Four-year-old iframe flaw allows hackers to steal Bitwarden passwords

A close up shot of someone pressing a keyboard key on a laptop covered in blue and red lighting
(Image credit: Getty Images)

Bitwarden’s autofill feature contains a flaw which could allow websites to steal users’ passwords.

The password manager browser extension handles embedded iframes on a web page in an atypical manner, according to new research from cyber security firm Flashpoint.

Researchers found that Bitwarden’s browser extension auto-fills forms that are in an embedded iframe even if they are from different domains.

Inline frames - 'iframes' - are a common component of webpages and part of the HTML markup language. They allow web pages to include content from external sources.

various different types of content can be stored in an iframe, including simple interfaces with text fields to input login credentials.

“While the embedded iframe does not have access to any content in the parent page, it can wait for input to the login form and forward the entered credentials to a remote server without further user interaction,” stated Flashpoint.

The researchers explained that they are aware of regular, uncompromised, websites that use embedded external iframes for a number of reasons, including advertising.

“This means that an attacker does not necessarily need to compromise the website itself - they just need to be in control of the iframe content,” they explained.

Despite this, Flashpoint found that there weren’t many websites that embedded an iframe on the login page, which lowers the risk.

However, it also found that default URI matching, which is how a browser extension knows when to auto-fill logins, combined with unsecured auto-fill behaviour, can lead to two possible attack vectors.

The first is if an uncompromised website embeds an external iframe, which an attacker controls, and enables the ‘Auto-fill on page load’ option. The second is if an attacker hosts a web page under a subdomain.

“In our research, we confirmed that a couple of major websites provide this exact environment,” said Flashpoint. “If a user with a Bitwarden browser extension visits a specially crafted page hosted in these web services, an attacker is able to steal the credentials stored for the respective domain.”

Upon contacting Bitwarden, Flashpoint revealed, to its surprise, that the company knew about the issue as far back as November 2018.

Bitwarden published a Security Assessment Report in which the issue, named BWN-01-001 by the password manager, was detailed. Flashpoint researchers said that this means the issue has been documented and public for more than four years.

“Since Bitwarden does not check each iframe’s URL, it is possible for a website to have a malicious iframe embedded which Bitwarden will autofill with the 'top-level' website credentials,” the report read.

“Unfortunately, there are legitimate cases where websites will include iframe login forms from a separate domain than their 'parent' website’s domain.”

Bitwarden said in the report that no action was planned at the time.

“If a website is embedding a malicious iframe from another domain, we can assume that website (or device) is already in a compromised state and that efforts from Bitwarden to try to mitigate the leaking of credentials for that website would likely not help,” Flashpoint said. “Additionally, by default Bitwarden does not autofill information without a user’s consent.”

Flashpoint believes that Bitwarden’s 2018 assessment of the issue is invalid, due to how important compromised credentials are for attackers to gain access to a user or organisation. Researchers created and provided two examples to Bitwarden to show how the issue could be exploited.

RELATED RESOURCE

Trend Micro security predictions for 2023

Prioritise cyber security strategies on capabilities rather than costs

FREE DOWNLOAD

Bitwarden confirmed to IT Pro that it has been aware of the issue since 2018.

“Bitwarden accepts iframe auto-filling because many popular websites use this model, for example icloud.com uses an iframe from apple.com,” a spokesperson said. “So there are perfectly valid use cases where login forms are in an iframe under a different domain.”

The company added that the autofill feature described by Flashpoint is not enabled by default.

There is also a warning message that appears on the password manager which reads “>Warning: This feature is disabled by default because, while generally safe, compromised or untrusted websites could take advantage of this to steal credentials”.

Flashpoint said that Bitwarden plans to exclude the reported hosting environment from its auto-fill function, but doesn’t plan to make any changes to the way iframes work.

Only one attack vector has been addressed instead of the root cause of the issue, the researchers said.

“It should also be noted that a brief evaluation of other password manager extensions shows that none of those will auto-fill iframes from different origins or show warnings for iframes from different origins. This currently appears to be unique to Bitwarden’s product,” they added.

Zach Marzouk

Zach Marzouk is a former ITPro, CloudPro, and ChannelPro staff writer, covering topics like security, privacy, worker rights, and startups, primarily in the Asia Pacific and the US regions. Zach joined ITPro in 2017 where he was introduced to the world of B2B technology as a junior staff writer, before he returned to Argentina in 2018, working in communications and as a copywriter. In 2021, he made his way back to ITPro as a staff writer during the pandemic, before joining the world of freelance in 2022.