Add confirmation for the Auto-fill option - the exploit suggests the current warning might not be harsh enough?

This is not sufficient for an attack.

For example, me.blogspot.com and notme.blogspot.com are both hosted on the blogspot.com domain, and presumably belong to different users. However, here, the Sign-In link opens the blogger.com site, and a second Sign-In link there opens a login page on accounts.google.com. Thus, the relevant Bitwarden login item would be the one that contains the google.com URI, and these credentials will not autofill on either me.blogspot.com or notme.blogspot.com.

Very specific conditions would have to be met for an attack as described by Flashpoint to be possible:

  • The service would have to allow different users to control different subdomains on a shared domain (this one is easy — e.g., blogspot.com).

  • The login page for the service would have to be hosted under each user’s subdomain (e.g., mysubdomain.example.com/login).

  • The login pages for the service would have to incorporate one or more iframes.

  • The user would need to have privileges to specify the source of the iframe contents that are rendered on their login page. Alternatively, if the iframe source is not user-specifiable, Flashpoint would have to demonstrate that they were able to compromise the third-party host that is serving the iframe contents, and that they inserted credential-phishing code into the source HTML hosted by that content provider.

  • In addition, for the scenario proposed by Flashpoint to be plausible, one has to assume that the user does not have privileges to modify any of the other HTML source code or scripts running on the login page (because if the user can arbitrarily modify the login page code, then they do not need to bother with the iframe “vulnerability” — there would be other, more robust methods to phish a user’s credentials).

The information provided in the report is not sufficient to determine whether the above conditions are met for the “prominent hosting environment” that was used in Flashpoint’s claimed PoC, and certainly not whether the conditions are met for “similar service providers” that Flashpoint claims to have “briefly research[ed]”.

P.S. I would be happy to read the details about your personal situation, and provide my perspective (if you wish to have it) — just not on this feature request thread.
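As an added illustration (my own sketch, not Bitwarden's code), here is a simplified model of the autofill decision that the conditions above hinge on: whether the saved item's URI matches both the top-level page and the frame that holds the login form, under a given URI match strategy. The strategy names, the "warn" outcome and the two-label base-domain rule are assumptions for this sketch; a real implementation would consult the Public Suffix List.

```python
from urllib.parse import urlparse


def base_domain(host: str) -> str:
    """Assumed simplification: registrable domain = last two labels.
    Real implementations use the Public Suffix List instead."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:])


def uri_matches(item_uri: str, url: str, strategy: str) -> bool:
    """Does a vault item's URI match a URL under the chosen strategy?"""
    item, page = urlparse(item_uri), urlparse(url)
    if strategy == "base_domain":      # siblings like me./notme.blogspot.com match
        return base_domain(item.hostname) == base_domain(page.hostname)
    if strategy == "host":             # only the exact hostname matches
        return item.hostname == page.hostname
    if strategy == "exact":            # full URL must be identical
        return item_uri == url
    raise ValueError(f"unknown strategy: {strategy}")


def autofill_decision(item_uri: str, top_url: str, frame_url: str,
                      strategy: str = "base_domain") -> str:
    """Return 'fill', 'warn' or 'skip' for a login form located in frame_url
    on a page whose top-level URL is top_url (hypothetical policy)."""
    if not uri_matches(item_uri, top_url, strategy):
        return "skip"                  # page itself is not a match for the item
    if frame_url != top_url:
        if not uri_matches(item_uri, frame_url, strategy):
            return "skip"              # form sits in a frame from an unrelated site
        return "warn"                  # same-domain iframe: ask the user first
    return "fill"                      # form is in the top-level document


if __name__ == "__main__":
    # Constructed inputs. Blogspot case: the item points at accounts.google.com,
    # so nothing fills on either blogspot subdomain, as the post describes.
    print(autofill_decision("https://accounts.google.com/signin",
                            "https://notme.blogspot.com/", "https://notme.blogspot.com/"))
    # Hypothetical shared-domain host where each user's login page is on their own
    # subdomain: base-domain matching reaches the sibling subdomain, host matching does not.
    for s in ("base_domain", "host"):
        print(s, autofill_decision("https://mysubdomain.example.com/login",
                                   "https://notme.example.com/login",
                                   "https://notme.example.com/widget.html", s))
```

The point the model makes visible is that a base-domain match strategy is what lets one user's subdomain be treated like another's; switching the affected item to host or exact matching removes that overlap regardless of any iframe.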