Hacker News
Bitwarden flaw can let hackers steal passwords using iframes (bleepingcomputer.com)
35 points by ghostpepper on March 8, 2023 | 10 comments



How do you think Bitwarden could have handled this better?

An allowlist of domains where iframe autofill is allowed, pre-populated with some vetted examples like apple/icloud mentioned in the article?

At what point do user options trump accessibility? I tell my parents to use Bitwarden because it's more secure than their alternative (plaintext in a Google Doc), but they have no idea what an iframe is or how to spot one. If I taught them, they'd never remember because it's something so seldom used. Password managers are written for an audience much larger than us. Such an option as suggested would be useless to them.

Maybe Bitwarden made the right choice here?


Minor fail by bitwarden...

- odds of arbitrary malicious iframe being on login page seems vanishingly small, especially when a compromise of the login page is probably necessary before the iframe can be injected. How often can an iframe be injected but not arbitrary js?

- iframes having autofill should definitely be a sub option on such a feature.

Either way, also curious about other password managers and their behaviors here. TFA doesn't go into that, seems like a big omission.
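As an added illustration of the two ideas raised above, an allowlist of vetted (site, iframe) pairs and a per-user sub-option for iframe autofill, here is a decision function an extension could run before filling a form in a frame; this is example code, not Bitwarden's, KeePassXC's, or any commenter's. The allowlist entry, hostnames and option name are constructed, and the same-site check is a plain suffix match rather than a public-suffix lookup.

```javascript
// Added example, not Bitwarden's or KeePassXC's code; all names constructed.
// Vetted (top-level site, iframe site) pairs allowed to cross sites, modelled
// on the apple/icloud case. A real list would be curated with the extension.
const IFRAME_ALLOWLIST = [{ top: "apple.com", frame: "icloud.com" }];

// Lower-cased hostname of a URL (port and path dropped).
function hostOf(url) {
  return new URL(url).hostname.toLowerCase();
}

// True when `host` is `site` or a subdomain of it (suffix match on a dot
// boundary; a production build should consult a public-suffix list).
function withinSite(host, site) {
  return host === site || host.endsWith("." + site);
}

// Decide whether a credential saved for `credentialSite` may be auto-filled
// into the frame at `frameUrl`, embedded in the top document at `topUrl`.
// `isTopFrame` is what a content script learns from `window.top === window`;
// `iframeAutofillEnabled` models a per-user sub-option, off by default.
function autofillDecision({ topUrl, frameUrl, credentialSite, isTopFrame,
                            iframeAutofillEnabled = false }) {
  const topHost = hostOf(topUrl);
  const frameHost = hostOf(frameUrl);
  // Match the credential against the top-level page first, as managers do.
  if (!withinSite(topHost, credentialSite)) {
    return { allow: false, reason: "credential not for this site" };
  }
  if (isTopFrame) {
    return { allow: true, reason: "top-level form" };
  }
  if (!iframeAutofillEnabled) {
    return { allow: false, reason: "iframe autofill disabled" };
  }
  // Same-site iframe: the frame itself belongs to the credential's site.
  if (withinSite(frameHost, credentialSite)) {
    return { allow: true, reason: "same-site iframe" };
  }
  // Cross-site iframe: only vetted (top, frame) pairs pass; everything
  // else, including an injected third-party frame, is refused.
  const vetted = IFRAME_ALLOWLIST.some(
    (e) => withinSite(topHost, e.top) && withinSite(frameHost, e.frame)
  );
  return vetted
    ? { allow: true, reason: "allowlisted cross-site iframe" }
    : { allow: false, reason: "cross-site iframe" };
}
```

The key difference from matching on the top-level URL alone is that the frame's own origin is checked, so a foreign frame on a legitimate login page is refused even when the user has turned iframe autofill on.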


> odds of arbitrary malicious iframe being on login page seems vanishingly small

It's pretty common to inject credit card skimmers into checkout pages - why would login pages be any different?


How are iframes being injected into a page in a way which wouldn't allow other, simpler methods of harvesting credentials?

e.g. if I have access to inject an iframe, can't I just inject some javascript which will post the credentials to another server?

If I have access to inject an iframe, can't I just modify the server code to just post the credentials to me?


For example, the iframe is inserted by an ad network the site owners trust, and the ad network in turn assumes fencing off a third-party ad selection or bot detection or whatever script into an iframe is sufficient isolation and doesn’t look at it all that hard (or maybe is not even permitted to for legal reasons).

Having an ad on the login page is not universal, but neither is it uncommon, and some websites just have a login form on every page.


I suppose any password manager that allows browser extensions to handle these pages automatically exhibits the same flaw.



Is anyone familiar with how the KeePassXC browser extension handles this?


The same way, you can set the extension to automatically fill in and confirm, so it has the same flaw. It is not the default setting afaik.


It's disabled by default, and it's made clear that enabling it is a security risk.



