Bitwarden mobile autofill
5/15/2023

Password managers have long offered autofill, the ability for the service or app to automatically fill in login forms with your user ID and password on saved websites. But the feature carries risk, and for the popular service Bitwarden, the danger is high enough that you should avoid autofill altogether.

Generally, security experts advise turning off the most proactive version of autofill, where your credentials automatically get filled in on saved sites. If a website is compromised, a malicious actor can capture your login info before you visually confirm that the page looks normal.

But as security firm Flashpoint.io detailed in a blog post last week, Bitwarden's autofill has a deeper vulnerability than other services. On websites that use iframes, where a page loads HTML elements from a different webpage, login forms hosted on an external website are still filled in with the saved site's user ID and password. If any of those external HTML elements become compromised (advertising, for example, is a known vector for exploits), the result could be stolen login data.

This permissiveness isn't by accident but by design: in the company's documentation about the issue, which was published in late 2018, Bitwarden states that its goal is to encourage better adoption of password managers. The company gives the example of iCloud as a major website that still uses iframes to connect to an external site for login. iCloud's login page uses iframes to enable login through that site, and Bitwarden cites this as one reason for its lax policy on autofill.

This vulnerability exists whether you have Bitwarden preemptively fill out login forms or you manually trigger autofill; Flashpoint's testing showed that either usage of autofill carries the same risk. Bitwarden also doesn't warn users when they're filling out a form hosted on a different page or site, and it gives a free pass to subdomains of a website, too. Meanwhile, other password managers look like safer options, as they remain stricter with their autofill policies. During Flashpoint's spot check of rivals, they only autofilled for the site saved in the vault entry, or at least flashed a warning if an iframe pulled in an external form.

As a password manager user, you can take two major steps to protect yourself from this kind of vulnerability. (And no, the answer isn't to never use a password manager.)