Bitwarden flaw can let hackers steal passwords using iframes


Risky behaviour in Bitwarden’s credential autofill feature could let malicious iframes embedded in trusted websites capture users’ login details and send them to an attacker. Analysts at Flashpoint said Bitwarden first became aware of the issue in 2018 but chose to leave the behaviour in place to accommodate legitimate websites that use iframes.

Although Bitwarden’s autofill feature is disabled by default and, according to Flashpoint, the conditions needed to exploit it are uncommon, there are still websites that meet them, where motivated threat actors could try to take advantage of this behaviour.
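The security boundary at stake is the browser origin of the frame that actually receives the credentials, not just the site shown in the address bar. The following is an added illustration, not Bitwarden's code: a hypothetical permissive policy that checks only the top-level page beside a strict policy that also checks the frame's own origin, with an explicit per-site allow-list standing in for "trusted websites that use iframes". All URLs are constructed sample values.

```javascript
// Added example (hypothetical policies, not Bitwarden's implementation).
// A browser "origin" is scheme + host + port; a frame served from another
// origin is a different security principal even when it sits on a trusted page.

function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`; // host already includes a non-default port
}

// Weak policy: fills whenever the address-bar page matches the saved login,
// no matter which frame contains the form. A foreign iframe on that page
// would receive the credentials.
function permissiveAutofill(savedOrigin, topLevelUrl, frameUrl) {
  return originOf(topLevelUrl) === savedOrigin;
}

// Strict policy: the frame itself must be the saved origin, or be explicitly
// allow-listed for that saved login (how a site that legitimately hosts its
// login form in a cross-origin iframe can still be accommodated).
function strictAutofill(savedOrigin, topLevelUrl, frameUrl, allowList = []) {
  if (originOf(topLevelUrl) !== savedOrigin) return false;
  const frameOrigin = originOf(frameUrl);
  return frameOrigin === savedOrigin || allowList.includes(frameOrigin);
}

// Constructed scenario: a saved login for trusted.example, and a login form
// living in a frame served from an unrelated origin on that trusted page.
const SAVED = "https://trusted.example";
const TOP = "https://trusted.example/account";
const OWN_FRAME = "https://trusted.example/embed/login";
const FOREIGN_FRAME = "https://frame.example.net/login";

// Summarise both policies' decisions for the scenario above.
function compareDecisions() {
  return {
    permissiveForeign: permissiveAutofill(SAVED, TOP, FOREIGN_FRAME), // true: leaks
    strictForeign: strictAutofill(SAVED, TOP, FOREIGN_FRAME),         // false: blocked
    strictOwnFrame: strictAutofill(SAVED, TOP, OWN_FRAME),            // true: same origin
    strictAllowListed: strictAutofill(SAVED, TOP, FOREIGN_FRAME, ["https://frame.example.net"]), // true
  };
}

console.log(compareDecisions());
```

Under the permissive policy the foreign frame is filled purely because the top-level page matched; the strict policy only fills it when an administrator has deliberately allow-listed that frame origin.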

