Password managers have long offered autofill, the ability for the service or app to automatically fill out login forms with your user ID and password on saved websites. But the feature carries risks, and for the popular Bitwarden service the danger is high enough to avoid autofill altogether.
Generally, security experts recommend turning off the more proactive version of autofill, where credentials are automatically filled into saved sites. If a website is compromised, a malicious actor can capture your login information before you can visually confirm that the page looks normal.
But as security company Flashpoint.io detailed in a blog post last week, Bitwarden autofill has a deeper vulnerability than other services. On websites that use iframes, where one page loads HTML elements from a different web page, login forms hosted on an external website still populate with the saved site’s user ID and password. If any of these external HTML elements are compromised (such as advertising, a known exploit vector), the result could be login data theft.
This permissiveness is not accidental, but by design: in the company documentation on the matter, published in late 2018, Bitwarden says its goal is to encourage better adoption of password managers. The company gives the example of iCloud as a major website that still uses iframes to connect to apple.com for login.
This vulnerability exists whether Bitwarden pre-fills login forms automatically or autofill is triggered manually; Flashpoint’s tests showed that both carry the same risk. Bitwarden also doesn’t warn users when they fill out a form hosted on a different page or site, and even offers an optional toggle that extends autofill to a website’s subdomains. Other password managers seem like more secure options, as they apply stricter autofill policies. In spot checks of Bitwarden’s rivals, they autofilled only for the site saved in the vault entry, or at least displayed a warning if an iframe inserted an external form.
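To make the difference between the two autofill policies concrete, here is an added illustration (not Bitwarden’s or Flashpoint’s code) that evaluates a fill decision from the top-level page origin and the origin of the frame that actually hosts the login form; the vault entry shape, the policy names and the sample hosts are all constructed for this example.

```javascript
// Host match used by a vault entry: exact host, optionally its subdomains
// (the subdomain toggle the article mentions).
function hostMatches(entryHost, host, allowSubdomains) {
  if (host === entryHost) return true;
  return allowSubdomains && host.endsWith("." + entryHost);
}

// Permissive policy, as the article describes Bitwarden's behaviour: the
// decision is made from the top-level page alone, so a form sitting in a
// third-party iframe is filled just like the site's own form.
function permissivePolicy(entry, topUrl, frameUrl, allowSubdomains = false) {
  const top = new URL(topUrl);
  return hostMatches(entry.host, top.hostname, allowSubdomains) ? "fill" : "block";
}

// Stricter policy: the frame hosting the form must itself match the entry.
// A matching top-level page that embeds a foreign frame gets a warning
// instead of a fill, which is what the spot-checked rivals did.
function strictPolicy(entry, topUrl, frameUrl, allowSubdomains = false) {
  const top = new URL(topUrl);
  const frame = new URL(frameUrl);
  if (frame.protocol !== "https:") return "block"; // never fill over plain HTTP
  if (hostMatches(entry.host, frame.hostname, allowSubdomains)) return "fill";
  if (hostMatches(entry.host, top.hostname, allowSubdomains)) return "warn";
  return "block";
}

// Constructed sample: a saved entry for example.com, whose login page embeds a
// form from an unrelated (hypothetical) ad/CDN host, plus a subdomain case.
function demo() {
  const entry = { host: "example.com" };
  const cases = {
    sameOrigin: ["https://example.com/login", "https://example.com/login"],
    foreignFrame: ["https://example.com/login", "https://ads.example-cdn.test/form"],
    subdomainFrame: ["https://example.com/", "https://accounts.example.com/login"],
  };
  const out = {};
  for (const [name, [top, frame]] of Object.entries(cases)) {
    out[name] = {
      permissive: permissivePolicy(entry, top, frame),
      strict: strictPolicy(entry, top, frame),
    };
  }
  return out;
}

console.log(demo());
```

Under the permissive policy the foreign ad frame is filled because the top-level page matches; under the strict policy that same case only produces a warning.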
As a password manager user, you can take two main steps to protect yourself from this type of vulnerability. (And no, the answer is not to stop using a password manager.)
Leave preemptive autofill turned off. Good services and apps have this disabled by default; leave it that way for better security. Use a service or app that doesn’t autofill forms hosted on external sites or, at the very least, warns you that you’re about to.
If you decide to stick with Bitwarden, which is an otherwise reliable service and our favorite free password manager, you should likewise keep preemptive autofill off. But you should also take this precaution:
Only use manually enabled autofill on sites you can reasonably trust. For example, Apple should have the resources to protect against compromised HTML elements. (If they fail to protect users from this type of exploit, everyone is in much bigger trouble.)
Unfortunately, Bitwarden users can’t sidestep this autofill issue by copying and pasting login information from the password manager into a form either. If an externally hosted module is compromised, it is compromised: no matter how you enter your login details, you can’t tell whether the form is internally or externally hosted, and that’s the problem.
As for hacked official websites, nothing can protect against such a situation yet. That’s why random passwords for every single site, service, and app are so important — they keep the damage limited to that one place. And like it or not, the best way to keep track of dozens (if not hundreds) of credentials is with a password manager. Choose (and use) one judiciously and you should avoid most problems.