Bitwarden addresses autofill issue that could be exploited to steal logins
#1
Quote:

Bitwarden plans to roll out an update to its applications soon that addresses an autofill issue that threat actors could exploit to steal login information.

Bitwarden is a popular password management solution that is available for all major desktop and mobile platforms, as well as on the web directly. Like many competing products, Bitwarden supports convenience features to make the life of its users easier.

One of these features is the ability to auto-fill login information on websites to sign the user in automatically. The functionality is not enabled by default, but users may enable it in the application's settings. To Bitwarden's credit, it displays a warning next to the setting that the feature could potentially be exploited by compromised or untrusted websites.

Flashpoint security researchers discovered an issue with auto-fill that could be exploited to steal login information passively. All a user would have to do is visit specifically prepared websites and have auto-fill enabled. Bitwarden's auto-fill solution works on iframes, which are embedded webpages, and also on subdomains. Flashpoint noted that attackers could exploit this to forward login information to remote servers.

Security Tip: find out how to back up your Bitwarden password database.

Bitwarden's fix

Bitwarden created a fix for the issue that is documented on the company's official GitHub website. Bitwarden engineers addressed the issue by changing how autofill on page load works. It will still fill out login data automatically, but only on trusted domains. When users fill out data manually, they do get a warning prompt if the iframe is untrusted.

In other words, Bitwarden's auto-fill functionality has the following characteristics now:
  • Auto-fill on page load is disabled, just like before.
  • When a user enables the feature, Bitwarden will use the feature only for trusted domains and URLs that the user added specifically to the application. Trusted domains include domains that match the URL the user visited in the browser.
  • Bitwarden users who use manual auto-fill get a warning if they try to fill in an untrusted iframe. The application displays the URL in a popup, giving the user the option to proceed or cancel.
Bitwarden says that this "eliminates the iframe attack vector while still allowing convenient autofill functionality for sites that have trusted iframes".

Bitwarden users who have autofill on page load enabled do not need to do anything to benefit from the new feature. Next week's Bitwarden update includes the updated autofill on page load logic for all users of the password manager.

We have updated the original article to reflect the change.

Closing Words

Bitwarden reacted swiftly to the reports and has found a solution to keep the convenient feature while improving protection for its users.
...
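The before/after autofill logic the quoted article describes, as an added illustration that is not Bitwarden's own code. It assumes a simplified trust rule (a frame is trusted when its host equals the top-level page's host or matches a URI saved on the vault item) and uses constructed URLs; the `ctx` shape, `itemUris` and the function names are this example's own.

```javascript
// Added illustration, not Bitwarden's code: a minimal model of the autofill decision
// before and after the fix. Assumed trust rule: a frame is trusted when its host equals
// the top-level page's host or matches a URI saved on the vault item; anything else is not.

function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch { return null; }
}

// True when a saved vault-item URI has exactly this host.
function matchesItemUri(host, itemUris) {
  return itemUris.some((u) => hostOf(u) === host);
}

function isTrustedFrame(ctx) {
  const top = hostOf(ctx.topUrl);
  const frame = hostOf(ctx.frameUrl);
  if (!top || !frame) return false;
  return frame === top || matchesItemUri(frame, ctx.itemUris);
}

// Pre-fix behaviour as the article describes it: once the tab's URL matched the vault
// item, every iframe on the page was filled, including ones served by other hosts.
function legacyAutofillOnPageLoad(ctx) {
  if (!ctx.autofillOnLoadEnabled) return { action: "skip", reason: "feature disabled" };
  return matchesItemUri(hostOf(ctx.topUrl), ctx.itemUris)
    ? { action: "fill" }
    : { action: "skip", reason: "no matching item" };
}

// Post-fix behaviour: on page load, fill silently only inside trusted frames.
function autofillOnPageLoad(ctx) {
  if (!ctx.autofillOnLoadEnabled) return { action: "skip", reason: "feature disabled" };
  return isTrustedFrame(ctx) ? { action: "fill" } : { action: "skip", reason: "untrusted iframe" };
}

// Post-fix manual autofill: trusted frames are filled; an untrusted frame produces a
// prompt that shows the frame URL so the user can proceed or cancel.
function manualAutofill(ctx) {
  return isTrustedFrame(ctx) ? { action: "fill" } : { action: "prompt", frameUrl: ctx.frameUrl };
}

// Constructed scenario: the tab is on the legitimate site, but the login form sits in
// an iframe served from an unrelated host.
const scenario = {
  autofillOnLoadEnabled: true,
  topUrl: "https://example.com/login",
  frameUrl: "https://third-party.example/embedded-form",
  itemUris: ["https://example.com"],
};
console.log(legacyAutofillOnPageLoad(scenario).action, autofillOnPageLoad(scenario).action);
```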
#2
Bitwarden's unlock with PIN feature is convenient, but also a security risk