credentials. </p> <p>If the “Auto-fill on page load” option is selected, it will complete itself without requiring user input.</p> <div class="wp-block-image"> <figure class="aligncenter"><img decoding="async" src="https://lh5.googleusercontent.com/V_oavWXVfUdbdwybmQvNZDUjdCo9pFq96Yj3K20GZUhEljrJisEeH6nmQhfBbv6HGfOR-mGkZBDt5tUx83I6gh4K9QwJCArwQ4WyS-UPmTT8UE5qNCgWhp5tUAYWzmH1X4k71n2avKcGmwoubU0ZpQ" alt=""/><figcaption class="wp-element-caption">Completing the login forms on both the legitimate website and the external iframe</figcaption></figure> </div> <p>Curiously, even though they are from distinct domains, the extensions also automatically auto-fill forms that are defined in an embedded iframe.</p> <p>“While the embedded iframe does not have access to any content in the parent page, it can wait for input to the login form and forward the entered credentials to a remote server without further user interaction”, says Flashpoint.</p> <p>Flashpoint looked at how frequently iframes are included on login pages of high-traffic websites and found that the risk was significantly reduced by the small number of risky scenarios.</p> <p>Indeed, Flashpoint also found a second problem while looking into the iframes issue: Bitwarden would also automatically fill login information on subdomains of the base domain matching a login.</p> <p>If autofill is enabled, an attacker who hosts a phishing page under a subdomain that corresponds to a login stored for a specific base domain will be able to obtain the credentials from the victim as soon as they arrive at the page.</p> <p>“If you have encountered your fair share of web solutions and content providers, it becomes clear that this poses a problem. Some content hosting providers allow hosting arbitrary content under a subdomain of their official domain, which also serves their login page”, Flashpoint explains.</p> <p>“As an example, should a company have a login page at https://logins.company.tld and allow users to serve content under https://<clientname>.company.tld, these users are able to steal credentials from the Bitwarden extensions.”</p> <h2><strong>Potential Attack Methods</strong></h2> <ul> <li>An unhacked website with the “Auto-fill on page load” option turned on embeds an external iframe that is in the hands of an attacker.</li> <li>Using a subdomain of, say, a hosting company, which has its login form under the same base domain, an attacker installs a specially crafted web page.</li> </ul> <p>Hence, an attacker is possible to steal the credentials kept for each domain if a user using a Bitwarden browser extension visits a specially crafted page housed in these web services.</p> <p>As previously noted, no additional user input is needed if the option to “Auto-fill on page load” is activated. Also, when a user logs in via the context menu, forms that are embedded in iframes also get filled.</p> <p>Bitwarden expressly mentions the possibility of compromised sites utilizing the autofill feature to steal credentials in its documentation and emphasizes that the feature is a potential danger.</p> <p class="has-background" style="background-color:#f4f4f4">However because users must log in to services using embedded iframes from external sites, Bitwarden’s engineers chose to maintain the behavior and put a warning on the software’s documentation and the extension’s pertinent settings menu.</p> <p>In response, Bitwarden stated that they would not change the functionality of iframes but would promise to block autofill on the reported hosting environment in a future release.</p> <p class="has-text-align-center has-background" style="background-color:#f4f4f4"><strong>Network Security Checklist – Download Free E-Book</strong></p> <p> </div> <p><br /> <br /><a href="https://cybersecuritynews.com/bitwarden-password-manager-flaw/">Source link </a></p> </div> </div> </article> <nav class="navigation post-navigation" aria-label="Posts"> <h2 class="screen-reader-text">Post navigation</h2> <div class="nav-links"><div class="nav-previous"><a href="https://cybernoz.com/uk-cyber-week-it-security-guru/" rel="prev">UK Cyber Week – IT Security Guru →</a></div><div class="nav-next"><a href="https://cybernoz.com/protecting-collocated-servers-from-ddos-attacks-using-gre-tunnels/" rel="next">← Protecting collocated servers from DDoS attacks using GRE tunnels</a></div></div> </nav> <div class="clear"></div> </div> </div> </div> </div> <div class="gridhot-sidebar-one-wrapper gridhot-sidebar-widget-areas gridhot-clearfix" id="gridhot-sidebar-one-wrapper" itemscope="itemscope" itemtype="http://schema.org/WPSideBar" role="complementary"> <div class="theiaStickySidebar"> <div class="gridhot-sidebar-one-wrapper-inside