PSA: Hackers can steal your username and password for a website using an embedded iframe. It's a weakness for all password managers, and most have addressed the flaw in various ways, including issuing warnings when users are on a login page with an iframe or not trusting subdomains. Bitwarden is the sole exception, having determined in 2018 that the threat was not significant enough to address.

Update (March 17): A Bitwarden spokesperson contacted TechSpot to inform us that it is taking measures to mitigate the autofill vulnerability. The company did not explain why it waited five years to address the issue but did say it merged the fix request on GitHub and that the patch would be ready next week. The company said it would make two specific changes.

First, if a user enables the autofill on page load setting, Bitwarden will only fill in iframes from trusted domains, such as the same domain as the website or a specific URL the user has proactively added to their item. Second, if the user tries to fill in an untrusted iframe using manual autofill, Bitwarden displays an alert to the URI/URL they are trying to autofill and allows them to either cancel or proceed. So essentially, Bitwarden will implement process breaks and warnings like other password managers.

In its support pages regarding "Auto-fill," Bitwarden advises users to turn off their browsers' password autofill functions because they interfere with its password management solution. It also mentions it is a good idea because "experts generally agree that built-in password managers are more vulnerable than dedicated solutions like Bitwarden," which is generally true. Unfortunately, its password filler might not be much better than your browser's.

Security researchers at Flashpoint discovered that Bitwarden's autofill extension handles websites with embedded iframes in an unsafe manner. A basic understanding of iframes is needed to understand this vulnerability.

Website developers use the inline frame element, or iframe, to embed part of another webpage into their site. For example, TechSpot uses iframes to embed YouTube videos into its articles. Generally, iframes are safe to use as long as the embedded material from the external website has not been compromised, and this is where managers have a problem.
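The two changes described in the March 17 update can be read as a single decision made for each iframe before any credential is filled. The sketch below is an added example, not Bitwarden's code; the function names, the exact-hostname matching rule (subdomains are not trusted) and the sample URLs are assumptions made for illustration.

```javascript
// Added illustration, not Bitwarden's code. Assumptions: "same domain" means an
// exact scheme + hostname match (subdomains are NOT trusted), and a URI saved on
// the vault item is trusted when its scheme and hostname match the frame's.
function parseOrigin(url) {
  try {
    const u = new URL(url);
    if (u.protocol !== "https:" && u.protocol !== "http:") return null;
    return { scheme: u.protocol, host: u.hostname.toLowerCase() };
  } catch {
    return null; // unparsable URLs are never trusted
  }
}

function isTrustedFrame(topUrl, frameUrl, savedUris) {
  const top = parseOrigin(topUrl);
  const frame = parseOrigin(frameUrl);
  if (!top || !frame) return false;
  const same = (a, b) => a.scheme === b.scheme && a.host === b.host;
  if (same(top, frame)) return true; // frame served by the site itself
  // Otherwise the user must have added the frame's URL to the item.
  return savedUris.map(parseOrigin).some((s) => s !== null && same(s, frame));
}

// trigger: "pageLoad" (autofill on page load) or "manual" (user-invoked fill).
function decideIframeAutofill({ topUrl, frameUrl, savedUris, trigger }) {
  if (isTrustedFrame(topUrl, frameUrl, savedUris)) return { action: "fill" };
  // Change 1: on page load, untrusted frames are silently skipped.
  if (trigger === "pageLoad") return { action: "skip" };
  // Change 2: manual fill shows the frame's URL and lets the user cancel or proceed.
  return { action: "confirm", showUrl: frameUrl };
}

// Constructed sample data (example.com / example.net are reserved names).
const topUrl = "https://shop.example.com/checkout";
const savedUris = ["https://login.example.com/"];
const frames = [
  "https://shop.example.com/login-widget", // same host as the page
  "https://login.example.com/form",        // saved on the item by the user
  "https://ads.shop.example.com/slot",     // subdomain: untrusted here
  "https://collect.example.net/form",      // unrelated third party
];
for (const frameUrl of frames) {
  for (const trigger of ["pageLoad", "manual"]) {
    const d = decideIframeAutofill({ topUrl, frameUrl, savedUris, trigger });
    console.log(trigger.padEnd(8), frameUrl, "->", d.action);
  }
}
```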