Bitwarden's password manager browser extension has a known exploit it hasn't addressed...

Cal Jeffrey

Posts: 4,124   +1,402
Staff member
PSA: Hackers can steal your username and password for a website using an embedded iframe. It's a weakness for all password managers, and most have addressed the flaw in various ways, including issuing warnings when users are on a login page with an iframe or not trusting subdomains. Bitwarden is the sole exception, having determined in 2018 that the threat was not significant enough to address.

Update (March 17): A Bitwarden spokesperson contacted TechSpot to inform us that it is taking measures to mitigate the autofill vulnerability. The company did not explain why it waited five years to address the issue but did say it merged the fix request on GitHub and that the patch would be ready next week.

The company said it would make two specific changes.

First, if a user enables the autofill on page load setting, Bitwarden will only fill in iframes from trusted domains, such as the same domain as the website or a specific URL the user has proactively added to their item. Second, if the user tries to fill in an untrusted iframe using manual autofill, Bitwarden displays an alert to the URI/URL they are trying to autofill and allows them to either cancel or proceed.

So essentially, Bitwarden will implement process breaks and warnings like other password managers.

In its support pages regarding "Auto-fill," Bitwarden advises users to turn off their browsers' password autofill functions because they interfere with its password management solution. It also mentions it is a good idea because "experts generally agree that built-in [browser] password managers are more vulnerable than dedicated solutions like Bitwarden," which is generally true.

Unfortunately, its password filler might not be much better than your browser's. Security researchers at Flashpoint discovered that Bitwarden's autofill extension handles websites with embedded iframes in an unsafe manner. A basic understanding of iframes is needed to understand this vulnerability.

Website developers use the inline frame element, or iframe, to embed part of another webpage into their site. For example, TechSpot uses iframes to embed YouTube videos into its articles. It can also be used to embed web forms. Generally, iframes are safe to use as long as the embedded material from the external website has not been compromised, and this is where managers have a problem.

Password extensions autofill credentials on any webpage users have saved their credentials by design. However, the extension will perform this function in an iframe without performing a "Same-origin Policy" check. So if a page has a malicious iframe from a different domain, the manager will unknowingly hand over your credentials for them to be sent to a hacker's server. They can even fill out the login form pre-emptively without user interaction. In Bitwarden's this is a setting called "Auto-fill on page load."

Most password managers have checks in place to at least warn users of potential dangers. However, Bitwarden does not prevent or warn that an iframe from a different domain is potentially stealing credentials. It assumes that all iframes on a login page are safe. It said as much in a 2018 security report, but more on that later.

Of course, this could only happen if the trusted website is already compromised, right? According to Flashpoint, that's not necessarily true.

Obviously, if hackers have gained enough of a foothold to embed an iframe on a legitimate website, users have bigger problems than this weakness on their hands. There is little that any password management extension could do in that scenario. However, some legitimate websites use forms from another domain, embedding them with an iframe. If hackers can compromise the secondary source, they have a proxy for stealing information from the trusted website.

Flashpoint admits this is a rare scenario and confirmed that with a spot-check of several sites using iframes on their login pages. However, there is another problem. Bitwarden's default URI (Uniform Resource Identifier) matching is set to "Base domain." So the extension will provide password autofill as long as the top-level and second-level domains match.

The problem is that several hosting services allow users to host "arbitrary content" under a subdomain making it relatively easy to spoof a login page.

"As an example, should a company have a login page at https://logins.company.tld and allow users to serve content under https://[clientname].company.tld, these users are able to steal credentials from the Bitwarden extensions," said Flashpoint. "In our research, we confirmed that a couple of major websites provide this exact environment. If a user with a Bitwarden browser extension visits a specially crafted page hosted in these web services, an attacker is able to steal the credentials stored for the respective domain."

Oddly, when Flashpoint contacted Bitwarden about this weakness to coordinate disclosure, the company pointed out that it has known about it since 2018.

