I read in a Flashpoint article, as well as listened to YouTube commentators and read the PC World article, about the iframe issue in Bitwarden. I have a question about auto-filling credentials into malicious iframes. Does this issue exist only when the Auto Fill on Page Load is selected? If the Auto Fill on Page Load is not selected and you simply click on the username field, then click on the credentials suggested in the Bitwarden pop-up to Auto Fill, then if there was a malicious iframe present, your UN/PW would only Auto Fill the UN/PW fields that you have selected and not Auto Fill the malicious iframe fields?
I have read other posts on this topic in the Bitwarden community forum, but I am not sure if this specific question is answered. At least I didn’t find it. Thanks for any help from someone much more experienced and knowledgeable than myself.
You’ve happened to come across some 2-year-old FUD/internet drama — which is an eternity in comparison to the pace of development at Bitwarden. The iframe kerfuffle was never a serious security threat, but regardless, Bitwarden made some code changes to mitigate user panic incited by clickbait articles and other irresponsible commentators. Since March 2023, Bitwarden users now get a warning as shown in the thread linked below:
Thanks grb for taking the time for your thoughtful response. Just to help me understand, the original issue could only occur if the Auto Fill on Page Load was enabled? and then only websites with malicious iframes?
My slow mind needs to break the purported issue down to its simplest form.
The other question that comes up is how would reputable websites allow a malicious iframe to be present on their website?
Thanks again for any thoughts you or others have on this.
No, but your exposure (to this hypothetical attack vector, and to similar, more plausible attacks that do not involve iframes) would be increased if you enable “Autofill on page load” — unless you carefully tailored your URI match detection.
Well, if by “the original issue”, you mean the iframe panic — then yes, an iframe (and a malicious one, to boot) is a necessary ingredient.
However, as I tried to explain in the linked comment from 2023, the iframe “issue” is just one example of a broader class of attack strategies, which rely on harvesting autofilled credentials using hidden login fields (or in the case of the iframe method, login fields that are visible, but that are associated with a server different from the one shown in your browser’s address bar).
So an iframe is not required, and hidden-form attacks are likely much more common than iframe-based attacks.
They wouldn’t, but they could be victim to a supply-chain attack. For example, if the “reputable” website includes advertisements or trackers on their web pages, then those are typically in the form of scripts that load code from a 3rd party (i.e., the advertisement broker or the tracking service) and allow those 3rd-party scripts to inject contents into the webpage served by the “reputable” site. This could be done by displaying the external content in an iframe, but it would be much more common to allow the 3rd-party scripts to directly modify the HTML code that determines the webpage contents and functions. All of this is very common. The risk is that one of the 3rd-party services is hacked, and that the advertising/tracking scripts used by the clients of those services are replaced by malicious scripts, which could then inject invisible login forms (or malicious iframes) into the webpages that you browse on the “reputable” site.
It seems that a reputable, security-conscious company would carefully monitor their website to make sure that a supply-chain attack has not occurred and that no hidden login fields are associated with their site?
Is there a best practice login procedure and Bitwarden browser extension settings that will avoid these issues? I do not mind inconvenience if it provides higher security.
The risk cannot be avoided 100% (unless you are willing to inspect the source code of every login form before autofilling your credentials). However, the following steps will mitigate the risks considerably:
Control where Bitwarden autofills your credentials: Do this by setting up URI match detection rules (edit the login item, and click the icon next to the URL). The most conservative option is “Exact”, in which case the stored URL string must exactly match the URL of the website’s login form. In some cases, the last part of the URL for the login form will change every time that you open the form; in those cases, set the URI match detection method to “Starts With”, and delete the part of the URL that is not constant (usually some long random strings that appear after a ? or & character). In extreme cases, you may need to use the “Regular expression” option, but that should be avoided if possible.
Control when Bitwarden autofills your credentials: Do this by disabling “Autofill on page load”. Then, trigger autofilling manually (using a keyboard shortcut, inline menus, right-click context menus, etc.).
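To make the URI match detection options in the two steps above concrete, here is an added example (not Bitwarden’s code, and not from the poster) that models each option as a small function and runs it over constructed URLs. The “base domain” rule here is simplified to the last two labels of the hostname (an assumption: the real feature consults the public suffix list), and the rule is applied to the URL of the frame that holds the login field rather than only to the address bar, which is the modelling choice that keeps a field inside a third-party iframe from matching a vault item for the top page. The hostnames and query strings are made up.

```javascript
// Added example: a simplified model of URI match detection, not Bitwarden's
// implementation. Assumption: "base domain" is the last two hostname labels
// here; the real feature uses the public suffix list.

// Last two labels of the hostname (assumption, see above).
function baseDomain(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

// true when a login stored with `storedUri` may be autofilled into a frame
// whose own URL is `frameUrl`, under the given match type. The frame's own URL
// is compared, so a third-party iframe is judged by its origin, not the top page's.
function uriMatches(storedUri, frameUrl, matchType) {
  let frame;
  try { frame = new URL(frameUrl); } catch { return false; }
  switch (matchType) {
    case "base domain":
    case "host": {
      let stored;
      try { stored = new URL(storedUri); } catch { return false; }
      return matchType === "host"
        ? stored.host === frame.host                              // hostname plus port
        : baseDomain(stored.hostname) === baseDomain(frame.hostname);
    }
    case "starts with":
      return frameUrl.startsWith(storedUri);                      // plain string prefix
    case "exact":
      return frameUrl === storedUri;                              // whole string must match
    case "regex":
      try { return new RegExp(storedUri).test(frameUrl); } catch { return false; }
    default:
      throw new Error(`unknown match type: ${matchType}`);
  }
}

// Constructed vault URIs (no real site). STORED_PREFIX is STORED_FULL with the
// changing part after "?" removed, as recommended for "Starts with".
const STORED_FULL   = "https://accounts.example.com/login?session=abc123&state=xyz";
const STORED_PREFIX = "https://accounts.example.com/login";

// Constructed situations the rules are evaluated against.
const SCENARIOS = {
  // same login page, but the session/state parameters changed on reload
  sameLoginNewSession: "https://accounts.example.com/login?session=def456&state=qrs",
  // a different subdomain of the same base domain
  otherSubdomain: "https://status.example.com/login",
  // the URL of a third-party iframe embedded somewhere in the page
  iframeOrigin: "https://ads.thirdparty.test/form",
};

// Which constructed scenarios a given rule would allow autofill for.
function decisions(storedUri, matchType) {
  const result = {};
  for (const [name, url] of Object.entries(SCENARIOS)) {
    result[name] = uriMatches(storedUri, url, matchType);
  }
  return result;
}

// Pitfall with "starts with": a stored URI that stops at the hostname with no
// trailing slash is also a prefix of any longer hostname that begins the same way.
function prefixNeedsSlash() {
  const lookalike = "https://accounts.example.com.lookalike.test/login";
  return {
    withoutSlash: uriMatches("https://accounts.example.com", lookalike, "starts with"),
    withSlash:    uriMatches("https://accounts.example.com/", lookalike, "starts with"),
  };
}

for (const type of ["exact", "starts with", "host", "base domain"]) {
  const stored = type === "starts with" ? STORED_PREFIX : STORED_FULL;
  console.log(type.padEnd(12), decisions(stored, type));
}
console.log("prefix pitfall", prefixNeedsSlash());
```

The run shows the behaviour the post describes: “Exact” rejects the same login page once the query string changes, “Starts with” on the trimmed URI accepts it while still rejecting other subdomains, “Base domain” accepts any subdomain, and none of the rules accept the third-party iframe’s own URL. When you trim a URI for “Starts with”, keep the path or at least the trailing slash after the hostname.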
I have always had “Autofill on page load” disabled.
I tried modifying five different site log-ins the way you described, with mixed results. First log-in: URI match “Exact”, this didn’t work, so I tried “Starts With” and deleted the part of the URL that came after ?, this didn’t work. So I went back to the Default (Base Domain), which worked. Three other ones worked with “Exact” and the fifth one worked using the “Starts With” setting and deleting the URL after the ?
The issues you mentioned (supply-chain attack, 3rd-party services hack, etc.), are these threats to other password managers such as Proton Pass, 1Password, NordPass etc.? Does Bitwarden analyze a website and detect these potential threats?
If you don’t mind sharing what the URL was, I can see if I am able to set up the URI matching to be something safer than “base domain”.
Yes, these threats can hypothetically affect any password manager that does autofilling of any sort.
Bitwarden does implement some defenses that attempt to detect if a form field is visible to the user or not (and does not autofill invisible fields) — however, because there are many, many ways to hide web page content, it is not possible for such defense measures to be 100% effective. Other password managers presumably implement similar defenses, but I don’t think anybody has done any head-to-head comparison to see which password managers are better at preventing autofilling of invisible forms.
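The two points above (a 3rd-party script injecting invisible login fields, and a password manager checking field visibility before autofilling without being able to cover every hiding technique) can be shown with a small added example. This is not Bitwarden’s detection code and not the poster’s; it is a deliberately simple visibility heuristic run over a hand-built element model, since there is no real DOM here (an assumption: a real extension would read getComputedStyle and getBoundingClientRect from live elements). The page layout, element names and the “injected” fields are constructed. The last field is hidden by a technique the heuristic does not check, to illustrate why such checks cannot be 100% effective.

```javascript
// Added example: a minimal visibility heuristic of the kind a password manager
// might apply before autofilling, over a constructed element model.
// Assumption: not Bitwarden's algorithm; style and geometry are given as data
// instead of being read from a live DOM.

const VIEWPORT = { width: 1280, height: 800 };

// Constructed element: computed style values, on-screen rectangle, parent link.
function el(name, style, rect, parent = null) {
  return { name, style, rect, parent };
}

function ancestorsAndSelf(node) {
  const chain = [];
  for (let n = node; n; n = n.parent) chain.push(n);
  return chain;
}

// The heuristic: reject fields (or any ancestor) that are display:none,
// visibility:hidden or fully transparent, and fields whose box is collapsed
// or lies entirely outside the viewport. Anything else is treated as visible.
function isLikelyVisible(node) {
  for (const n of ancestorsAndSelf(node)) {
    const s = n.style;
    if (s.display === "none" || s.visibility === "hidden") return false;
    if (s.opacity !== undefined && Number(s.opacity) === 0) return false;
  }
  const r = node.rect;
  if (r.width <= 1 || r.height <= 1) return false;                 // collapsed box
  if (r.x + r.width <= 0 || r.y + r.height <= 0) return false;      // pushed off-screen
  if (r.x >= VIEWPORT.width || r.y >= VIEWPORT.height) return false;
  return true;
}

// Names of the fields the heuristic would allow autofill into.
function fieldsToFill(fields) {
  return fields.filter(isLikelyVisible).map((f) => f.name);
}

// Constructed page: the site's own login field plus fields an injected
// 3rd-party script added, each hidden a different way.
const body = el("body", {}, { x: 0, y: 0, width: 1280, height: 2000 });
const legit = el("password#main", {}, { x: 400, y: 300, width: 240, height: 32 }, body);
const hiddenWrapper = el("div.injected", { display: "none" }, { x: 0, y: 0, width: 0, height: 0 }, body);
const displayNone = el("password#inj-display", {}, { x: 0, y: 0, width: 0, height: 0 }, hiddenWrapper);
const transparent = el("password#inj-opacity", { opacity: "0" }, { x: 400, y: 340, width: 240, height: 32 }, body);
const offscreen = el("password#inj-offscreen", { position: "absolute" }, { x: -9999, y: 0, width: 240, height: 32 }, body);
// Hidden by a technique this heuristic never checks: a normal-looking box that
// sits underneath an opaque overlay element, so the user never sees it.
const covered = el("password#inj-covered", {}, { x: 400, y: 380, width: 240, height: 32 }, body);

const FIELDS = [legit, displayNone, transparent, offscreen, covered];

console.log("would autofill:", fieldsToFill(FIELDS));
```

The heuristic correctly skips the display:none, transparent and off-screen fields, yet still accepts the field under an overlay, which is exactly the gap the post describes: each hiding trick needs its own check, and the list of tricks is open-ended. Restricting where autofill happens (URI match rules) and when (manual trigger instead of page load) limits how many pages can exercise that gap.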
Thanks for the willingness to look at the URL, but I was able to get it to work by going back to the site that I have bookmarked, copying and pasting that URL into its vault settings, and specifying “Exact” match under Auto-Fill options. I am not sure what I did wrong on my first try.
Since Bitwarden offers a copy option, would it be less risky to copy and paste on a site in case it has a hidden malicious form field or a 3rd-party services hack?
When using the Bitwarden Auto-Fill, does Bitwarden automatically copy and paste in the credentials or is it able to use the computer’s on screen keyboard to type in the credentials?
I don’t know off the top of my head what method Bitwarden’s autofill uses, but it does not place any information on your system clipboard. For this reason, it is much safer to use than copy & paste (because the clipboard is very vulnerable to other types of attacks).
If you don’t want to (or can’t) use autofill, then the next best option is to use drag-and-drop. You need to open the vault item details, then place the mouse pointer over the “Password” label of the password field. When the mouse pointer changes to a “move” icon (four arrows arranged in a compass shape), then click and drag the password from the browser extension into the password input field on the login form (release the mouse button when the cursor is above the password input field). This method is not as convenient as autofilling, but it avoids placing your credentials on the system clipboard.
If you use click-and-drag, then you don’t get the benefits of URI match detection, which can protect you from phishing scams — and from malicious iframes (to bring the discussion full circle).
Thanks for the update. I tried it out and it works smoothly. If you chose to do the “drag and fill”, then the URI match detection would be up to the user knowing they are on the correct log-in page, one they have bookmarked and regularly use. If you “drag and fill” into the UN/PW fields on this page, then would this protect you from malicious iframes capturing the UN/PW?
Yes, although you could still leverage the browser extension’s URI match detection feature. When you open the browser extension window, the login item will be made available under “Autofill Suggestions” at the top of the “Vault” view, if and only if there is a URI match. Thus, if you only use the drag-and-fill method with items opened from the “Autofill Suggestions” area, you should be safe from phishing.
To make viewing the item details (for drag-and-fill purposes) easier, make sure that you have disabled the option “Click items in autofill suggestions to fill” under Settings > Appearance > Vault Customization.
Ironically, drag-and-fill cannot protect you against malicious iframes (because you would be manually dragging the password into the input field inside the iframe — thus bypassing the iframe blocking algorithm that Bitwarden uses when autofilling). However, you would be protected against invisible form fields (which, IMO, are a more credible threat than malicious iframes).