Inline frames ('iframes') are a common component of web pages and part of the HTML markup language. They allow a web page to include content from external sources. Many kinds of content can be loaded in an iframe, including simple interfaces with text fields for entering login credentials.

"While the embedded iframe does not have access to any content in the parent page, it can wait for input to the login form and forward the entered credentials to a remote server without further user interaction," stated Flashpoint.

The researchers explained that they are aware of regular, uncompromised websites that use embedded external iframes for a number of reasons, including advertising. "This means that an attacker does not necessarily need to compromise the website itself – they just need to be in control of the iframe content," they explained.

Despite this, Flashpoint found that few websites embed an iframe on their login page, which lowers the risk. However, it also found that default URI matching, which is how the browser extension decides whether a saved login belongs to the page being visited, combined with unsecured auto-fill behaviour, can lead to two possible attack vectors. The first is an uncompromised website that embeds an external iframe controlled by an attacker, visited by a user who has the extension's 'Auto-fill on page load' option enabled: the extension matches the top-level page and fills the form inside the attacker's frame. The second is an attacker hosting a web page under a subdomain of the site for which credentials are saved, since base-domain matching treats every subdomain as the same site.

"In our research, we confirmed that a couple of major websites provide this exact environment," said Flashpoint. "If a user with a Bitwarden browser extension visits a specially crafted page hosted in these Web services, an attacker is able to steal the credentials stored for the respective domain."

Upon contacting Bitwarden, Flashpoint learned, to its surprise, that the company had known about the issue as far back as November 2018. Bitwarden had published a security assessment report in which the issue, named BWN-01-001 by the password manager, was detailed.
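The two vectors described above, as an added illustration in JavaScript (this is not Bitwarden's or Flashpoint's code, and the matching modes and the check-the-frame policy are a simplified model, not a description of any particular extension's implementation). All hostnames are constructed sample values; `baseDomain()` takes the last two DNS labels, whereas a real implementation must consult the Public Suffix List.

```javascript
// Added illustration (not Bitwarden's or Flashpoint's code): how a password-manager
// extension's URI-matching mode, and which frame's URL it consults, decide whether
// saved credentials are auto-filled. All URLs below are constructed sample values.

// Simplified "base domain": the last two DNS labels. A production implementation
// must use the Public Suffix List instead (so that e.g. "co.uk" is not a base domain).
function baseDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  return labels.slice(-2).join(".");
}

// Match modes modelled on the ones password managers commonly offer.
// "baseDomain" is the permissive default the article refers to.
function matchesSavedUri(savedUri, candidateUrl, mode) {
  const saved = new URL(savedUri);
  const cand = new URL(candidateUrl);
  switch (mode) {
    case "baseDomain":
      return baseDomain(saved.hostname) === baseDomain(cand.hostname);
    case "host":
      return saved.host === cand.host; // hostname plus port
    case "exact":
      return saved.href === cand.href;
    default:
      throw new Error(`unknown match mode: ${mode}`);
  }
}

// Decide whether to auto-fill a login form found in a given frame.
// checkFrame=false reproduces the unsafe behaviour: only the top-level tab URL is
// consulted, so a form inside any embedded iframe gets filled.
// checkFrame=true additionally requires the frame's own URL to match the saved
// entry, which denies the fill to an attacker-controlled third-party iframe.
function shouldAutofill(savedUri, topUrl, frameUrl, { mode = "baseDomain", checkFrame = true } = {}) {
  if (!matchesSavedUri(savedUri, topUrl, mode)) return false;
  if (!checkFrame) return true;
  return matchesSavedUri(savedUri, frameUrl, mode);
}

// Vector 1 (constructed): a legitimate login page embeds an attacker-controlled iframe.
const SAVED = "https://login.example.com/";
const TOP = "https://login.example.com/signin";
const EVIL_FRAME = "https://ads.attacker.test/fake-login";

function vector1() {
  return {
    // true: the fill lands in the attacker's frame
    unsafe: shouldAutofill(SAVED, TOP, EVIL_FRAME, { checkFrame: false }),
    // false: the frame's origin does not match the saved entry
    hardened: shouldAutofill(SAVED, TOP, EVIL_FRAME, { checkFrame: true }),
  };
}

// Vector 2 (constructed): the attacker hosts a top-level page on a subdomain of the target.
// Here the frame check cannot help, because the attacker's page IS the top frame;
// only a stricter match mode prevents the fill.
const SAVED2 = "https://accounts.example.com/";
const EVIL_SUB = "https://attacker-pages.example.com/login";

function vector2() {
  return {
    baseDomain: shouldAutofill(SAVED2, EVIL_SUB, EVIL_SUB, { mode: "baseDomain" }), // true
    host: shouldAutofill(SAVED2, EVIL_SUB, EVIL_SUB, { mode: "host" }),             // false
  };
}

console.log("vector 1 (third-party iframe):", vector1());
console.log("vector 2 (attacker subdomain):", vector2());
```

The point the two functions make is that the two vectors have different fixes: the iframe vector is closed by matching the frame's own origin rather than only the tab's, while the subdomain vector survives that check and is only closed by moving the affected entry from base-domain matching to host or exact matching.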