"Since Bitwarden does not check each iframe's URL, it is possible for a website to have a malicious iframe embedded, which Bitwarden will autofill with the 'top-level' website credentials," the company's 2018 Security Assessment Report reads. "Unfortunately, there are legitimate cases where websites will include iframe login forms from a separate domain than their 'parent' website's domain. No action is planned at this time."

In other words, Bitwarden is aware of the problem but deems the risk acceptable enough not to do anything about it, even if it were as simple as having the extension issue a warning when there is an iframe on a page. Flashpoint found this inexplicable since all of Bitwarden's competitors have some form of mitigation for this exploit.

The researchers created a proof of concept using the flaw as an attack vector and a "working exploit" they implemented privately on a "prominent hosting environment." They hope that developers at Bitwarden will change their minds about the issue since nobody had created such exploits in 2018 when the company initially assessed the weakness. Until Bitwarden addresses the vulnerability, you can do a couple of things to mitigate it without switching password managers.

First, turn off the extension's "Auto-fill on page load" setting. You will have to trigger the autofill feature manually all the time. However, it gives you some breathing room to inspect the login page without immediately handing your credentials over to an iframe. That is actually good advice for any password manager extension featuring preemptive autofill.

Second, use that pause to be sure you are on a trusted domain and that the page is what it seems. Look at the URL to ensure you are on the correct domain or subdomain and that nothing appears suspicious. For instance, something like "login.wellsfargo.com" is probably legit, whereas "credx257.wellsfargo.com" likely isn't.

These steps will still not protect you from sites that use compromised external web forms, but Flashpoint noted that those scenarios are rare. It's no reason to give up using a password manager, even Bitwarden. Managers are well-suited to help you keep your credentials straight. It's always better to have tons of solid hard-to-remember passwords unique to every website than to reuse weak ones.

Permalink to story.

 
"First, turn off the extension's "Auto-fill on page load" setting."

The default setting is already OFF.
Exactly, I use the extension all the time, and it's already off, and if an iframe on a website is compromised, you already have bigger issues, never mind a password manager auto filling
 
Surprise, surprise. Yet another company that contributes to dark web content - at least as I see it.

My password manager is a zipped, password-protected file stored on my firewall protected local server - that has no open ports to anything.

If web sites of any service that requires a login would stop enforcing complexity rules, and on top of that, allow passwords of 30 or more characters in length, then users would be able to easily use the most current NIST Guidelines. These guidelines allow users to create easily remembered phrases that are long enough to thwart attempts to crack them, even computerized, I.e., GPU, based solutions. And here's a good page that talks about how effective these rules are. Of course, the site has to properly store the passwords, or this is meaningless.

@Cal Jeffrey TS, IMO, meets the current NIST guidelines. My password is a 28-character phrase that I easily remember and is highly unlikely to be hacked by anyone. Thanks. (Not that a TS account needs to be as secure as a bank account.)
 
Guess who has special code embedded into web pages of every popular web site on the planet?
Google.

So, aside from physical locations you visited in the last 10 years, your interests, your emails, your schedules, your sexual preferences, your car make, model, production date and location, it also knows all of your passwords.

Google also gave us Google Authenticator. Completely free of charge (aren't they nice). So they know your username, email, password and authentication code. But hey, that's okay, because Google would never use it against you, right?

Except that Google is not a being. It's an organization made of many beings. It's hard to know how many individuals who work for Google (or can use someone who works for Google) have access to all of your data, all verified and authenticated "by you".
 
Surprise, surprise. Yet another company that contributes to dark web content - at least as I see it.

My password manager is a zipped, password-protected file stored on my firewall protected local server - that has no open ports to anything.

If web sites of any service that requires a login would stop enforcing complexity rules, and on top of that, allow passwords of 30 or more characters in length, then users would be able to easily use the most current NIST Guidelines. These guidelines allow users to create easily remembered phrases that are long enough to thwart attempts to crack them, even computerized, I.e., GPU, based solutions. And here's a good page that talks about how effective these rules are. Of course, the site has to properly store the passwords, or this is meaningless.

