Is Bitwarden susceptible to XSS attacks?

Read this security research article about password managers (both those native to the browser and third-party addons) being susceptible to XSS/cross-site scripting attacks to harvest credentials.

Is Bitwarden susceptible to XSS attacks also? Should we not use auto-fill capability? (The article notes Bitwarden does not have autofill enabled by default, and BW gets props from the article author for that).
Being somewhat lazy I like autofill but often just copy and paste from Bitwarden to the form – not a big deal to do so.

Would appreciate feedback from the Bitwarden team.


1 Like

Hello and welcome @Brendon_LA,

Great post and wonderful question, thanks for sharing the article.
Just wanted to chime in and add some points I found.

I would highly suggest checking out, Bitwarden Security Whitepaper | Bitwarden Help & Support, and Compliance, Audits, and Certifications | Bitwarden Help & Support
Here Bitwarden specifies their web-vault is protected against XSS attacks via strong content security policy (CSP) set in place, as is best practice.
This was recently evaluated in the 2020 Bitwarden Network Security Assessment Report and covered under ISSUE-02 – Content Security Policy Allows “style-src unsafe-inline”

In the attack described here linked in the article this appears to be similar to BWN-01-006 which covers RCE and XSS, and possibly BWN-01-001 which covers auto-fill features in the browser extension regarding X-Frames to prevent click-jacking, which would be more common for cases where a webpage is being fed a malicious ad in their approved ad-spot.
These specific BWN-01-001 & BWN-01-006 findings can be located in the 2018 Bitwarden Security Assessment Report

However in the specific XSS attack showcased, as I understand it would seem as though this is being done through the “main” host page while the user data is being fed into the malicious actors’ secondary page unbeknownst to the end user. In this case I believe an attacker would have control over the main site or exploit some vulnerability in order to inject the javascript needed to perform this attack. It would be up to the site owner to maintain good CSP, and data sanitization for user input fields, etc. to prevent against any XSS attacks, though I believe for those common attacks one might see “in the wild” Bitwarden has done a fairly decent job to mitigate this where they can.

Worst case, if a site is vulnerable to such an attack then the malicious actor only has the credentials for one account. Depending on the website it may be important or not important, but at least having a PW manager helps to ensure you don’t reuse passwords. So the effects are limited in scope to only the service that was breached, and hopefully the service would notify their users.