Bleeping Computer is reporting on a weakness in Bitwarden that could allow it to be fooled by iFrames in trusted websites hijacking usernames and passwords, if autofill is enabled. Although the auto-fill feature is disabled in Bitwarden by default, and the conditions to exploit it aren't abundant, Flashpoint says there are still websites that meet the requirements where motivated threat actors can attempt to exploit these flaws.

The problem is that if someone slips an iFrame into a site that is trusted, they can hijack the autofill data. The root of it seems to be that autofill, if enabled, automatically fills in usernames and passwords on known sites. Flashpoint discovered that if an iFrame from a bad actor is embedded into the website with the same username and password fields, Bitwarden will automatically fill in the username and password both on the main form and in the iFrame's form. There are sites that are designed this way, although they are, thankfully, relatively rare. But during the investigation, Flashpoint found that a malicious form in a sub-domained iFrame could capture the credentials. The "saving grace" for Bitwarden is that it will only fill in the iFrame information if it belongs to a sub-domain of the original TLD. If the login information is for “ ”, Bitwarden will also automatically fill in the details on “ ”, but it wouldn't fill them in for “ ”. This makes it much harder to exploit, but not impossible: some hosting services allow users to register sub-domains.

Allegedly, Bitwarden has known about the issue since 2018 (it is also mentioned in their documentation), but has deemed the behaviour too useful for legitimate websites that do use iFrames to disable it.
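The sub-domain matching rule described above is what decides which frames on a page receive credentials. The following Python model, added here and not Bitwarden's own code, shows the difference between a "base domain" rule (any sub-domain of the saved login's domain matches, so a user-registered sub-domain on a shared host would be filled) and a stricter "host" rule that only matches the exact host. The saved login URI, the page URL, the frame URLs and the tiny multi-label suffix set are all constructed for the example; a real implementation would consult the full public suffix list.

```python
"""Simplified model of password-manager URI matching for a top-level page and
its embedded iframes. Added example, not Bitwarden's code. It illustrates why a
'base domain' match rule fills credentials into a sub-domain iframe while a
stricter 'host' rule does not. All inputs below are constructed."""
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for a public-suffix list.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def base_domain(host: str) -> str:
    """Return the registrable domain, e.g. 'sub.example.com' -> 'example.com'."""
    labels = host.lower().rstrip(".").split(".")
    take = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-take:])


def uri_matches(saved_uri: str, candidate_url: str, mode: str) -> bool:
    """Decide whether a saved login's URI matches a candidate page or frame URL.

    mode: 'base_domain' (sub-domains match) or 'host' (exact host only).
    Plain-HTTP or malformed candidates never match, so credentials are never
    handed to a frame loaded without TLS.
    """
    saved = urlsplit(saved_uri)
    cand = urlsplit(candidate_url)
    if cand.scheme != "https" or not saved.hostname or not cand.hostname:
        return False
    if mode == "host":
        return saved.hostname.lower() == cand.hostname.lower()
    if mode == "base_domain":
        return base_domain(saved.hostname) == base_domain(cand.hostname)
    raise ValueError(f"unknown match mode: {mode}")


def fill_targets(saved_uri: str, page_url: str, frame_urls: list[str], mode: str) -> list[str]:
    """Return the URLs (top page first, then frames) that would receive credentials.

    Frames are only considered when the top-level page itself matches the login.
    """
    if not uri_matches(saved_uri, page_url, mode):
        return []
    return [page_url] + [f for f in frame_urls if uri_matches(saved_uri, f, mode)]


# Constructed scenario: a trusted login page that embeds three frames.
SAVED_LOGIN_URI = "https://example.com"
PAGE = "https://example.com/login"
FRAMES = [
    "https://sub.example.com/embedded-login",  # sub-domain a hosting user could register
    "https://example.org/embedded-login",      # different base domain
    "http://example.com/embedded-login",       # same host, but no TLS
]


def demo() -> dict[str, list[str]]:
    """Which URLs get filled under each match rule."""
    return {mode: fill_targets(SAVED_LOGIN_URI, PAGE, FRAMES, mode) for mode in ("base_domain", "host")}


if __name__ == "__main__":
    for mode, targets in demo().items():
        print(f"{mode:12s} -> {targets}")
```

Under the base-domain rule the sub-domain frame is filled alongside the main form, which is the condition the article describes; under the host rule only the top-level form is filled. The practical takeaway for a defender is that a stricter per-login match rule removes the sub-domain case without giving up autofill entirely.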