Bitwarden Password Manager Vulnerability Allows for Credential Theft via Malicious iFrames

Security researchers at Flashpoint have identified a flaw in the autofill feature of Bitwarden, a popular open-source password management service. The vulnerability could allow malicious iframes embedded in trusted websites to capture users’ credentials and send them to an attacker. Bitwarden was first made aware of the problem in 2018 but chose to keep the behaviour in order to accommodate legitimate sites that use iframes for their login forms. Although autofill is disabled in Bitwarden by default, websites that meet the necessary conditions still exist, and motivated threat actors can attempt to exploit these flaws on them.

Flashpoint found that the extension also auto-fills forms defined in embedded iframes, even iframes loaded from external domains. The embedded iframe has no access to the content of the parent page, but it can wait for the login form to be filled and forward the entered credentials to a remote server without any further user interaction. Bitwarden will also auto-fill credentials on any subdomain of the base domain of a stored login, so an attacker hosting a phishing page under such a subdomain will capture the credentials as soon as the victim visits the page, provided autofill is enabled.

While Flashpoint reported that the number of risky cases was very low, the possibility of an attack still exists. Some content hosting providers allow arbitrary content to be hosted under a subdomain of their official domain, the same base domain that serves their login page. An attacker hosting content there could therefore steal credentials from the Bitwarden extension. Although registering a subdomain that matches the base domain of a legitimate website is not always possible, the attack remains possible through subdomain hijacking.
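The two conditions described above (a form inside a cross-origin iframe, and a page on a sibling subdomain) and the settings that narrow them can be modelled in a few lines. This is an added, simplified model written for this article, not Flashpoint's or Bitwarden's code: the match-mode names mirror Bitwarden's URI match detection options (Base domain is the default; Host and Exact are stricter), the base-domain computation is a naive last-two-labels simplification of the public-suffix logic a real extension uses, and all URLs are constructed.

```python
from urllib.parse import urlsplit


def base_domain(host: str) -> str:
    """Simplified base domain: last two labels. A real extension consults a
    public-suffix list so that suffixes such as co.uk are handled; not modelled here."""
    return ".".join(host.lower().split(".")[-2:])


def origin(uri: str) -> tuple:
    """Web origin (scheme, host, port): the unit a cross-origin iframe check compares."""
    u = urlsplit(uri)
    return (u.scheme.lower(), (u.hostname or "").lower(), u.port)


def uri_matches(saved_uri: str, page_uri: str, mode: str) -> bool:
    """URI match detection: 'base_domain' (permissive default), 'host' or 'exact'."""
    s, p = urlsplit(saved_uri), urlsplit(page_uri)
    if mode == "base_domain":
        return base_domain(s.hostname) == base_domain(p.hostname)
    if mode == "host":
        return (s.hostname.lower(), s.port) == (p.hostname.lower(), p.port)
    if mode == "exact":
        return saved_uri == page_uri
    raise ValueError(f"unknown match mode {mode!r}")


def autofill_decision(saved_uri: str, top_uri: str, frame_uri: str,
                      mode: str = "base_domain",
                      block_cross_origin_frames: bool = False) -> bool:
    """True if the stored login would be filled into a form living in frame_uri.

    As the article describes, the match is evaluated against the top-level page
    (top_uri); frame_uri equals top_uri when the form is not inside an iframe.
    With block_cross_origin_frames=True a form whose frame origin differs from
    the top-level origin is never filled, which closes the iframe case. The
    subdomain case is only closed by a stricter match mode such as 'host'.
    """
    if block_cross_origin_frames and origin(frame_uri) != origin(top_uri):
        return False
    return uri_matches(saved_uri, top_uri, mode)


if __name__ == "__main__":
    saved = "https://accounts.example.com/login"        # stored login (constructed)
    trusted = "https://accounts.example.com/login"      # legitimate page embedding an iframe
    evil_frame = "https://evil.example.net/capture"     # third-party iframe on that page
    user_sub = "https://user-content.example.com/page"  # attacker-hosted sibling subdomain
    print(autofill_decision(saved, trusted, evil_frame))                                   # True
    print(autofill_decision(saved, trusted, evil_frame, block_cross_origin_frames=True))   # False
    print(autofill_decision(saved, user_sub, user_sub))                                    # True
    print(autofill_decision(saved, user_sub, user_sub, mode="host"))                       # False
```

Switching the match mode to Host stops the subdomain case, but it also stops legitimate fills on other hosts of the same service, which is the usability trade-off the default was chosen around.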