
If you use this free password manager, your passwords might be at risk

Security researchers have described a weakness in how Bitwarden, a popular password manager, auto-fills login forms. If exploited, it could hand your login credentials to an attacker, compromising any account that uses them.

The issue was highlighted by Flashpoint, a security analysis firm. While it has received little or no coverage until now, Bitwarden appears to have been aware of it all along. Here’s how it works.


The risk lies in Bitwarden’s autofill on page load feature. When it is enabled and the page you open matches a saved login, the browser extension fills login forms on that page, including forms inside inline frames (iframes), even when the iframe was loaded from a different origin. If such an iframe is controlled by an attacker, the credentials filled into it are the attacker’s to read. An iframe is an HTML element that embeds another web page inside the page you’re currently viewing; iframes are commonly used to embed ads, videos, and web analytics.

According to Flashpoint, using Bitwarden with autofill on page load enabled on a page that contains a third-party iframe could result in password theft. The feature fills your username and password into login forms both in the page itself and inside the embedded iframe, with no click or confirmation from you.

In its report, Flashpoint said: “While the embedded iframe does not have access to any content in the parent page, it can wait for input to the login form and forward the entered credentials to a remote server without further user interaction.”

There’s a second way an attacker could obtain your passwords. Bitwarden matches saved logins by base domain by default, so autofill on page load also fires on subdomains of the domain a login was saved for. If you land on a phishing page hosted on a subdomain of a domain whose password you have saved, Bitwarden may fill that password in for the attacker without your involvement.

“Some content hosting providers allow hosting arbitrary content under a subdomain of their official domain, which also serves their login page. As an example, should a company have a login page at https://logins.company.tld and allow users to serve content under https://<clientname>.company.tld, these users are able to steal credentials from the Bitwarden extensions,” Flashpoint explained.
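The two scenarios above (a foreign iframe on a matching page, and user-hosted content on a subdomain of the login domain), as an added example that is not Bitwarden’s own code: a simplified JavaScript model of the autofill-on-page-load decision. It assumes a credential saved for the constructed host logins.company.tld, a “permissive” policy (base-domain URI matching, fill into every frame) standing in for the behaviour Flashpoint describes, and a “strict” policy (host matching, no filling into cross-origin frames) as the hardened alternative. The hostnames, policy names and function names are made up for this example.

```javascript
// Added illustration, not Bitwarden's code: a minimal model of the
// "autofill on page load" decision made by a browser-extension password manager.
// All hostnames below are constructed for the example.

// Approximation of the "base domain" URI-match rule: keep the last two labels
// of the host (company.tld). A real implementation must consult the Public
// Suffix List so that e.g. "co.uk" is not treated as a registrable domain.
function baseDomain(hostname) {
  const labels = hostname.toLowerCase().split(".").filter(Boolean);
  return labels.slice(-2).join(".");
}

// URI-match modes a manager typically offers for a saved login.
function uriMatches(savedUri, pageUrl, mode) {
  const saved = new URL(savedUri);
  const page = new URL(pageUrl);
  if (mode === "base-domain") return baseDomain(saved.hostname) === baseDomain(page.hostname);
  if (mode === "host") return saved.host === page.host; // host includes the port
  if (mode === "exact") return saved.href === page.href;
  throw new Error(`unknown match mode: ${mode}`);
}

// Decide whether a login form found in a document should be auto-filled.
// topUrl:   URL of the tab's top-level document.
// frameUrl: URL of the document that contains the form (same as topUrl when
//           the form is not inside an iframe).
function shouldAutofill(cred, topUrl, frameUrl, policy) {
  if (!uriMatches(cred.uri, topUrl, policy.matchMode)) {
    return { fill: false, reason: "top-level page does not match saved login" };
  }
  const crossOrigin = new URL(frameUrl).origin !== new URL(topUrl).origin;
  if (crossOrigin && !policy.fillCrossOriginFrames) {
    // Hardened rule: a form in a frame from another origin is only filled if
    // that frame's own URL matches the saved login as well.
    if (!uriMatches(cred.uri, frameUrl, policy.matchMode)) {
      return { fill: false, reason: "form is inside a cross-origin iframe that does not match saved login" };
    }
  }
  return { fill: true, reason: "ok" };
}

// Permissive behaviour as described in the report: match the top-level URL by
// base domain, then fill forms in every frame of the page.
const PERMISSIVE = { matchMode: "base-domain", fillCrossOriginFrames: true };
// Stricter policy: host matching and no filling into foreign-origin frames.
const STRICT = { matchMode: "host", fillCrossOriginFrames: false };

// Constructed saved login.
const cred = { uri: "https://logins.company.tld/", username: "alice", password: "hunter2" };

// Scenario A: the legitimate login page, no iframe.
const loginPage = "https://logins.company.tld/login";
// Scenario B: the same page embedding an attacker-controlled iframe (first issue).
const attackerFrame = "https://ads.attacker.example/frame";
// Scenario C: user-hosted content on a subdomain of the login domain (second issue).
const tenantPage = "https://clientname.company.tld/index.html";

function runScenarios() {
  return {
    legitPermissive:     shouldAutofill(cred, loginPage, loginPage, PERMISSIVE).fill,
    legitStrict:         shouldAutofill(cred, loginPage, loginPage, STRICT).fill,
    iframePermissive:    shouldAutofill(cred, loginPage, attackerFrame, PERMISSIVE).fill,
    iframeStrict:        shouldAutofill(cred, loginPage, attackerFrame, STRICT).fill,
    subdomainPermissive: shouldAutofill(cred, tenantPage, tenantPage, PERMISSIVE).fill,
    subdomainStrict:     shouldAutofill(cred, tenantPage, tenantPage, STRICT).fill,
  };
}

console.log(runScenarios());
```

Under the permissive policy the attacker’s iframe and the tenant subdomain both receive the password; under the strict policy only the real login page does. Note that switching the URI match rule to host matching on its own does not help against the iframe case, since the top-level page still matches; the frame-origin check is what closes it.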


Well-run sites rarely serve untrusted user content under the same registered domain as their login page, but free hosting services and some content platforms do, and that is enough for the subdomain attack to work. Both issues require fairly specific conditions, which is why Bitwarden had documented the behaviour rather than removing it: some legitimate websites place their login form inside an iframe, and refusing to fill iframes would break autofill there. The cost is that the same window stays open to phishing and password theft on pages that embed untrusted frames.

It’s worth noting that autofill on page load is disabled in Bitwarden by default, and the extension warns users about the risk when they turn the feature on. In response to the report, Bitwarden has said it plans an update that will block autofill on subdomains.

If you’re not using a tool like Bitwarden yet, check out our guide to the best password managers. Bitwarden is on that list, and despite this issue it still deserves its place. For the time being, though, leave autofill on page load off (or disable it if you turned it on), and consider setting the URI match rule for sensitive logins to “Host” rather than the default “Base domain” so that a subdomain alone is not enough to trigger a fill.
