Hackers might be able to crack this top password manager and steal your logins
One of the most popular free password managers has a major security flaw that allows hackers to steal your credentials in an identity theft attack.
The auto-complete feature in the Bitwarden open-source password manager is the source of the problem, allowing malicious inline frames (iframes) embedded in trusted websites to capture your credentials.
Security analytics firm Flashpoint discovered the flaw, and claims that Bitwarden has known about it since 2018 but chose to ignore it and to keep allowing autofill on popular websites that use iframes.
Iframe hack
Iframes are HTML elements used to embed another web page into the current one. They are commonly used for advertising, web analytics, videos, and interactive content.
Flashpoint found that when the autofill feature, which is disabled by default in Bitwarden, is used on a web page containing an iframe, the credentials are automatically filled in on the parent page and then also in forms inside the iframe. If that iframe is controlled by an attacker, the credentials can be stolen, and this happens even when the iframe is served from a different domain.
While the embedded iframe cannot access any content on the parent page, it can wait for input in the login form and forward the entered credentials to a remote server without further user interaction.
However, Flashpoint found that the risk of such an attack was low, as many legitimate and popular websites do not contain iframes on their login pages.
A bigger concern, however, was that Bitwarden’s autocomplete feature would work even on subdomains of base domains for which you have a saved username and password.
These subdomains can be used in phishing scams where attackers create fake pages using subdomains of a legitimate website to steal your information. Flashpoint says this is possible because “some content hosting providers allow arbitrary content to be hosted under a subdomain of their official domain, which also serves their login page”.
Free hosting sites allow this kind of subdomain. Many legitimate domains do not let third parties register subdomains under them, but even then a subdomain can still be hijacked by an attacker.
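The two autofill decisions discussed above (whether to fill a form inside an iframe, and whether a saved login for a base domain should also fill on its subdomains) can be expressed as a small policy check. The code below is an added illustration and is not Bitwarden's own code; the "base domain" helper is a deliberate simplification (last two hostname labels) where a real password manager would consult the Public Suffix List.

```javascript
// Added example (not Bitwarden's implementation): an autofill policy that
// refuses to fill forms in cross-origin iframes and lets the caller choose
// between exact-host and base-domain matching of the saved entry.

// Simplified "base domain": the last two labels of the hostname.
// Assumption for this demo; real implementations use the Public Suffix List.
function baseDomain(hostname) {
  const labels = hostname.toLowerCase().split(".").filter(Boolean);
  return labels.length <= 2 ? labels.join(".") : labels.slice(-2).join(".");
}

// Decide whether a saved credential may be filled into a login form.
//   savedUrl: URL stored alongside the credential
//   topUrl:   URL of the top-level page the user navigated to
//   frameUrl: URL of the document that contains the form (equals topUrl when
//             the form is not inside an iframe)
//   mode:     "host" = exact hostname only, "base" = any subdomain of the
//             saved entry's base domain (the behaviour the article describes)
function shouldAutofill({ savedUrl, topUrl, frameUrl, mode = "host" }) {
  const saved = new URL(savedUrl);
  const top = new URL(topUrl);
  const frame = new URL(frameUrl);

  // 1. Never fill a form whose document origin differs from the top page.
  //    This blocks the third-party iframe that waits for input and forwards it.
  if (frame.origin !== top.origin) {
    return { fill: false, reason: `form is in a cross-origin iframe (${frame.origin})` };
  }

  // 2. Match the saved entry against the page the user is actually on.
  const matches =
    mode === "base"
      ? baseDomain(top.hostname) === baseDomain(saved.hostname)
      : top.hostname.toLowerCase() === saved.hostname.toLowerCase();

  if (!matches) {
    return { fill: false, reason: `${top.hostname} does not match saved ${saved.hostname} (${mode} match)` };
  }
  return { fill: true, reason: `${mode} match on ${top.hostname}` };
}

// Constructed sample scenarios (no real sites): a third-party iframe on the
// login page, and a user-controlled subdomain of a site that hosts its own login.
const scenarios = [
  { savedUrl: "https://example.test/login", topUrl: "https://example.test/login", frameUrl: "https://widgets.third-party.test/f" },
  { savedUrl: "https://example.test/login", topUrl: "https://user123.example.test/", frameUrl: "https://user123.example.test/", mode: "base" },
  { savedUrl: "https://example.test/login", topUrl: "https://user123.example.test/", frameUrl: "https://user123.example.test/", mode: "host" },
];
for (const s of scenarios) console.log(shouldAutofill(s));
```

Switching `mode` from `"base"` to `"host"` is the change that stops a saved login for the parent site from being filled on an arbitrary subdomain hosted by the same provider.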
Bitwarden does issue a warning when you enable the autofill feature, stating that “compromised or untrusted websites can take advantage of it to steal credentials”.
Despite the risk of iframe exploitation announced in November 2018, Bitwarden decided to keep the autocomplete feature on login pages with iframes, as many popular websites use them, “for example, icloud.com uses an iframe from apple.com,” Bitwarden told BleepingComputer.
However, when it comes to autofilling forms on subdomains, Bitwarden said it will release an update in the future to prevent autofill in hosting environments that allow it.