
Bitwarden’s Iframe Flaw Explained

March 30, 2023

The purpose of password managers is to safeguard our login credentials and online accounts. However, a popular password manager recently made headlines for its major security flaw. Bitwarden is under scrutiny because its autofill feature gives hackers easy access to sensitive information. The company has known about the vulnerability for years but left the issue unaddressed.

If your company uses Bitwarden, here’s everything you need to know about the issue. That way, you can take the necessary steps to secure your login credentials and other private data.

Why Is Bitwarden’s Iframe Flaw Dangerous?

Cybersecurity firm Flashpoint recently discovered something unusual about Bitwarden. The password manager’s browser extension auto-fills every login form on a page, including forms that sit inside an iframe.

Why is that dangerous? Inline frames, or iframes, host third-party content on a parent page. They are usually used for advertisements, interactive content, and embedded videos. Unfortunately, hackers can also use them to steal sensitive information. They can place a login form in the iframe, wait for inputs, and send the data to a remote server.

That is why Bitwarden’s auto-fill feature for iframes is problematic. It is essentially serving login credentials to hackers on a silver platter. The good news is that Flashpoint hasn’t found many websites that place iframes on their login page.

Why the Vulnerability Issue Remains

After discovering the security flaw, Flashpoint notified Bitwarden. In response, Bitwarden sent a Security Assessment Report dated Nov. 8, 2018. That meant the company was aware of the problem. The document describes the iframe issue and why the company decided not to fix it.

These are the reasons for not addressing it:

  • Users should be able to log in to all websites, even those with embedded iframes.
  • If there’s a malicious iframe embedded on a site, it’s safe to assume that data has already been compromised even without Bitwarden’s inputs.
  • Bitwarden doesn’t autofill login credentials without users’ consent. Users can always turn the feature off.

To encourage Bitwarden to tighten its security, Flashpoint explained various attack vectors that hackers could use to steal information. Bitwarden has decided to retain its iframe functionality but agreed to exclude the hosting environments the cybersecurity firm discussed. To prevent exploitation, Bitwarden users can disable the “auto-fill on page” feature.
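To make the flaw and the fix concrete, here is an added illustration (not Bitwarden’s code) of the decision a password manager makes before filling a form: a legacy check that only compares the top-level page to the saved entry, beside a hardened check that also refuses to fill forms in cross-site or insecure iframes. The `registrableDomain` helper is a hypothetical simplification that takes the last two host labels.

```javascript
// Hypothetical helper: approximate the registrable domain (eTLD+1) by the
// last two labels. A real implementation would consult the Public Suffix
// List so that hosts such as "example.co.uk" are handled correctly.
function registrableDomain(hostname) {
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

// Weak, pre-fix behaviour described in the article: as long as the page the
// user navigated to matches the saved entry, every form is filled, including
// forms inside third-party iframes.
function legacyShouldAutofill(topUrl, frameUrl, savedUri) {
  const top = new URL(topUrl);
  const saved = new URL(savedUri);
  return registrableDomain(top.hostname) === registrableDomain(saved.hostname);
}

// Hardened behaviour: the frame hosting the form must also belong to the
// same site as the top-level page and must be served over HTTPS.
function shouldAutofill(topUrl, frameUrl, savedUri) {
  const top = new URL(topUrl);
  const frame = new URL(frameUrl);
  const saved = new URL(savedUri);

  if (registrableDomain(top.hostname) !== registrableDomain(saved.hostname)) {
    return { fill: false, reason: "top-level site does not match saved entry" };
  }
  if (registrableDomain(frame.hostname) !== registrableDomain(top.hostname)) {
    return { fill: false, reason: "form is inside a cross-site iframe" };
  }
  if (frame.protocol !== "https:") {
    return { fill: false, reason: "frame is not served over HTTPS" };
  }
  return { fill: true, reason: "same-site HTTPS frame" };
}

// Constructed sample: a login page on bank.example embedding a third-party
// iframe that contains its own login form.
const TOP = "https://bank.example/login";
const THIRD_PARTY_FRAME = "https://ads.third-party.example/form";
const SAME_SITE_FRAME = "https://auth.bank.example/form";
const SAVED = "https://bank.example/";

console.log("legacy:", legacyShouldAutofill(TOP, THIRD_PARTY_FRAME, SAVED)); // true
console.log("hardened:", shouldAutofill(TOP, THIRD_PARTY_FRAME, SAVED));    // fill: false
console.log("hardened:", shouldAutofill(TOP, SAME_SITE_FRAME, SAVED));      // fill: true
```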

Business owners must exercise due diligence in choosing security tools and platforms. You may not realize that the services that promise to protect data can be the first entry point for hackers. Lack of research and foresight can ruin your brand’s reputation, cost you millions and break your customers’ trust.