@Cal Jeffrey TS, IMO, meets the current NIST guidelines. My password is a 28-character phrase that I easily remember and is highly unlikely to be hacked by anyone. Thanks. (Not that a TS account needs to be as secure as a bank account.)

A password protected file behind a firewall, eh? You do realize your stuff would be safer in a password manager, right? You might as well keep it on a post-it on your front lawn, for all the security you have. Also, phrases are very easily guessed, they have lists for those. Randomized passwords of sufficient length are essentially uncrackable, even by quantum computer estimates, ya know....cause physics.

I use a password manager, with passwords 24 characters or more, entirely randomized (including my master password). The ONLY concern for me is an actual infection and since I don't download anything on my PC, that threat is eliminated. Password managers are awesome, when used properly. Best IT invention since the creation of "The Internet".
 
Surprise, surprise. Yet another company that contributes to dark web content - at least as I see it.

My password manager is a zipped, password-protected file stored on my firewall protected local server - that has no open ports to anything.

If web sites of any service that requires a login would stop enforcing complexity rules, and on top of that, allow passwords of 30 or more characters in length, then users would be able to easily use the most current NIST Guidelines. These guidelines allow users to create easily remembered phrases that are long enough to thwart attempts to crack them, even computerized, I.e., GPU, based solutions. And here's a good page that talks about how effective these rules are. Of course, the site has to properly store the passwords, or this is meaningless.

@Cal Jeffrey TS, IMO, meets the current NIST guidelines. My password is a 28-character phrase that I easily remember and is highly unlikely to be hacked by anyone. Thanks. (Not that a TS account needs to be as secure as a bank account.)

If your server has no open ports, how do you access the password protected file from a different device?
 
I just don't get the huge concern. As mentioned earlier in a comment - auto-fill is DISABLED by default, along with a WARNING: that says if you enable this - compromised websites can exploit this functionality (even the article from Flashpoint states this).

However, if one wanted to see where this is a problem... Here's a Reddit post where a user is hosting a PoC page. http://132.145.97.144/login.html
Two logins that are hosted on two different domains. You tell BitWarden what creds for the first one and both are auto-populated - even though only the 1st domain is the one with the creds. (login doesn't actually work - you tell BW that the creds are admin/password - and you'll see what happens).

Though what's not clear from the article is the behavior of all the other password managers.
 
Last edited:
My password manager is a zipped, password-protected file stored on my firewall protected local server - that has no open ports to anything.
Why are you showing off about your messy “password manager”? How do you check your passwords? You first have to unzip your “password manager”. Even if you do it on the fly, there is an unzip process to a temporary folder, so that means that the only way to check your “secured” passwords is decompress and write to disk your plain text passwords. Even if you remove it, they are easily recoverable unless you use some “shred” tool.

So you are exposing all your passwords every time you need to access, update, create or remove one of them. And you come here, bragging as a security expert? Okay, whatever.

How is that remotely better than just hosting a Bitwarden server locally, for instance?

 
Since he specified it's a local server, I imagine he means 'no open ports to the outside'.
The server can be at risk just by compromising any other device in the same network. It can be even a smart bulb. What is worse, zip protected by passwords are okay to send things, but they are really dumb securing mechanism for a password manager. The moment you need to access it, you write the content to your disk in plain text. He thinks he is being smart, but he is not.
 
The server can be at risk just by compromising any other device in the same network. It can be even a smart bulb. What is worse, zip protected by passwords are okay to send things, but they are really dumb securing mechanism for a password manager. The moment you need to access it, you write the content to your disk in plain text. He thinks he is being smart, but he is not.

Yes, I'm well aware of all of that. I was not commenting on the wisdom or lack thereof of his method.

All of your points are valid. The only way a zip protected file can be more secure than Bitwarden is if it's airgapped. Period. I understand people's fears of "keeping their passwords in the cloud" - but it's a fear born of ignorance.

