CyberInsights
The blog about your IT security

Bitwarden Vulnerability 2023

Affected products

Bitwarden

Criticality of the vulnerability(ies)

medium

Impact

Open Source Bitwarden <= 2023.2.1

Description

Password managers are a practical way to protect credentials: the manager stores the credentials for many accounts, and the user only has to remember a single master password (or the manager is configured to be unlocked via biometric authentication).

A vulnerability was recently discovered in the Bitwarden password manager, caused by the way its browser extension handles login forms inside iframes embedded in a web page.

The default URI match detection setting determines how the browser extension decides whether to offer stored credentials for auto-fill on a page. It compares parts of the current page's URI with the URIs stored on the items in the extension's vault. By default the setting is "Base domain": the extension offers auto-fill on every page whose base domain, i.e. the top-level and second-level domain (for example example.com), matches a stored URI. Any subdomain of a stored domain therefore qualifies, regardless of who controls it.

Attack: A remote, anonymous attacker can exploit multiple vulnerabilities in Bitwarden to obtain credentials.

Notes:

  • It was found in several tests that the auto-fill function also fills forms in iframes that belong to entirely different domains than the page that embeds them.
  • The auto-fill requires no further user interaction if the "Auto-fill on page load" option is enabled.
  • It was also confirmed that when the user triggers auto-fill manually from the context menu, forms embedded in iframes are filled as well.

CVEs

CVE-2018-25081, CVE-2023-27974

Mitigation, workarounds and recommended actions

The vendor currently does not offer a patch for the vulnerability.

Bitwarden has commented on the vulnerability and stated that iframes have to be handled this way for compatibility reasons. It did confirm that websites reported as abusive will be excluded from auto-fill; this removes individual attack vectors but does not address the root cause.

Affected users are therefore advised to permanently disable the "Auto-fill on page load" feature. Additionally, the default URI match detection setting can be changed from "Base domain" to "Host" or "Exact". Note that a stricter match mode only narrows the set of pages on which an item is offered at all (an attacker-controlled subdomain of a stored domain, for instance, no longer matches); an iframe embedded on a page that does match is still filled, so the first measure is the more important one.
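As an added illustration (this is not code from Bitwarden or from the original post), the following JavaScript models the three match modes from the description above and the frame-origin check whose absence is the issue described in the notes. The function names, the hosts used in the scenario and the small public-suffix set are assumptions made for the example; the real extension uses the full Public Suffix List.

```javascript
// Added illustration, not Bitwarden's code: how the URI match modes decide
// whether a vault item is offered on a page, and why a check that looks only
// at the top-level page hands the credentials to a cross-origin iframe.
// hostOf, baseDomainOf, uriMatches, shouldAutofill and demo are our names.

// Simplified stand-in for the Public Suffix List: suffixes that occupy two
// labels, so that shop.example.co.uk reduces to example.co.uk.
const MULTI_LABEL_SUFFIXES = new Set(['co.uk', 'com.au', 'co.jp']);

function hostOf(uri) {
  return new URL(uri).hostname.toLowerCase();
}

// "Base domain" = registrable domain (the default match mode in the text):
// accounts.example.com and www.example.com both reduce to example.com.
function baseDomainOf(uri) {
  const labels = hostOf(uri).split('.');
  const lastTwo = labels.slice(-2).join('.');
  const keep = MULTI_LABEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-keep).join('.');
}

// The three modes discussed on the page. "host" also compares the port,
// "exact" compares the whole URL after normalisation.
function uriMatches(mode, storedUri, pageUri) {
  switch (mode) {
    case 'baseDomain':
      return baseDomainOf(storedUri) === baseDomainOf(pageUri);
    case 'host':
      return new URL(storedUri).host.toLowerCase() === new URL(pageUri).host.toLowerCase();
    case 'exact':
      return new URL(storedUri).href === new URL(pageUri).href;
    default:
      throw new Error(`unknown match mode: ${mode}`);
  }
}

// A login form lives either in the top document or in an iframe that has its
// own origin (formFrameUri). The behaviour described in the notes corresponds
// to checkFrameOrigin === false: only the top page is matched against the
// vault item, so any form embedded in that page receives the fill.
function shouldAutofill({ mode, storedUri, topPageUri, formFrameUri, checkFrameOrigin }) {
  if (!uriMatches(mode, storedUri, topPageUri)) return false;
  if (!checkFrameOrigin) return true;
  return uriMatches(mode, storedUri, formFrameUri);
}

// Constructed scenario (assumed hosts): the vault item is for
// accounts.example.com; a page on the same base domain embeds a login form
// served from an attacker-controlled origin.
const STORED = 'https://accounts.example.com/login';
const TOP_PAGE = 'https://www.example.com/profile';
const EVIL_FRAME = 'https://evil.example.net/harvest';

function demo() {
  return {
    // Default setting, frame origin ignored: the attacker's frame is filled.
    baseDomainIframeFilled: shouldAutofill({ mode: 'baseDomain', storedUri: STORED,
      topPageUri: TOP_PAGE, formFrameUri: EVIL_FRAME, checkFrameOrigin: false }),
    // Same page, but the frame's own origin must match: nothing is filled.
    baseDomainFrameChecked: shouldAutofill({ mode: 'baseDomain', storedUri: STORED,
      topPageUri: TOP_PAGE, formFrameUri: EVIL_FRAME, checkFrameOrigin: true }),
    // Host mode: www.example.com is not accounts.example.com, no item offered.
    hostModeOtherSubdomain: shouldAutofill({ mode: 'host', storedUri: STORED,
      topPageUri: TOP_PAGE, formFrameUri: EVIL_FRAME, checkFrameOrigin: false }),
    // Host mode does not help once the frame sits on a page of the stored host.
    hostModeIframeOnMatchingHost: shouldAutofill({ mode: 'host', storedUri: STORED,
      topPageUri: 'https://accounts.example.com/help', formFrameUri: EVIL_FRAME,
      checkFrameOrigin: false }),
  };
}

console.log(demo());
```

Run with `node`. The frame-origin check in shouldAutofill is something only the extension can perform; the two settings available to users (disabling auto-fill on page load, and the stricter match modes) correspond to the two `shouldAutofill` calls with `checkFrameOrigin: false`, which is why the match mode alone does not close the iframe case.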

References and links

[1] https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-0605
[2] https://flashpoint.io/blog/bitwarden-password-pilfering/
[3] https://github.com/bitwarden/clients/releases
[4] https://news.ycombinator.com/item?id=35075861

