Bitwarden confirmed today that the fix is expected to be pushed to users next week.

The password manager will only fill in iframes from trusted domains if a user enables autofill on page load. These trusted domains include the same domain as a website or a URL the user has designated as safe.

Bitwarden said that autofill on page load remains 'off' by default.

If a user fills in an untrusted iframe when using manual autofill, the password manager will flag an alert into the URI or URL to let the user decide whether to cancel or proceed with the operation.

"This eliminates the iframe attack vector while still allowing convenient autofill functionality for sites that have trusted iframes," a spokesperson from Bitwarden told IT Pro.

IT Pro has asked the company why it decided to release the fix now even though it has known about the issue since 2018.

"I highly appreciate that the vendor decided to address this security issue," said Sven Krewitt, senior vulnerability researcher at Flashpoint.

"The steps in the provided description of the fix should address the external iframe handling as the user is now in control of which iframes are filled by the extension (as opposed to filling all iframes by default).

"Please note that while the behavior of the 'URI match detection' setting is documented, the default setting still leaves an attack vector for environments where users can host content under certain sub-domains," said Krewitt.

"We still recommend setting the 'Default URI match detection' to at least check the 'Host'."

In their original research, Flashpoint researchers found that the password manager was handling iframes embedded on a web page in an atypical manner.

Bitwarden would auto-fill forms in an embedded iframe even if they were from different domains.

By combining the autofill behaviour with URI matching, which is when the browser extension knows when to auto-fill logins, the researchers said that could lead to two different attack methods.

The first is if an attacker embeds an external iframe into an uncompromised website and enables the 'Auto-fill on page load' option. The other is if an attacker hosts a web page under a subdomain.

In either case, the default implementation of Bitwarden could then auto-fill malicious web elements with credentials, presenting a security risk.
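The trusted-iframe rule and the 'Host' match recommendation described in this article can be sketched as a decision function. This is an added example, not Bitwarden's code: the function names, the "base" and "host" mode labels, the reading of "same domain" as same hostname, and the sample URLs are all assumptions made for illustration.

```javascript
// Added illustration, not Bitwarden's implementation. All names are hypothetical.

// Simplification: treats the last two labels as the base domain.
// Real code needs the Public Suffix List (e.g. for "co.uk").
function baseDomain(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

// "base" compares base domains only; "host" compares the full host (and port).
function uriMatches(savedUri, targetUrl, mode) {
  const saved = new URL(savedUri);
  const target = new URL(targetUrl);
  if (mode === "host") return saved.host === target.host;
  return baseDomain(saved.hostname) === baseDomain(target.hostname);
}

// Trusted = same hostname as the top-level page (assumed reading of
// "same domain"), or a URL the user has designated as safe.
function frameIsTrusted(pageUrl, frameUrl, userTrusted) {
  const frame = new URL(frameUrl);
  if (frame.hostname === new URL(pageUrl).hostname) return true;
  return userTrusted.some((u) => new URL(u).host === frame.host);
}

// Returns "fill", "prompt" (ask the user) or "skip".
function autofillDecision({ pageUrl, frameUrl, savedUri, mode, trigger, userTrusted = [] }) {
  if (!uriMatches(savedUri, pageUrl, mode)) return "skip";
  if (!frameUrl || frameIsTrusted(pageUrl, frameUrl, userTrusted)) return "fill";
  // Untrusted iframe: never fill on page load; manual fill asks first.
  return trigger === "manual" ? "prompt" : "skip";
}

// Constructed sample cases (example.com / example.net are placeholders).
const saved = "https://login.example.com";
const userPage = "https://pages.example.com/u/guest"; // user-hosted content on a sibling subdomain
const widget = "https://widgets.example.net/form";    // cross-domain iframe
const cases = [
  { pageUrl: userPage, savedUri: saved, mode: "base", trigger: "pageload" },
  { pageUrl: userPage, savedUri: saved, mode: "host", trigger: "pageload" },
  { pageUrl: saved, frameUrl: widget, savedUri: saved, mode: "host", trigger: "pageload" },
  { pageUrl: saved, frameUrl: widget, savedUri: saved, mode: "host", trigger: "manual" },
];
for (const c of cases) console.log(c.mode, c.trigger, c.frameUrl || "(top page)", "->", autofillDecision(c));
```

The first two cases show why the 'Host' setting matters: with base-domain matching a sibling subdomain still receives the saved login, while host matching skips it.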