Bitwarden has a flaw, but maybe it's not as bad as it seems

Bitwarden has a flaw, but maybe it's not as bad as it seems

Bitwarden has a flaw

According to a report by Flashpoint , Bitwarden, undoubtedly one of the best free password managers , has some security problems related to the credential autofill feature and iframes. According to analysts, the company would have discovered the potential problem for the first time in 2018, but would have left it as it is so as not to create problems on all those sites that use iframes in a legitimate way.

Before telling you better the news, we specify that  the function is disabled by default, so unless you have not activated it manually, you run no risk. Secondly, exploits of this type are rare, but there are still sites where malicious people try to exploit them.

When you visit a website, the Bitwarden extension checks if there is any login data and, if the autocomplete function is enabled, it fills the fields automatically on page load. The problem arises from the fact that the extension automatically fills in the fields present in the iframes embedded in the site, even if they have an external domain.

According to what the researchers discovered, autofill also works in subdomains: this means that an attacker could steal the login data to a domain by exploiting a subdomain and a phishing page.

“Even if the embedded iframes do not have access to any content of the original page, they can wait for input from login fields and forward the credentials to a remote server without any user interaction”, explains Flashpoint . “Some providers allow hosting of arbitrary content in a subdomain of their official domain, where the login page is also present” continues the company. “For example, if a company has its login page at and allows a user to host something at .company.tld, that user could steal their login credentials using Bitwarden.”

Also in this case, the seriousness of the matter is greatly reduced if one considers that it is not always possible to register a subdomain of a legitimate domain. The operation is possible, for example, in the case of free hosting services, so it is always better to be careful.

Bitwarden is aware of the problem and clearly warns users of the risks in its documentation. In light of this latest report, the company will block autocomplete for hosting environments flagged in an update, but does not appear to be intending to change the iframe-related functionality.

“Bitwarden accepts autocomplete for iframe as many popular sites use this model, such as and So there are perfectly valid use cases where the login forms are in an iframe with a different domain; the autocomplete functionality described [by the report] is not enabled by default in Bitwarden and there is a warning warning of the risks both in the software and in the documentation”. Bitwarden told colleagues at BleepingComputer .