Disclosed today, March 9, 2023
If the autofill feature is turned on (it is off by default), an attacker can use a specially crafted web page containing an iframe in its HTML, and the credentials saved for the parent web page are automatically filled in.
Bitwarden was aware of the issue, but claimed the vulnerability was hard to exploit and that many popular web sites used iframes.
Now that the vulnerability is public, Bitwarden users should be more aware and check that the autofill option is disabled.
Bitwarden does issue a warning when you go to turn on its autofill feature, stating that "compromised or untrusted websites could take advantage of this to steal credentials."