FlashPoint on Bitwarden password security

Bitwarden is a freemium open-source password management service that stores confidential information such as website credentials in an encrypted vault. However, there is now a heated debate about this service's browser plugins and their security against password theft.

The issue was raised by security researchers from the security provider FlashPoint, who published the article Bitwarden: The Curious (Use-)Case of Password Pilfering. In the blog post they point out a problem with the open source Bitwarden password manager. I have picked out the following tweet from the countless reports of the last few hours as an initial source.

FlashPoint security researchers took a closer look at the behavior of Bitwarden (the password manager browser extension) and came across a potential problem: the extension handles iframes embedded in a web page in an atypical way. With iframes, you can embed the content of a third-party website (e.g. a credit card form) in a web page – this is well known. The browser should separate the context of this embedded foreign page from the parent page. This is controlled by the same-origin policy: if it is active, the iframe-embedded page is isolated from the parent page and cannot access its content (see the following figure).

Figure: Same-Origin Policy Behavior, Source: FlashPoint

The policy is considered an important security concept and is implemented in all major browsers. It prevents embedded web pages from retrieving critical information from the parent page. The Bitwarden browser extension can offer to enter stored credentials for a known web page as an auto-fill login. If the Bitwarden option "Auto-fill on page load" is enabled, this auto-fill happens without user interaction. The problem: the Bitwarden browser extension also applies the auto-fill feature on pages where third-party content from other domains is embedded via iframe. The web page embedded via iframe does not have access to the content of the parent page. But the embedded page can wait for input into its own login form and forward the entered credentials to a remote server without further user interaction, the security researchers write.

The Bitwarden documentation does include a warning that "compromised or untrusted websites" could exploit this to steal credentials. The security researchers state that there is little an extension can do to prevent credential theft if the website itself is compromised. However, there are regular (non-compromised) websites that embed external iframes for various reasons, such as advertising. This means that an attacker does not necessarily need to compromise the website itself – they just need to control the content of the iframe. A few prominent websites were then randomly checked to determine whether an iframe was embedded on the login page. Only a few applicable cases were found, which reduces the potential risk.

While creating a proof-of-concept for the vulnerability, the security researchers came across another vulnerability, CVE-2023-27974, in the Bitwarden extension. This one lies in the behavior of the default URI matching – a setting that determines on which pages the browser extension should offer to auto-fill logins. By default, the setting is "base domain". This means that the Bitwarden extension provides auto-fill functionality on any page where the base domain, i.e. the top-level and second-level domains, match. However, this is a problem when subdomains are used. For example, if a company operates a login page at …, and there is another page at …company.tld, those users can steal credentials from the Bitwarden extension. In their blog post, the security researchers describe several scenarios in which attackers gain access to stored credentials for websites.

When the researchers confronted Bitwarden with the findings, a surprising response came. In its response, Bitwarden referred the security researchers to the Security Assessment Report (PDF, see also this Bitwarden page) dated November 8, 2018, which describes the vulnerability in terms of iframe handling (BWN-01-001). The provider seems to have been aware of this problem for many years.
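The two auto-fill decisions discussed above (filling login forms that live in a cross-origin iframe, and the "base domain" URI-matching default that treats every subdomain alike) can be made concrete with a small model. The following JavaScript is an added example written for this post; it is not Bitwarden's code and does not reproduce the extension's actual logic. The policy and function names, the matching modes and all `.example` URLs are constructed for illustration, and the base-domain helper deliberately ignores the Public Suffix List.

```javascript
// Added example for this post, not Bitwarden's code: a small model of the two
// auto-fill decisions discussed above. Function names, policy names and all
// *.example URLs are constructed for illustration.

// Base domain = second-level + top-level label ("company.example" for
// "logins.company.example"). Assumption for this example: a real extension
// must consult the Public Suffix List so that e.g. "co.uk" is not a base domain.
function baseDomain(hostname) {
  const labels = hostname.toLowerCase().split('.').filter(Boolean);
  return labels.slice(-2).join('.');
}

// Does a stored login URI match a page URL under the chosen matching mode?
// "base-domain" is the default the researchers criticise; "host" is stricter.
function uriMatches(storedUri, pageUrl, mode) {
  const stored = new URL(storedUri);
  const page = new URL(pageUrl);
  switch (mode) {
    case 'base-domain':
      return baseDomain(stored.hostname) === baseDomain(page.hostname);
    case 'host':
      return stored.host === page.host; // hostname plus explicit port, if any
    case 'exact':
      return stored.href === page.href;
    default:
      throw new Error(`unknown URI match mode: ${mode}`);
  }
}

// Model of the behaviour described in the post: the stored URI is compared with
// the top-level page, and a matching page gets its login forms filled in every
// frame it contains, including frames served from other origins.
function frameAgnosticPolicy({ storedUri, frameUrl, topUrl, mode }) {
  return uriMatches(storedUri, topUrl, mode);
}

// Hardened variant: the form is only filled when the document that actually
// contains it has the same origin as the top-level page, and the stored URI is
// matched against that document rather than against the top-level page.
// The same-origin policy keeps a cross-origin frame from reading the parent
// DOM, but it says nothing about what an extension writes into the frame's
// own form, so the extension has to make this check itself.
function frameAwarePolicy({ storedUri, frameUrl, topUrl, mode }) {
  const frame = new URL(frameUrl);
  const top = new URL(topUrl);
  if (frame.origin !== top.origin) return false;
  return uriMatches(storedUri, frameUrl, mode);
}

// Constructed scenarios covering both findings; returns a plain object so the
// decisions can be inspected (or asserted on) rather than only printed.
function runScenarios() {
  const stored = 'https://logins.company.example/';
  // 1) The legitimate login page embeds a third-party iframe that contains a
  //    login-looking form (the advertising / widget case from the post).
  const thirdPartyFrame = {
    storedUri: stored,
    frameUrl: 'https://widget.third-party.example/embed',
    topUrl: 'https://logins.company.example/signin',
    mode: 'base-domain',
  };
  // 2) A same-origin frame on the legitimate login page.
  const sameOriginFrame = {
    storedUri: stored,
    frameUrl: 'https://logins.company.example/frame',
    topUrl: 'https://logins.company.example/signin',
    mode: 'base-domain',
  };
  // 3) A different subdomain of the same base domain (CVE-2023-27974 case).
  const otherSubdomain = 'https://userpages.company.example/u/someone';

  return {
    thirdPartyFrameFilledByFrameAgnostic: frameAgnosticPolicy(thirdPartyFrame),
    thirdPartyFrameFilledByFrameAware: frameAwarePolicy(thirdPartyFrame),
    sameOriginFrameFilledByFrameAware: frameAwarePolicy(sameOriginFrame),
    otherSubdomainMatchesBaseDomain: uriMatches(stored, otherSubdomain, 'base-domain'),
    otherSubdomainMatchesHost: uriMatches(stored, otherSubdomain, 'host'),
  };
}

console.log(JSON.stringify(runScenarios(), null, 2));
```

Run with Node (the global `URL` class is all it needs). The frame-agnostic policy fills the third-party frame because only the top-level page is checked; the frame-aware policy refuses it and still fills a same-origin frame. The last two results show why the "base domain" default is the weaker choice for a site with user-controlled subdomains: switching the match mode to "host" (a per-login setting in most password managers) is the mitigation a user can apply today.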