What are your thoughts on the following article from PCWorld, should we all turn off autofill?
This article has been reviewed and discussed on Reddit:
The bottom line is that the article is highly misleading, and that — contrary to PCWorld’s recommendation — you should not disable autofill (because doing so would open you up to a greater number of more serious vulnerabilities than the one theoretical issue that is the basis for this — to be frank — piece of click-bait).
There are a few things that you can do to make your use of auto-fill more secure, such as refraining from enabling the optional “auto-fill on page load” feature, and making sure that your URI Match Detection methods are set to something more restrictive than Base Domain.
It is not just PCWorld, this message is all over the internet and I don’t doubt the claims are well grounded.
The basis appears to be some work done by FlashPoint https://flashpoint.io/blog/bitwarden-password-pilfering/
It looks founded and not clickbait. There is a problem here.
I think we need to be carefull using autofill, maybe why it is off by default.
I enabled auto-fill but I use selectively via (ctrl/cmd+shift+L). I ask myself do I trust this site, does it show ads on it’s login page, do I care about leaking that login (i.e. I don’t care about leaking login to a read only forum).
Let me explain why this is clickbait.
But first, let me clarify some terminology. “Auto-fill” is a process of directly transferring credentials from the browser extension into a web form without using the system clipboard (i.e., by copy & paste). Auto-fill can be either automatic (in Bitwarden, this is called “auto-fill on page load”), or on-demand (in Bitwarden, on-demand auto-fill can be triggered using the Ctrl+Shift+L shortcut, or by clicking a login item shown in the Tab view of the browser extension, or by going through the right-click context menu).
The PCWorld article linked by OP opens by recommending that Bitwarden users should avoid auto-fill altogether (i.e., both on-demand and automatic auto-fill — which the article author refers to as “preemptive” auto-fill, for some reason). This is unequivocally bad advice, because it opens up users to phishing attacks, as well as leaks/theft of credentials via the system clipboard (the contents of which can be read by any process on your device). There is a lot of other misinformation in the PCWorld article, as explained in the Reddit discussion that I had linked above. Particularly egregious is the fact that PCWorld is using this article to promote Dashlane as their “best” “editor’s choice”, when Dashlane has automatic autofill enabled by default, which Bitwarden does not (although the article never admits this, and even falsely implies that the opposite is true). This article is so poorly written, that it is not worth anybody’s while to pay attention to it.
Turning our attention to real issues, yes, it is true that there are some risks inherent in the use of auto-fill, especially automatic auto-filling. However, these risks are not unique to Bitwarden, and they are not exactly breaking news — they have been known for decades. The most insidious vulnerability is the ability to harvest auto-filled credentials from invisible form fields. The most likely vector of such an attack is script injection by XSS. Another, less likely approach that could have the same results is the use of iframes with a third-party source. All of this is well-known (and in fact, Bitwarden patched an iframe-related vulnerability last year), but the recent Flashpoint report claims credit for re-discovering the iframe mechanism. And now, all sorts of disreputable publishers are seizing on this report as a way of driving click-traffic and promoting competitor products (that all suffer from the same underlying vulnerabilities, whether or not they have implemented a band-aid solution for the iframe-mediated vector).
For a discussion of auto-fill issues away from the tabloid drama, I refer readers to this post of mine from some time ago:
I don’t think the FlashPoint article should be dismissed as just clickbait.
Their article seems a level headed analysis of BitWardens approach to handling iframes, including a discussion with BitWarden, and then draws a conclusion.
The message is BitWarden has a problem with iframes.
Here is the article https://flashpoint.io/blog/bitwarden-password-pilfering/
I don’t have any personal experience of FlashPoint but I know they are being taken seriously by people who would know if their work should be dismissed as clickbait.
I think it is a good thing is to raise user awareness.
@DoctorB — I am dismissing the PC World hatchet piece as clickbait, out of hand. I’m not sure if you stopped reading after the first sentence of my response, and assumed I was referring to FlashPoint.
As for the FlashPoint.io report, I tried to summarize its shortcomings in my response above. It is a rehashing of an old vulnerability, so it doesn’t need to be written up as if it were some newly discovered exploit. Furthermore, the iframe issue is an infrequently encountered variant of a larger class of vulnerabilities — i.e, invisible forms injected by third-party scripts (typically websites use iframes only as a fallback within a
<noscript> block for browsers that can’t run scripts). Note that the script-based variant of this type of attack has actually been observed in the wild, on approximately 0.1% of the top million websites. The same can’t be said about the iframe “vulnerability” being touted by Flashpoint. Flashpoint claims to have created a working exploit, but a paid subscription is required to access this demonstration, so there is evidently a profit motive behind the publication of their report.
thanks for this discussion @DoctorB and @grb there are additions to iframe autofilling to address all concerns in the release next week. as has been noted, cases of a malicious iframe on a trusted login page are extremely rare
Hi Gary O (@go12)
Mr Google tells me that FlashPoint are retained by Fortune 500 companies for security advice and they are flagging BitWarden as a product with security concerns so I think it fatuous to dismiss the issues they raise as clickbait.
