![]() The other is if an attacker hosts a web page under a subdomain. The first is if an attacker embeds an external iframe into an uncompromised website and enables the ‘Auto-fill on page load option’. In their original research, Flashpoint researchers found that the password manager was handling iframes embedded on a web page in an atypical manner.īitwarden would auto-fill forms in an embedded iframe even if they were from different domains (opens in new tab).īy combining the autofill behaviour with URI matching, which is when the browser extension knows when to auto-fill logins, the researchers said that could lead to two different attack methods. "We still recommend setting the 'Default URI match detection' to at least check the 'Host'.” "Please note that while the behavior of the 'URI match detection' setting is documented, the default setting still leaves an attack vector for environments where users can host content under certain sub-domains," said Krewitt. ![]() "The steps in the provided description of the fix should address the external iframe handling as the user is now in control of which iframes are filled by the extension (as opposed to filling all iframes by default). “I highly appreciate that the vendor decided to address this security issue," said Sven Krewitt, senior vulnerability researcher at Flashpoint. IT Pro has asked the company why it decided to release the fix now even though it has known about the issue since 2018. “This eliminates the iframe attack vector (opens in new tab) while still allowing convenient autofill functionality for sites that have trusted iframes,” a spokesperson from Bitwarden told IT Pro.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |