Is BitWarden vulnerable to autospill

Is BitWarden vulnerable to autospill?

Android apps often use WebView controls to render web content, such as login pages within the app, instead of redirecting the users to the main browser. Does BitWarden for Android do this?

Does BitWarden for Android use Android’s WebView framework to automatically type in a user’s account credentials when an app loads the login page?

6 Likes

Hi @TambourineMan! Welcome to the Bitwarden community!
Bitwarden was not a part of this research and has not been notified by the researchers that it affects Bitwarden. The team is currently investigating the details and will address it if needed.
As always, users should avoid malicious apps by sticking to known app stores and trusted sources.

4 Likes

@go12 whether or not a technical change to Bitwarden Android is required, some statement in the near future from Bitwarden saying we’re good would be very much appreciated.

1 Like

Good news, there’s now a 30 minute blackhat demo of this vuln.
Quite scary demo honestly. I always assumed 3rd party login (oauth) on webview is safe on any app. It's definitely not with Bitwarden on Android.
https://www.youtube.com/watch?v=t-6YYdbjO7g
Please watch it, I’m convinced after watching you’ll agree it must be fixed ASAP.
(Also interesting: https://github.com/PhilippC/keepass2android/issues/2478)
Thank you

Hello! Any update on this? I would like to know if Bitwarden is vulnerable to the mentioned attack. Thank you.

Welcome @JF_Gagnon, @sam3 to the community!

The best things you can do to defend against this risk are to:

  1. Disable “Auto-fill on page load”. It is ok to use the auto-fill menu or control-shift-L; you just don’t want to give away any of your passwords without your permission.
  2. Only install applications which you need, that have a good reputation, and are widely deployed.
  3. Be suspicious if an app is asking for a credential that makes little sense. For example, does the latest Candy Crush really need to log in to your email account?

Autospill appears to only be exploitable by an app using an embedded web browser to prompt for credentials. So, not a problem when using Chrome; just a problem when using installed apps. This does presume one trusts Chrome; if not, the problem is much larger than simple credential theft, and it is time to find a browser you do trust.

The Black Hat slides state “Android and PM developers must work together to fix AutoSpill”. In other words, Android probably needs to build a new autofill library and the password managers need to switch to it instead of the incumbent. Not something that is going to happen overnight and not something Bitwarden can do alone.

1 Like
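As an added illustration of the point made above (this is not Bitwarden's code and not the fix the slides call for), the Java sketch below shows how an Android AutofillService can tell whether the password field it is asked to fill sits inside an embedded WebView, using the web domain the autofill framework reports on the WebView's node, and a hypothetical `shouldOffer` policy that restricts fills into web content to credentials saved for that exact domain. The class and method names are invented; the Android framework calls are real.

```java
import android.app.assist.AssistStructure;
import android.app.assist.AssistStructure.ViewNode;
import android.service.autofill.FillContext;
import android.service.autofill.FillRequest;
import android.view.View;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public final class FillTargetInspector {
    /** A password field plus the app hosting it and the web origin it belongs to (if any). */
    public static final class PasswordTarget {
        public final String hostPackage; // app whose window contains the field
        public final String webDomain;   // non-null only when the field is rendered by a WebView
        PasswordTarget(String hostPackage, String webDomain) {
            this.hostPackage = hostPackage;
            this.webDomain = webDomain;
        }
        public boolean isEmbeddedWebContent() { return webDomain != null; }
    }

    /** Walk every window in the fill request and collect the password fields found. */
    public static List<PasswordTarget> findPasswordTargets(FillRequest request) {
        List<PasswordTarget> out = new ArrayList<>();
        for (FillContext ctx : request.getFillContexts()) {
            AssistStructure s = ctx.getStructure();
            String host = s.getActivityComponent().getPackageName();
            for (int i = 0; i < s.getWindowNodeCount(); i++) {
                walk(s.getWindowNodeAt(i).getRootViewNode(), host, null, out);
            }
        }
        return out;
    }

    // A WebView reports its domain on the container node, so descendant fields inherit it.
    private static void walk(ViewNode node, String host, String inheritedDomain, List<PasswordTarget> out) {
        String domain = node.getWebDomain() != null ? node.getWebDomain() : inheritedDomain;
        String[] hints = node.getAutofillHints();
        if (hints != null && Arrays.asList(hints).contains(View.AUTOFILL_HINT_PASSWORD)) {
            out.add(new PasswordTarget(host, domain));
        }
        for (int i = 0; i < node.getChildCount(); i++) walk(node.getChildAt(i), host, domain, out);
    }

    /** Hypothetical policy: a field inside a WebView is offered only credentials saved for that
     *  exact domain; a credential saved for the host app itself goes to native fields only. */
    public static boolean shouldOffer(PasswordTarget t, String credAppPackage, String credDomain) {
        if (t.isEmbeddedWebContent()) return t.webDomain.equalsIgnoreCase(credDomain);
        return t.hostPackage.equals(credAppPackage);
    }
}
```

The scheme check (`ViewNode.getWebScheme()`, API 28) is left out for brevity; a production policy would also refuse to treat an `http` origin as equal to the saved `https` one.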