Password managers have long offered autofill: the ability for the service or app to fill in login forms with your user ID and password on saved websites. But the feature comes with risks, and for the popular Bitwarden service, the danger is high enough that you may want to avoid autofill altogether.
In general, security experts recommend turning off the more proactive version of autofill, where your credentials are filled in automatically as soon as a saved site loads. If a website is compromised, a malicious actor can capture your login information before you have had a chance to look at the page and confirm that it appears normal.
But as security firm Flashpoint detailed in a blog post last week, Bitwarden's autofill has a deeper vulnerability than other services. On websites that use iframes (where one page embeds HTML content from a different web page), login forms hosted on an external site are still populated with the user ID and password saved for the embedding site. If any of that embedded content is compromised (advertising, for example, a well-known attack vector), the result could be stolen login data.
This permissiveness is not an accident but a design choice: in the company's documentation on the issue, published in late 2018, Bitwarden says its goal is to make adopting a password manager easier. The company gives the example of iCloud, a major website that still uses an iframe pointing at apple.com for login.
This vulnerability exists whether Bitwarden fills in login forms automatically on page load or you trigger autofill manually; Flashpoint's tests showed that manual autofill carries the same risk. Bitwarden also does not warn users when it is filling a form hosted on a different page or site, and it extends the same free pass to a website's subdomains. Other password managers appear to be more secure here, because their autofill policies are stricter. In Flashpoint's spot check of rival services, they filled only the site saved in the vault entry, or at least displayed a warning when an external form had been pulled in by an iframe.
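To make the difference between the two policies concrete, here is an added example that models the decision a browser-extension password manager makes for a login field. It is illustrative code written for this article, not Bitwarden's or any other vendor's implementation: the "permissive" policy follows the article's description of Bitwarden (only the top-level page is compared with the vault entry, at base-domain granularity, and the frame hosting the form is ignored), and the "strict" policy follows what the article attributes to other managers (the frame containing the form must itself match the vault entry, or a warning is shown). The `baseDomain` helper, the option names and the hostnames in the scenarios are assumptions made for the example.

```javascript
// Added example (not Bitwarden's code): models how a password manager decides
// whether to fill a login field, given the top-level page origin, the origin of
// the frame that actually contains the field, and the URL saved in the vault entry.
// Both policies are modelled on the article's description; the hostname handling
// is a simplification, not a public-suffix-list implementation.

// Hypothetical helper: approximate the registrable domain as the last two labels,
// so "login.example.com" -> "example.com". Adequate for these scenarios only.
function baseDomain(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

// Permissive policy (the behaviour the article describes for Bitwarden):
// only the top-level page is compared with the vault entry, at base-domain
// granularity, so subdomains pass and the frame hosting the form is never checked.
function permissiveDecision(topOrigin, frameOrigin, savedUrl) {
  const top = new URL(topOrigin);
  const saved = new URL(savedUrl);
  const fill = baseDomain(top.hostname) === baseDomain(saved.hostname);
  return {
    fill,
    warn: false,
    reason: fill
      ? "top-level page matches vault entry; frame origin not checked"
      : "top-level page does not match vault entry",
  };
}

// Strict policy (the behaviour the article attributes to other managers):
// the frame that contains the field must itself match the vault entry's host.
// A cross-origin frame is refused, or, with warnOnMismatch, filled with a warning
// so the user can see that the form came from somewhere else.
function strictDecision(topOrigin, frameOrigin, savedUrl, { warnOnMismatch = false } = {}) {
  const top = new URL(topOrigin);
  const frame = new URL(frameOrigin);
  const saved = new URL(savedUrl);
  if (frame.protocol !== "https:") {
    return { fill: false, warn: false, reason: "form frame is not served over https" };
  }
  if (baseDomain(top.hostname) !== baseDomain(saved.hostname)) {
    return { fill: false, warn: false, reason: "top-level page does not match vault entry" };
  }
  if (frame.hostname === saved.hostname) {
    return { fill: true, warn: false, reason: "form frame matches vault entry exactly" };
  }
  const reason = `form is in a frame from ${frame.hostname}, not ${saved.hostname}`;
  return warnOnMismatch
    ? { fill: true, warn: true, reason }
    : { fill: false, warn: false, reason };
}

// Constructed scenarios; the hostnames are placeholders, not real sites.
const scenarios = [
  { name: "same-origin form",     top: "https://bank.example", frame: "https://bank.example",          saved: "https://bank.example/login" },
  { name: "subdomain form",       top: "https://bank.example", frame: "https://login.bank.example",    saved: "https://bank.example/login" },
  { name: "compromised ad frame", top: "https://bank.example", frame: "https://ads.adnetwork.example", saved: "https://bank.example/login" },
];

// Run every scenario through both policies and return the outcomes.
function evaluateScenarios() {
  return scenarios.map((s) => ({
    name: s.name,
    permissive: permissiveDecision(s.top, s.frame, s.saved).fill,
    strict: strictDecision(s.top, s.frame, s.saved).fill,
    strictWithWarning: strictDecision(s.top, s.frame, s.saved, { warnOnMismatch: true }),
  }));
}

for (const r of evaluateScenarios()) {
  console.log(
    `${r.name}: permissive fills=${r.permissive}, strict fills=${r.strict}, ` +
      `strict+warn: fill=${r.strictWithWarning.fill} warn=${r.strictWithWarning.warn} (${r.strictWithWarning.reason})`,
  );
}
```

The third scenario is the one the article warns about: the embedding page is the genuine site, so the permissive policy fills the credentials into a form that an unrelated ad network's frame supplied, while the strict policy refuses or at least warns. Note that the strict check keys on the frame's own origin, which an extension can read, rather than on anything visible to the user, which is why no amount of looking at the page substitutes for it.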
As a password manager user, you can take two important steps to protect yourself from this type of vulnerability. (And no, the answer is not to stop using a password manager.)
- Leave automatic autofill on page load disabled. Good services and apps ship with it disabled by default; leave it that way.
- Use a service or app that doesn't fill forms hosted on external sites, or at least warns you before it does.
If you decide to stick with Bitwarden, which is a trusted service and our favorite free password manager, you should likewise keep automatic autofill off. But you should also take this precaution:
- Only trigger manual autofill on sites you can reasonably trust. Apple, for example, should have the resources to protect against compromised HTML elements. (If it fails to protect users against this type of vulnerability, everyone is in much bigger trouble.)
Unfortunately, Bitwarden users can't avoid this autofill issue by copying and pasting their login information from the password manager into a form. If an externally hosted form is compromised, it's compromised, and a login form inside an iframe looks no different from one on the page itself. So regardless of how you enter your credentials, you can't tell whether the form is internally or externally hosted, and that's the problem.
As for official websites that are themselves compromised, nothing can protect you in that situation. That's why a random, unique password for every site, service, and app is so important: it limits the damage to that one place. And like it or not, the best way to keep track of dozens (if not hundreds) of credentials is a password manager. Choose (and use) one judiciously, and you'll avoid most problems.