What about this problem they highlight
“BitWarden will auto-fill iframes from different origins without showing any warnings for iframes from different origins”
They say this is a problem that is unique to BitWarden?
hi @DoctorB see comment above for release coming next week. snapshot: users will have warnings, and they will also have the option to utilize URI match detection for the many cases where this workflow is intended and safe
@go12 I’m frustrated by all the attention given to the iframe (non-)issue because it takes focus away from the underlying cause of the larger vulnerability. And by implementing a band-aid for the iframe case (like some other password managers have apparently done), we accomplish very little except being able to respond to FlashPoint’s criticism.
I think that it would be better to spend some effort on the main issue — the challenge of invisible form fields (which can be used legitimately or for harm, complicating the problem).
I have proposed some potential strategies in other threads on the forum, which I will summarize below:
Implement an option to disable auto-filling of invisible form fields. This should be optional, because some invisible forms are legitimate — however, security-conscious users would likely be willing to pay the price of breaking a few auto-fill scenarios for the benefit of avoiding credential theft. There is a technical challenge in determining whether forms are visible or not (e.g., Marek Toth has demonstrated a clever method of hiding the form by setting
opacity:0.2). Nonetheless, it may be worthwhile trying to detect the most obvious methods for hiding input forms (e.g.,
The browser extension should count the number of available input fields that will be autofilled using the password field. If more than one such field is found on the current page, present the user with a warning before auto-filling. This will alert the user that there may be a hidden form on the login page, but it will have the side-effect of creating an extra confirmation step when using auto-fill to complete account registration and password change forms. The unwanted side-effect could be avoided by allowing the user to mark specific URIs as login forms (where only a single password field is expected), so that the warning is presented only when multiple password fields are detected on a form that has been designated as a login form.
Since auto-fill vulnerabilities can be greatly amplified by using Base Domain for URI match detection while also having “auto-fill on page load” enabled, it should be harder for the user to set up this dangerous combination of preferences. Specifically, n the Autofill Settings, it should not be possible to enable “Autofill on page load” (i.e., this option should be “grayed out” and inactive) unless the “Default match detection” option has been set to something other than Base Domain . Of course, there should be some accompanying explanatory text (e.g.,
To enable auto-fill on page load, the default match detection option cannot be set to "Base Domain"). If Base Domain matching is still required to get auto-fill to work the way the user wants, then they would still have the option to choose this setting by customizing individual URIs; thus, this proposal does would not break any existing functionality, but it will enhance the security of users who do not pay attention to the consequences of their choices.
I think it’s fatuous to dismiss a detailed explanation after reading only its first sentence.
@grb thanks for this thoughtful breakdown. there are near term and longer term options and Bitwarden wanted to address the immediate perceived concerns since it was beginning to cause far too much misunderstanding
I can certainly agree with this sentiment.
It’s kind of ironic/devious how the “security” publication industry makes us less safe by forcing developers to put out manufactured fires (fires that have been deliberately set for purposes of driving web traffic), thus taking time and attention away from real security issues.
I do hope that Bitwarden will consider some of my proposals for intermediate- to long-term approaches to improving auto-fill security.
Great discussion and thanks for all the input, my simple question turn into quite a rabbit hole!
Further proves there is no such thing as a simple question and that they don’t call them confuzers for nothing.
I got my detailed explanation from FlashPoint. FlashPoint are accreditted security experts.
and we learned there is going to be a release next week. Woooo Hoooo
I see no accreditations listed on their website, and I have plenty of accreditations on my own. Accredited or not, they still managed to write a poorly researched report that lead to a lot of misinformation being spread on the internet tabloids, caused unnecessary worry for Bitwarden users, created a distraction for Bitwarden developers (and ultimately made the codebase more difficult to maintain, due to the way that the hotfix was implemented).
A quick scan of their website shows Flashpoint supports
- each of the top 10 largest U.S.-based financial institutions;
- five of the top 10 largest global technology companies;
- three of the top five largest U.S. health insurance providers;
- seven retailers in the Fortune 100;
Named clients include Microsoft, Blackrock, Red Bull, Amtrak, AXA insurance
Not what I would call an “accreditation”, but yay Flashpoint
Yes it is a good discussion. grb - Thank you for your fact based replies including the section that begins, ". . . all the attention given to the iframe (non-)issue because it takes focus away from the underlying cause of the larger vulnerability. . . .I think that it would be better to spend some effort on the main issue — the challenge of invisible form fields (which can be used legitimately or for harm, complicating the problem).