Vulnerabilities in Bitwarden password manager browser extension can reveal passwords

Sicherheit (Pexels, allgemeine Nutzung)[German]Users of the Bitwarden password manager run into the risk of the auto-fill feature leaking credentials when visiting websites. Malicious websites could steal credentials via an IFRAME embedded in trusted pages and send them to an attacker.


Advertising

Bitwarden is a freemium open-source password management service that stores confidential information such as website credentials in an encrypted vault. However, there is now a heated debate about this service's browser plugins and their security against password theft.

FlashPoint on Bitwarden password security

The issue was covered by security researchers from the security provider FlashPoint, who published the article Bitwarden: The Curious (Use-)Case of Password Pilfering. Within the blog post they point out a problem with the open source Bitwarden password manager. I have picked out the following tweet from the countless reports of the last few hours as an initial source.

FlashPoint about Bitwarden pw security

The Bitwarden AutoFill Problem

FlashPoint security researchers took a closer look at the behavior of Bitwarden (password manager browser extension) and came across a potential problem. Embedded iframes in a web page are handled by Bitwarden in an atypical way. With iframes, you can embed the content of a third-party website (e.g. credit card data) in a web page – this is well known.

The browser should separate the context of this embedded iframe foreign page from the parent page. This can be controlled via the same-origin policy. If this is active, the iframe-embedded page is isolated from the parent page and cannot access its content (see the following figure).


Advertising

Same-Origin-Policy
Same-Origin Policy Behavior, Source: FlashPoint

The policy is considered an important security concept and is implemented in all major browsers. This prevents embedded web pages from retrieving critical information from a parent page.

The Bitwarden browser extension can offer users to enter stored credentials for a known web page for an auto-fill login. If the Bitwarden option "Auto-fill on page load" is enabled, this auto-fill happens without user interaction.

The problem: The Bitwarden browser extension also uses the auto-fill feature on pages where third-party content from other domains is embedded via iframe. The web page embedded via iframe does not have access to the content of the parent page. But the page can wait for input into the login form and forward the entered credentials to a remote server without further user interaction, the security researchers write.

The Bitwarden documentation does include a warning that "compromised or untrusted websites" could exploit this to steal credentials. The security researchers state that there is little an extension can do to prevent credential stealing if the website itself is compromised.

However, there are regular (non-compromised) websites that embed external iframes for various reasons, such as advertising. This means that an attacker does not necessarily need to compromise the website itself – they just need to have control over the content of the iframe. A few prominent websites were then randomly checked to determine if an iframe was embedded on the login page. Only a few applicable cases were found, which reduces the potential risk.

Another subdomain vulnerability

While creating a proof-of-concept to exploit the vulnerability, security researchers came across another vulnerability CVE-2023-27974 in the Bitwarden extension. This one is in the behavior regarding the default URI matching – a setting that determines how the browser extension should offer auto-filling of logins.

By default, the setting is set to "base domain". This means that the Bitwarden extension provides auto-fill functionality on any page where the base domain, i.e. the top-level and second-level domains, match. However, this is a problem when subdomains are used.

For example, if a company operates a login page at logins.company.tld, and there is another page <customer-name>.company.tld, those users can steal credentials from the bitwarden extensions. In their blog post, the security researchers describe several scenarios in which attackers gain access to stored credentials for websites..

When the researchers confronted Bitwarden with the findings, a surprising response came. The provider seems to have been aware of this problem for many years. In its response, Bitwarden referred the security researchers to the Security Assessment Report (PDF, see also this Bitwarden page) dated November 8, 2018, which describes the vulnerability in terms of iframes handling (BWN-01-001). This means that this vulnerability has been considered documented and publicly known for over four years!

Due to the unsatisfactory response, Flashpoint created and provided Bitwarden with two examples demonstrating how the vulnerability can be used to steal credentials. Bitwarden's response provided a use case for why iframes need to be handled this way. It would have to be the use case mentioned to Bleeping Computer: "Bitwarden accepts iframe auto-population because many popular websites use this model, e.g. icloud.com uses an iframe from apple.com."

However, Bitwarden plans to exclude the reported hosting environment from the auto-fill functionality, according to FlashPoint. What will not be corrected, however, is the general iframe functionality. A brief search by FlashPoint researchers of similar service providers showed that they do not use auto-fill and may display a warning if there is a risk of data being leaked via iframes. The problem currently appears to exist only with the Bitwarden product.

FlashPoint security researchers recommend that Bitwarden users disable the Auto-Fill on page load feature and set the Default URI Match Detection setting to Host or Exact. This will reduce exploitation of the vulnerability via subdomains at hosting providers. It should be noted that credential disclosure is not prevented when a web application embeds potentially attacker-controlled iframes in a login page.


Cookies helps to fund this blog: Cookie settings
Advertising


##1

This entry was posted in Security, Software and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *