However, it also found that default URI matching, which is how a browser extension knows when to auto-fill logins, combined with unsecured auto-fill behaviour, can lead to two possible attack vectors. The first is if an uncompromised website embeds an external iframe, which an attacker controls, and enables the ‘Auto-fill on page load’ option. The second is if an attacker hosts a web page under a subdomain.

“In our research, we confirmed that a couple of major websites provide this exact environment,” said Flashpoint. “If a user with a Bitwarden browser extension visits a specially crafted page hosted in these web services, an attacker is able to steal the credentials stored for the respective domain.”

Upon contacting Bitwarden, Flashpoint revealed, to its surprise, that the company knew about the issue as far back as November 2018. Bitwarden published a Security Assessment Report in which the issue, named BWN-01-001 by the password manager, was detailed. Flashpoint researchers said that this means the issue has been documented and public for more than four years.

“Bitwarden accepts iframe auto-filling because many popular websites use this model, for example uses an iframe from ,” a spokesperson said. “So there are perfectly valid use cases where login forms are in an iframe under a different domain.”
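To make the two attack vectors concrete, here is an added example (not Bitwarden's code, and not from Flashpoint's report) that models an extension's auto-fill decision. It assumes three generic URI-matching modes (`base_domain`, `host`, `exact`) and a `require_frame_match` policy switch; the hostnames used in the scenarios are constructed for illustration. The registrable-domain helper is a deliberate simplification that takes the last two labels instead of consulting the Public Suffix List.

```python
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Return the 'base domain' of a hostname.

    Simplification (assumption for this example): the last two DNS labels.
    A production implementation would consult the Public Suffix List, since
    shared-hosting providers often register many customers under one suffix.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def matches(stored_uri: str, page_uri: str, mode: str = "base_domain") -> bool:
    """Decide whether a stored credential's URI matches the URI of a page.

    base_domain: any host sharing the registrable domain matches (weakest).
    host:        the full hostname must be identical.
    exact:       the complete URI string must be identical (strictest).
    """
    stored, page = urlsplit(stored_uri), urlsplit(page_uri)
    if mode == "base_domain":
        return registrable_domain(stored.hostname or "") == registrable_domain(page.hostname or "")
    if mode == "host":
        return (stored.hostname or "").lower() == (page.hostname or "").lower()
    if mode == "exact":
        return stored_uri == page_uri
    raise ValueError(f"unknown match mode: {mode}")


def should_autofill(
    stored_uri: str,
    top_uri: str,
    frame_uri: str,
    mode: str = "base_domain",
    require_frame_match: bool = False,
) -> bool:
    """Model the auto-fill decision for a login form located at frame_uri,
    rendered inside a top-level document at top_uri.

    The weak policy (require_frame_match=False) checks only the top-level
    document, so a matching site that embeds an attacker-controlled iframe
    gets the credential filled into that iframe (first vector in the text).
    The hardened policy also requires the frame's own origin to match.
    """
    if not matches(stored_uri, top_uri, mode):
        return False
    if require_frame_match and not matches(stored_uri, frame_uri, mode):
        return False
    return True


def evaluate_scenarios() -> dict:
    """Run the two vectors from the text against weak and hardened settings.

    All hostnames below are constructed placeholders.
    """
    # Vector 1: legitimate top-level page embeds a cross-origin iframe.
    stored = "https://accounts.legit.test/login"
    top = "https://legit.test/"
    frame = "https://attacker-controlled.test/form"

    # Vector 2: attacker hosts a page under a sibling subdomain of a shared host.
    stored_shared = "https://victim.sharedhost.test/"
    sibling = "https://attacker.sharedhost.test/"

    return {
        "iframe_weak": should_autofill(stored, top, frame),
        "iframe_frame_must_match": should_autofill(stored, top, frame, require_frame_match=True),
        "subdomain_base_domain": should_autofill(stored_shared, sibling, sibling, mode="base_domain"),
        "subdomain_host": should_autofill(stored_shared, sibling, sibling, mode="host"),
    }


if __name__ == "__main__":
    for name, filled in evaluate_scenarios().items():
        print(f"{name:28s} -> {'FILLS credential' if filled else 'does not fill'}")
```

The two settings that close the gaps are visible in the output: requiring the frame origin to match (not just the top-level document) stops the cross-origin iframe case, and using `host` or `exact` matching instead of `base_domain` stops the sibling-subdomain case on shared hosting. Neither change affects a login form served from the same host as the stored credential.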