Criticality of the vulnerability(ies)
Open Source Bitwarden <= 2023.2.1
Password managers are a convenient way to protect credentials: the manager stores the credentials for many accounts in an encrypted vault, and the user needs to remember only one master password (or the manager is configured to be unlocked via biometric authentication).
A vulnerability was recently reported in the Bitwarden password manager, caused by the way its browser extension handles embedded iframes when auto-filling credentials.
The default URI match setting defines how the browser extension decides whether to offer credentials for auto-filling: it compares parts of the URI of the current page with the URIs stored in the vault items. By default it is set to "Base domain", which means the extension offers auto-fill on any page whose base domain (the top-level domain plus the second-level domain, e.g. example.com) matches a stored URI, regardless of subdomain, port or path.
Attack: A remote, anonymous attacker can exploit multiple vulnerabilities in Bitwarden's auto-fill handling to obtain stored credentials.
- Tests confirmed that the auto-fill function also fills login forms inside iframes that belong to entirely different domains from the page that embeds them.
- If the "Auto-fill on page load" option is enabled, this happens without any further user interaction.
- It was also confirmed that when the user triggers auto-fill from the context menu, forms embedded in iframes are filled as well.
Mitigation or measures to avoid the vulnerability, and recommendations for action
The vendor currently does not offer a patch that fixes the vulnerability.
Bitwarden has commented on the issue and stated that iframes must be handled this way for compatibility reasons. It has confirmed, however, that reported websites will be excluded from auto-fill; this removes individual attack vectors, but not the root cause.
Affected users are therefore advised to keep the "Auto-fill on page load" feature disabled. Alternatively, the default URI match setting can be changed from "Base domain" to "Host" or "Exact", which narrows auto-fill to pages whose host (or full URL) matches the stored item. Note that this narrows which top-level pages receive auto-fill; on a page that still matches, forms in embedded iframes are filled as described above.
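The following is an added example, not Bitwarden's code and not a description of its internals: it models the three URI match modes described above and the auto-fill decision for a page containing iframes, once in the vulnerable form the report describes (only the top-level page URL is checked, then every frame is filled) and once in a hardened form in which each frame's own URL must also match. All function and variable names, the simplified base-domain extraction, and the sample vault item and page are assumptions constructed for the example. It also shows why switching the match mode to "Host" or "Exact" reduces exposure in the subdomain scenario.

```javascript
// Added example (not Bitwarden's code): a minimal model of the URI match
// modes and of the iframe auto-fill decision. All names are assumptions.

// Simplified base-domain extraction: the last two DNS labels. A real
// extension consults the public suffix list (so "example.co.uk" is not
// reduced to "co.uk"); this shortcut is an assumption for the example.
function baseDomain(hostname) {
  const labels = hostname.split('.');
  return labels.slice(-2).join('.');
}

// Does the stored vault URI match the given page URI under the chosen mode?
function uriMatches(storedUri, pageUri, mode) {
  const stored = new URL(storedUri);
  const page = new URL(pageUri);
  switch (mode) {
    case 'baseDomain': // default: top-level + second-level domain only
      return baseDomain(stored.hostname) === baseDomain(page.hostname);
    case 'host':       // hostname plus port must match
      return stored.host === page.host;
    case 'exact':      // the whole URL must match
      return stored.href === page.href;
    default:
      throw new Error('unknown URI match mode: ' + mode);
  }
}

// Vulnerable decision (the behaviour the report describes): only the
// top-level page URL is checked; every frame on the page is then filled,
// including frames whose own origin is completely different.
function framesToFillVulnerable(item, topUrl, frameUrls, mode) {
  if (!uriMatches(item.uri, topUrl, mode)) return [];
  return frameUrls.slice();
}

// Hardened decision (an illustrative sketch, not the vendor's fix): a frame
// is filled only if its own URL also matches the vault item under the same mode.
function framesToFillHardened(item, topUrl, frameUrls, mode) {
  if (!uriMatches(item.uri, topUrl, mode)) return [];
  return frameUrls.filter((frameUrl) => uriMatches(item.uri, frameUrl, mode));
}

// Constructed scenario: the vault item is for login.example.com; the user
// visits a page on another subdomain that embeds an attacker-controlled
// iframe alongside the legitimate login frame.
const VAULT_ITEM = { name: 'Example account', uri: 'https://login.example.com/' };
const TOP_URL = 'https://blog.example.com/guestbook';
const FRAME_URLS = [
  'https://login.example.com/signin',
  'https://attacker.example/harvest', // cross-domain frame
];

// Run the decision under every match mode and return the frames that
// would receive the stored credentials.
function demo() {
  const result = {};
  for (const mode of ['baseDomain', 'host', 'exact']) {
    result[mode] = {
      vulnerable: framesToFillVulnerable(VAULT_ITEM, TOP_URL, FRAME_URLS, mode),
      hardened: framesToFillHardened(VAULT_ITEM, TOP_URL, FRAME_URLS, mode),
    };
  }
  return result;
}

console.log(JSON.stringify(demo(), null, 2));
```

Under "baseDomain" the vulnerable decision fills both frames, so the attacker's frame receives the credentials; the hardened decision fills only the login.example.com frame. Under "host" and "exact" the top-level page blog.example.com no longer matches the stored item at all, so nothing is filled, which is the effect of the recommended setting change; on a page that does match under those modes, the vulnerable decision would still fill every frame.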
References and links