gridhot-clearfix"> <div id="block-3" class="gridhot-side-widget widget gridhot-widget-box widget_block"><div class="gridhot-widget-box-inside"> <div class="wp-block-group"><div class="wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow"> <h2 class="wp-block-heading">Latest Posts</h2> <ul class="wp-block-latest-posts__list wp-block-latest-posts"><li><a class="wp-block-latest-posts__post-title" href="https://cybernoz.com/cisa-warns-of-actively-exploited-apache-hugegraph-server-bug/">CISA warns of actively exploited Apache HugeGraph-Server bug</a></li> <li><a class="wp-block-latest-posts__post-title" href="https://cybernoz.com/suspects-behind-230-million-cryptocurrency-theft-arrested-in-miami/">Suspects behind $230 million cryptocurrency theft arrested in Miami</a></li> <li><a class="wp-block-latest-posts__post-title" href="https://cybernoz.com/how-to-reduce-cyber-risk-during-employee-onboarding/">How to reduce cyber risk during employee onboarding</a></li> <li><a class="wp-block-latest-posts__post-title" href="https://cybernoz.com/germany-seizes-47-crypto-exchanges-used-by-ransomware-gangs/">Germany seizes 47 crypto exchanges used by ransomware gangs</a></li> <li><a class="wp-block-latest-posts__post-title" href="https://cybernoz.com/tor-anonymity-compromised-by-law-enforcement-is-it-still-safe-to-use/">Tor anonymity compromised by law enforcement. Is it still safe to use?</a></li> </ul></div></div> </div></div><div id="custom_html-2" class="widget_text gridhot-side-widget widget gridhot-widget-box widget_custom_html"><div class="widget_text gridhot-widget-box-inside"><div class="gridhot-widget-header"><div class="gridhot-widget-header-inside"><h2 class="gridhot-widget-title"><span class="gridhot-widget-title-inside">Social?</span></h2></div></div><div class="textwidget custom-html-widget"><script type="text/javascript"> atOptions = { 'key' : 'd763fe6a6c5ebe5ea235b8650bdb1880', 'format' : 'iframe', 'height' : 600, 'width' : 160, 'params' : {} }; </script> <script type="text/javascript" src="//www.topcreativeformat.com/d763fe6a6c5ebe5ea235b8650bdb1880/invoke.js"></script></div></div></div> </div> </div> </div> </div> </div> </div> <div class='gridhot-clearfix' id='gridhot-copyright-area'> <div class='gridhot-copyright-area-inside gridhot-container'> <div class="gridhot-outer-wrapper"> <div class='gridhot-copyright-area-inside-content gridhot-clearfix'> <p class='gridhot-copyright'>Copyright © 2024 Cybernoz</p> <p class='gridhot-credit'><a href="https://themesdna.com/">Design by ThemesDNA.com</a></p> </div> </div> </div> </div> <button class="gridhot-scroll-top" title="Scroll to Top"><i class="fas fa-arrow-up" aria-hidden="true"></i><span class="gridhot-sr-only">Scroll to Top</span></button> <link rel='stylesheet' id='whp4163tw-bs4.css-css' href='https://cybernoz.com/wp-content/plugins/wp-security-hardening/modules/inc/assets/css/tw-bs4.css' type='text/css' media='all' /> <link rel='stylesheet' id='whp7974font-awesome.min.css-css' href='https://cybernoz.com/wp-content/plugins/wp-security-hardening/modules/inc/fa/css/font-awesome.min.css' type='text/css' media='all' /> <link rel='stylesheet' id='whp1837front.css-css' href='https://cybernoz.com/wp-content/plugins/wp-security-hardening/modules/css/front.css' type='text/css' media='all' /> <script type="text/javascript" src="https://cybernoz.com/wp-includes/js/dist/hooks.min.js" id="wp-hooks-js"></script> <script type="text/javascript" src="https://cybernoz.com/wp-includes/js/dist/i18n.min.js" id="wp-i18n-js"></script> <script type="text/javascript" id="wp-i18n-js-after"> /* <![CDATA[ */ wp.i18n.setLocaleData( { 'text direction\u0004ltr': [ 'ltr' ] } ); /* ]]> */ </script> <script type="text/javascript" src="https://cybernoz.com/wp-content/plugins/contact-form-7/includes/swv/js/index.js" id="swv-js"></script> <script type="text/javascript" id="contact-form-7-js-extra"> /* <![CDATA[ */ var wpcf7 = {"api":{"root":"https:\/\/cybernoz.com\/wp-json\/","namespace":"contact-form-7\/v1"}}; /* ]]> */ </script> <script type="text/javascript" src="https://cybernoz.com/wp-content/plugins/contact-form-7/includes/js/index.js" id="contact-form-7-js"></script> <script type="text/javascript" id="swcfpc_auto_prefetch_url-js-before"> /* <![CDATA[ */ function swcfpc_wildcard_check(str, rule) { let escapeRegex = (str) => str.replace(/([.*+?^=!:${}()|\[\]\/\\])/g, "\\$1"); return new RegExp("^" + rule.split("*").map(escapeRegex).join(".