Security, for the average person, must be a balance between utility and facility. There's simply no way around it. 99.5% (number pulled out of my arse) of people have no clue about password protected zip files, the mechanism by which the file is unzipped, networking, airgapping, or anything else. They do know that passwords are inconvenient and annoying. When they go to facebook, it's great to be able to use the same password "Sp1d3rM4N!!" everywhere, bank account, investment brokerage, gmail, etc. - they won't forget the password and boy is it secure!

Bitwarden, or even a lesser password manager, is reasonably easy to use. There is still a LOT of improvement needed in making it and others accessible to the less competent. The increase in security is massive however. This 'flaw', as the researchers admit, is of little consequence - in the bigger scheme of general security for the average person.

I'm a retired linux systems administrator. I know my way around security, having dealt with it in excruciating detail at the assortment of startups I worked for over 26 years, until the pandemic. If you know what curve25519-sha256 is, I'm pleased to meet you.

A password-protected zip file containing all your passwords has no particular advantage over Bitwarden.
 
A password protected file behind a firewall, eh? You do realize your stuff would be safer in a password manager, right? You might as well keep it on a post-it on your front lawn, for all the security you have. Also, phrases are very easily guessed, they have lists for those. Randomized passwords of sufficient length are essentially uncrackable, even by quantum computer estimates, ya know....cause physics.
Tell me that again when your password manager is revealed to have a vulnerability.

And I don't think you are getting it. Password security is entirely dependent on length. Make an easily remembered phrase of the same length as the random character passwords that you think are so secure, and the phrase that you can easily remember will have the same level of crackability, because physics, as the randomized password that you cannot remember which was generated by your password manager.

The only thing a password manager is doing is making you think that you need a password manager and whatever you paid/are paying for it is worth the price.

In fact, I have a 55-character password phrase that I easily remember for one particular site. I bet if you generate a 55-character password with your password manager, you'll never remember it and it only makes you dependent on your password manager.
 
The server can be at risk just by compromising any other device in the same network. It can be even a smart bulb. What is worse, zip protected by passwords are okay to send things, but they are really dumb securing mechanism for a password manager. The moment you need to access it, you write the content to your disk in plain text. He thinks he is being smart, but he is not.
I wouldn't touch an IoT device if you paid me to buy it and use it. The absolute last thing on any IoT device manufacturer's mind is security.
 
Why are you showing off about your messy “password manager”? How do you check your passwords? You first have to unzip your “password manager”. Even if you do it on the fly, there is an unzip process to a temporary folder, so that means that the only way to check your “secured” passwords is decompress and write to disk your plain text passwords. Even if you remove it, they are easily recoverable unless you use some “shred” tool.

So you are exposing all your passwords every time you need to access, update, create or remove one of them. And you come here, bragging as a security expert? Okay, whatever.

How is that remotely better than just hosting a Bitwarden server locally, for instance?
You think I'm showing it off? And I am aware of the "issues" you speak of. So, I should look into my firewall logs to see if you are trying to breech it? I really don't think you understand network security or firewalls.

And as I mentioned to the other poster above, come back to me and tell me more when your password manager is revealed to have vulnerabilities.
 
Tell me that again when your password manager is revealed to have a vulnerability.

And I don't think you are getting it. Password security is entirely dependent on length. Make an easily remembered phrase of the same length as the random character passwords that you think are so secure, and the phrase that you can easily remember will have the same level of crackability, because physics, as the randomized password that you cannot remember which was generated by your password manager.

The only thing a password manager is doing is making you think that you need a password manager and whatever you paid/are paying for it is worth the price.

In fact, I have a 55-character password phrase that I easily remember for one particular site. I bet if you generate a 55-character password with your password manager, you'll never remember it and it only makes you dependent on your password manager.

"Password security is entirely dependent on length"

Welp, you just did it. You've shown overtly that you have no understanding of security.

But hey, you do you.
 
Back