Google-discovered vulnerability in Bitwarden

Are Bitwarden aware of, and doing anything to address, the High vulnerabilities that Google have discovered in Bitwarden?

Is there a date when this issue will be fixed.

Thank you

Hi, maybe I’m missing something, but I did a test of what was reported in the first link: bitwarden did not autofill either the 4th or the 5th link, even with autofill enabled on page loading

The article from The Daily Swig says:

Both Dashlane and Bitwarden have updated their software…

So I assume it is fixed.

In the linked Google security research, they notate Bitwarden has a fix bitwarden/clients#3860 which has already been merged.

Direct from the article

Both Dashlane and Bitwarden have updated their software although Dashlane, at least, remains unconvinced that the bug represents any kind of security threat.

Hence why in testing this is no longer an issue, thanks for bringing this up though :slightly_smiling_face:

1 Like

Readers of this thread may be interested in my PSA about theft of credentials by auto-fill, including the references linked therein (and especially the linked vulnerability demo).


Spoiler Alert: As demonstrated by the ability of Steve Englehardt’s demo site to “sniff” your login credentials, cross-site scripting can still be used to steal credentials that are auto-filled into invisible forms. The patched security vulnerability only prevents auto-filling from occurring when forms are located on pages that have a CSP sandbox response header or that are located inside sandboxed iframes.

If anybody with the requisite technical expertise (e.g., @mgibson) would be willing to provide a technical explanation of what difference this recent patch makes in the context of the more general XSS vulnerability (which apparently still exists), I would be much obliged.