Read this security research article about password managers (both those native to the browser and third-party addons) being susceptible to XSS/cross-site scripting attacks to harvest credentials.
Is Bitwarden susceptible to XSS attacks also? Should we not use auto-fill capability? (The article notes Bitwarden does not have autofill enabled by default, and BW gets props from the article author for that).
Being somewhat lazy, I like autofill, but I often just copy and paste from Bitwarden to the form – not a big deal to do so.
Would appreciate feedback from the Bitwarden team.
The attack described here (linked in the article) appears to be similar to BWN-01-006, which covers RCE and XSS, and possibly BWN-01-001, which covers auto-fill features in the browser extension regarding X-Frames to prevent click-jacking, which would be more common in cases where a webpage is being fed a malicious ad in its approved ad spot.
These specific BWN-01-001 & BWN-01-006 findings can be located in the 2018 Bitwarden Security Assessment Report.
However, in the specific XSS attack showcased, as I understand it, it would seem as though this is being done through the “main” host page while the user data is being fed into the malicious actor’s secondary page unbeknownst to the end user. In this case I believe an attacker would have control over the main site or exploit some vulnerability in order to inject the JavaScript needed to perform this attack. It would be up to the site owner to maintain a good CSP, data sanitization for user input fields, etc. to protect against any XSS attacks, though I believe for those common attacks one might see “in the wild” Bitwarden has done a fairly decent job of mitigating this where they can.
Worst case, if a site is vulnerable to such an attack, the malicious actor only has the credentials for one account. Depending on the website it may be important or not important, but at least having a PW manager helps to ensure you don’t reuse passwords. So the effects are limited in scope to only the service that was breached, and hopefully the service would notify their users.
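As an added example (not code from this thread or from Bitwarden), a small Python checker for the site-owner mitigation mentioned above: it parses a Content-Security-Policy header and reports whether the policy would stop injected inline script, a form post of autofilled credentials to a second origin, and a fetch/XHR to that origin. The policies and origins are constructed placeholders, and the source matching approximates browser behaviour.

```python
from urllib.parse import urlparse

# Fetch directives that fall back to default-src when absent; form-action never does.
FETCH_FALLBACK = {"connect-src", "script-src", "img-src", "frame-src"}

# Constructed sample policies (not from the thread): a loose one and a tightened one.
WEAK_CSP = "default-src 'self' https:; script-src 'self' 'unsafe-inline'"
STRICT_CSP = ("default-src 'self'; script-src 'self' 'nonce-r4nd0m'; "
              "form-action 'self'; connect-src 'self'; base-uri 'none'")

def parse_csp(header):
    """Split a CSP header into {directive: [source, ...]}."""
    parts = [d.split() for d in header.split(";") if d.strip()]
    return {p[0].lower(): p[1:] for p in parts}

def directive_sources(policy, name):
    """Source list governing `name`, or None when nothing restricts it."""
    fallback = policy.get("default-src") if name in FETCH_FALLBACK else None
    return policy.get(name, fallback)

def source_allows(sources, origin, site_origin):
    """Approximate CSP source matching for an origin such as https://host[:port]."""
    if not sources or "'none'" in sources:
        return False
    target = urlparse(origin)
    for src in sources:
        if src in ("*", origin, target.hostname):
            return True
        if src == "'self'" and origin == site_origin:
            return True
        if src.endswith(":") and target.scheme == src[:-1]:  # scheme source, e.g. https:
            return True
    return False

def blocks(policy, name, origin, site_origin):
    """True only when a governing directive exists and it rejects `origin`."""
    sources = directive_sources(policy, name)
    return sources is not None and not source_allows(sources, origin, site_origin)

def assess(header, site_origin, attacker_origin):
    """Does the policy stop injected inline script and credential exfiltration?"""
    policy = parse_csp(header)
    script = directive_sources(policy, "script-src")
    # Browsers ignore 'unsafe-inline' once script-src carries a nonce or hash.
    inline_blocked = script is not None and (
        "'unsafe-inline'" not in script or any(s.startswith(("'nonce-", "'sha")) for s in script))
    return {"inline_script_blocked": inline_blocked,
            "form_post_blocked": blocks(policy, "form-action", attacker_origin, site_origin),
            "fetch_blocked": blocks(policy, "connect-src", attacker_origin, site_origin)}
```

Note that form-action does not inherit from default-src, so a policy that only tightens default-src still leaves a credential-carrying form submission to another origin unrestricted.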