Password managers are rightly seen by many security professionals as an essential part of your account takeover mitigation toolkit. Those who would wish to steal your money or data, be they your average cybercriminal or a state-sponsored team of hackers, look to credential compromise as a first port of call. With password reuse rife, and given the number of passwords we each have, it’s hardly surprising that unique, random, and complex passwords are key. This is why, and I return to my opening gambit, password managers are seen by so many, including myself and the Straight Talking Cyber team at Forbes, as essential. That is also why trust in these applications is so important, and why that trust can get dented when responses to security researcher concerns appear less than reassuring. We’ve already seen examples of this erosion of trust in the case of LastPass recently, and now one of the other big password manager brands stands accused of not doing enough to prevent password theft. Here’s what Bitwarden users need to know in light of a new report into one specific credential theft attack vector.
What is putting Bitwarden in the password pilfering cross-hairs?
Newly published research from threat intelligence experts Flashpoint has suggested that Bitwarden falls short in one particular area: the auto-filling of credentials within embedded iframes. What the vulnerability researchers at Flashpoint found was that the Bitwarden browser extension could auto-fill a login form if matching credentials were saved within the Bitwarden password vault. So far, so absolutely normal.
After all, the auto-completion of login fields with your very long and very random password is one of the benefits of using a password manager. Almost every password manager application will do this without the need for user interaction. This convenience factor sits side-by-side with security when it comes to the reasons most people decide to use a password manager in the first place.
However, the Flashpoint researchers found that, unlike some other password manager extensions they examined, and more of that shortly, Bitwarden would fill an embedded iframe (if the auto-fill on page load option was enabled) asking for login credentials “even if they are from different domains.”
An iframe, or inline frame, is simply a method of embedding one page (or document, if you prefer) within another HTML page. A good example of this is the iCloud website, which uses a login iframe from apple.com when signing in.
Flashpoint does concede that “the number of cases found matching this particular setup was quite low, reducing the potential risk.” What’s more, Bitwarden not only has this auto-fill option disabled by default but also has a warning in the documentation that enabling it means a compromised site could take advantage to steal credentials. So, what’s the problem here, exactly?
Delving deeper into the Flashpoint password pilfering research
Firstly, say the researchers, there’s the problem of someone “hosting arbitrary content under a subdomain of their official domain.” Because of the way the Bitwarden browser extension determines how auto-fill is completed, defaulting (if enabled) to a base domain, a second-level domain could potentially steal credentials. Secondly, the report claims that this security flaw, or feature, “appears to be unique to Bitwarden’s product.” This is based upon a “brief evaluation of other password manager extensions.”
I contacted Sven Krewitt, a senior vulnerability researcher at Flashpoint, for some clarification. “We did not conduct a thorough comparison of available password managers,” Krewitt says, “but after the Bitwarden discovery, we wanted to do a quick check whether other popular extensions behave in the same way.” Krewitt says that Flashpoint was able to “confirm 1Password and the password manager in Chrome do not autofill external iframes,” and “Dashlane shows a warning if you attempt to do so.”
A Bitwarden spokesperson told me that “Bitwarden supports this as an optional feature as some popular websites use this approach, such as icloud.com and apple.com. Other password managers may choose a different path.”
How big a real-world risk is this to your average Bitwarden user?
Krewitt told me that the attack demonstrated to Bitwarden was for a certain environment and, by default, “this attack does not work for all websites.” However, Flashpoint was able to confirm that several very large hosting providers currently have the same environment, and the same requirements are met. “This is the most concerning aspect,” Krewitt says, “if the auto-fill on page load setting is enabled, the attack works when a user visits a specially crafted webpage.”
However, if it isn’t enabled, and it is disabled by default, remember, “a bit of social-engineering is required, e.g., using a CTRL-Shift shortcut on that page,” Krewitt told me, concluding “due to these requirements, we don’t deem this as a critical issue, but very important for users to know as this could lead to issues at scale.”
“As you state, this feature is not enabled by default, and the vector is limited, and Bitwarden has placed warnings for users,” the Bitwarden spokesperson says. “As popular websites continue to use iframes such as icloud.com and apple.com,” they concluded, “Bitwarden has allowed for user choice. We will continue to look at options and the user experience for these situations.”
Should you switch from Bitwarden to another password manager?
Lots of people have, from comments I’ve seen on social media, already switched to Bitwarden following the recent LastPass breach disclosures. Is the recommendation for them to switch again, to another password manager, in light of the Flashpoint research?
I’m inclined to say no, as long as they are aware of the minimal risk as it stands, should they enable the auto-fill feature.
“If you are using Bitwarden, the ‘auto-fill on page load’ option should be disabled and ‘Default URI match detection’ should be set to Host or Exact,” Krewitt says, as “this mitigates the attacks.” While giving a very resounding yes to my question of whether users should still use a password manager, Krewitt did confide that, personally, “I switched back to my old password manager.”
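To make concrete why the base-domain matching described earlier lets a page hosted under a sibling subdomain match a saved login, and why the Host or Exact settings Krewitt recommends close that gap, here is a small model of the three match modes. This is an added illustration written for this article, not Bitwarden’s code; the hostnames are constructed, and the base-domain rule is simplified to the last two labels (real clients consult a public-suffix list).

```python
from urllib.parse import urlsplit

# Constructed scenario: a saved login for a hosting provider's sign-in page,
# and an unrelated page that the same provider serves from a sibling subdomain.
VAULT_URI = "https://login.example-host.com/"            # saved in the vault
SIBLING_PAGE = "https://someone-else.example-host.com/"  # same base domain


def base_domain(host: str) -> str:
    """Simplified base domain: last two DNS labels (assumption; no public-suffix list)."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def matches(vault_uri: str, frame_url: str, mode: str) -> bool:
    """Reconstruction of the three URI match modes named in the article."""
    v, f = urlsplit(vault_uri), urlsplit(frame_url)
    if mode == "base_domain":
        # Any host under the same registrable domain matches.
        return base_domain(v.hostname or "") == base_domain(f.hostname or "")
    if mode == "host":
        # Full hostname (and port, if any) must be identical.
        return (v.hostname, v.port) == (f.hostname, f.port)
    if mode == "exact":
        # The whole saved URI must equal the frame's URL.
        return vault_uri == frame_url
    raise ValueError(f"unknown match mode: {mode}")


def should_autofill(vault_uri: str, frame_url: str, mode: str, fill_on_load: bool) -> bool:
    """Defender's policy: with auto-fill on page load off, nothing is filled without
    the user acting; otherwise fill only if the *frame's own* URL (not the top page's)
    matches the saved login under the chosen mode."""
    if not fill_on_load:
        return False
    return matches(vault_uri, frame_url, mode)


def compare_modes(vault_uri: str, frame_url: str) -> dict:
    """Side-by-side view of what each mode would decide for one frame URL."""
    return {m: matches(vault_uri, frame_url, m) for m in ("base_domain", "host", "exact")}


if __name__ == "__main__":
    print(compare_modes(VAULT_URI, SIBLING_PAGE))
```

Running it shows the sibling-subdomain page matching only under `base_domain`, which is the setting change the research recommends.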