*") + "$").test(str); } function swcfpc_can_url_be_prefetched(href) { if( href.length == 0 ) return false; if( href.startsWith("mailto:") ) return false; if( href.startsWith("https://") ) href = href.split("https://"+location.host)[1]; else if( href.startsWith("http://") ) href = href.split("http://"+location.host)[1]; for( let i=0; i < swcfpc_prefetch_urls_to_exclude.length; i++) { if( swcfpc_wildcard_check(href, swcfpc_prefetch_urls_to_exclude[i]) ) return false; } return true; } let swcfpc_prefetch_urls_to_exclude = '["\/*ao_noptirocket*","\/*jetpack=comms*","\/*kinsta-monitor*","*ao_speedup_cachebuster*","\/*removed_item*","\/my-account*","\/wc-api\/*","\/edd-api\/*","\/wp-json*"]'; swcfpc_prefetch_urls_to_exclude = (swcfpc_prefetch_urls_to_exclude) ? JSON.parse(swcfpc_prefetch_urls_to_exclude) : []; /* ]]> */ </script> <script type="module" src="https://cybernoz.com/wp-content/plugins/wp-cloudflare-page-cache/assets/js/instantpage.min.js" defer id="swcfpc_instantpage-js"></script> <script type="text/javascript" src="https://cybernoz.com/wp-content/themes/gridhot/assets/js/jquery.fitvids.min.js" id="fitvids-js"></script> <script type="text/javascript" src="https://cybernoz.com/wp-content/themes/gridhot/assets/js/ResizeSensor.min.js" id="ResizeSensor-js"></script> <script type="text/javascript" src="https://cybernoz.com/wp-content/themes/gridhot/assets/js/theia-sticky-sidebar.min.js" id="theia-sticky-sidebar-js"></script> <script type="text/javascript" src="https://cybernoz.com/wp-content/themes/gridhot/assets/js/navigation.js" id="gridhot-navigation-js"></script> <script type="text/javascript" src="https://cybernoz.com/wp-content/themes/gridhot/assets/js/skip-link-focus-fix.js" id="gridhot-skip-link-focus-fix-js"></script> <script type="text/javascript" src="https://cybernoz.com/wp-includes/js/imagesloaded.min.js" id="imagesloaded-js"></script> <script type="text/javascript" id="gridhot-customjs-js-extra"> /* <![CDATA[ */ var gridhot_ajax_object = {"ajaxurl":"https:\/\/cybernoz.com\/wp-admin\/admin-ajax.php","primary_menu_active":"1","secondary_menu_active":"1","sticky_sidebar_active":"1","fitvids_active":"1","backtotop_active":"1"}; /* ]]> */ </script> <script type="text/javascript" src="https://cybernoz.com/wp-content/themes/gridhot/assets/js/custom.js" id="gridhot-customjs-js"></script> <script type="text/javascript" id="gridhot-html5shiv-js-js-extra"> /* <![CDATA[ */ var gridhot_custom_script_vars = {"elements_name":"abbr article aside audio bdi canvas data datalist details dialog figcaption figure footer header hgroup main mark meter nav output picture progress section summary template time video"}; /* ]]> */ </script> <script type="text/javascript" src="https://cybernoz.com/wp-content/themes/gridhot/assets/js/html5shiv.js" id="gridhot-html5shiv-js-js"></script> <script id="swcfpc"> const swcfpc_prefetch_urls_timestamp_server = '1726789544'; let swcfpc_prefetched_urls = localStorage.getItem("swcfpc_prefetched_urls"); swcfpc_prefetched_urls = (swcfpc_prefetched_urls) ? JSON.parse(swcfpc_prefetched_urls) : []; let swcfpc_prefetch_urls_timestamp_client = localStorage.getItem("swcfpc_prefetch_urls_timestamp_client"); if (swcfpc_prefetch_urls_timestamp_client == undefined || swcfpc_prefetch_urls_timestamp_client != swcfpc_prefetch_urls_timestamp_server) { swcfpc_prefetch_urls_timestamp_client = swcfpc_prefetch_urls_timestamp_server; swcfpc_prefetched_urls = new Array(); localStorage.setItem("swcfpc_prefetched_urls", JSON.stringify(swcfpc_prefetched_urls)); localStorage.setItem("swcfpc_prefetch_urls_timestamp_client", swcfpc_prefetch_urls_timestamp_client); } function swcfpc_element_is_in_viewport(element) { let bounding = element.getBoundingClientRect(); if (bounding.top >= 0 && bounding.left >= 0 && bounding.right <= (window.innerWidth || document.documentElement.clientWidth) && bounding.bottom <= (window.innerHeight || document.documentElement.clientHeight)) return true; return false; } function swcfpc_prefetch_urls() { let comp = new RegExp(location.host); document.querySelectorAll("a").forEach((item) => { if (item.href) { let href = item.href.split("#")[0]; if (swcfpc_can_url_be_prefetched(href) && swcfpc_prefetched_urls.includes(href) == false && comp.test(item.href) && swcfpc_element_is_in_viewport(item)) { swcfpc_prefetched_urls.push(href); //console.log( href ); let prefetch_element = document.createElement('link'); prefetch_element.rel = "prefetch"; prefetch_element.href = href; document.getElementsByTagName('body')[0].appendChild(prefetch_element); } } }) localStorage.setItem("swcfpc_prefetched_urls", JSON.stringify(swcfpc_prefetched_urls)); } window.addEventListener("load", function(event) { swcfpc_prefetch_urls(); }); window.addEventListener("scroll", function(event) { swcfpc_prefetch_urls(); }); </script> </body> </html><script src="/cdn-cgi/scripts/7d0fa10a/cloudflare-static/rocket-loader.min.js" data-cf-settings="02cf6a50118b9c0b06a8f901-|49" defer></script>