The Flashpoint Vulnerability Research team observed that Bitwarden, a well-known password manager browser extension, treated embedded iframes on web pages in an unusual way.
Insecure behavior in Bitwarden’s credentials autofill feature makes it possible for malicious iframes embedded on legitimate websites to capture users’ credentials and pass them to an attacker.
According to the Mozilla HTML documentation, the <iframe> HTML element defines a nested browsing context, embedding another HTML page into the current one.
Bitwarden first became aware of the issue in 2018 but decided to keep the behavior in order to support legitimate websites that employ iframes.
Auto-Fill Behavior in Bitwarden
The Bitwarden extension can offer to fill in the appropriate login fields when it recognizes that a user is on a website for which they have saved credentials.
If the “Auto-fill on page load” option is selected, the form is filled without requiring any user input.
Curiously, the extension also automatically fills forms defined inside an embedded iframe, even when the iframe is served from a different domain than the parent page.
“While the embedded iframe does not have access to any content in the parent page, it can wait for input to the login form and forward the entered credentials to a remote server without further user interaction”, says Flashpoint.
Flashpoint looked at how frequently iframes are included on the login pages of high-traffic websites and found only a small number of risky scenarios, which significantly reduces the overall risk.
Flashpoint also found a second problem while looking into the iframe issue: Bitwarden would also automatically fill login information on any subdomain of the base domain that matches a saved login.
If autofill is enabled, an attacker who hosts a phishing page under a subdomain of a base domain for which the victim has a stored login will obtain the credentials as soon as the victim arrives at the page.
“If you have encountered your fair share of web solutions and content providers, it becomes clear that this poses a problem. Some content hosting providers allow hosting arbitrary content under a subdomain of their official domain, which also serves their login page”, Flashpoint explains.
“As an example, should a company have a login page at https://logins.company.tld and allow users to serve content under https://<clientname>.company.tld, these users are able to steal credentials from the Bitwarden extensions.”
Potential Attack Methods
- An uncompromised website with the “Auto-fill on page load” option turned on embeds an external iframe controlled by an attacker.
- An attacker hosts a specially crafted web page on a subdomain of, say, a hosting company whose login form sits under the same base domain.
Hence, an attacker can steal the credentials stored for that domain if a user running the Bitwarden browser extension visits a specially crafted page hosted on these web services.
As previously noted, no additional user input is needed if the “Auto-fill on page load” option is activated. Also, when a user triggers autofill via the context menu, forms embedded in iframes get filled as well.
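The two behaviors above (credential selection keyed on the base domain, and filling forms in cross-origin iframes) can be modeled as a small policy check, shown here as an added example that is not Bitwarden's code and does not describe its actual implementation. The stricter policy is a hypothetical comparison, and the base-domain helper approximates the base domain as the last two hostname labels (a real implementation would consult the Public Suffix List).

```javascript
// Added example (not Bitwarden's code): models the autofill matching rules the
// article describes and places a stricter policy beside them for comparison.
// Assumption: "base domain" is approximated as the last two hostname labels;
// a production implementation would use the Public Suffix List instead.

function baseDomain(hostname) {
  return hostname.toLowerCase().split('.').slice(-2).join('.');
}

// login:  { uri }                 a saved credential
// ctx:    { topUrl, frameUrl }    URL of the tab and of the frame holding the form
//                                 (frameUrl === topUrl for a top-level form)
// policy: { match: 'base-domain' | 'host', fillCrossOriginFrames: boolean }
function wouldAutofill(login, ctx, policy) {
  const saved = new URL(login.uri);
  const top = new URL(ctx.topUrl);
  const frame = new URL(ctx.frameUrl);

  // Step 1: credential selection is keyed on the top-level tab URL.
  const hostMatches = policy.match === 'host'
    ? saved.hostname === top.hostname
    : baseDomain(saved.hostname) === baseDomain(top.hostname);
  if (!hostMatches) return false;

  // Step 2: decide whether the matched credential may be written into this frame.
  const sameOrigin = frame.origin === top.origin;
  return sameOrigin || policy.fillCrossOriginFrames;
}

// Behavior as described in the article vs. a hypothetical stricter configuration.
const DESCRIBED = { match: 'base-domain', fillCrossOriginFrames: true };
const STRICT = { match: 'host', fillCrossOriginFrames: false };

// Constructed scenarios mirroring the article's two attack methods.
const login = { uri: 'https://logins.company.tld' };
const scenarios = {
  legitimate: { topUrl: 'https://logins.company.tld/', frameUrl: 'https://logins.company.tld/' },
  subdomainPage: { topUrl: 'https://clientname.company.tld/', frameUrl: 'https://clientname.company.tld/' },
  embeddedFrame: { topUrl: 'https://logins.company.tld/', frameUrl: 'https://attacker.example/form' },
};

// Returns, per scenario, whether the saved credential would be filled under `policy`.
function evaluate(policy) {
  const out = {};
  for (const [name, ctx] of Object.entries(scenarios)) out[name] = wouldAutofill(login, ctx, policy);
  return out;
}
```

Under `DESCRIBED` all three scenarios fill, including the phishing subdomain and the attacker-controlled frame; under `STRICT` only the legitimate login page does.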
Bitwarden expressly mentions in its documentation the possibility of compromised sites abusing the autofill feature to steal credentials, and emphasizes that the feature is a potential danger.
However, because users must log in to services that use iframes embedded from external sites, Bitwarden’s engineers chose to keep the behavior and placed a warning in the software’s documentation and in the extension’s relevant settings menu.
In response, Bitwarden stated that it would not change the iframe functionality but promised to block autofill on the reported hosting environment in a future release.