Skip to main content

If you use this free password manager, your passwords might be at risk

Researchers have just found a flaw within Bitwarden, a popular password manager. If exploited, the bug could give hackers access to login credentials, compromising various accounts.

The flaw within Bitwarden was spotted by Flashpoint, a security analysis firm. While the issue hasn’t received much — or any — coverage in the past, it appears that Bitwarden was aware of it all along. Here’s how it works.

Office computer with login asking for password and username.
Image used with permission by copyright holder

The potential security risk lies within Bitwarden’s autofill on page load feature. It lets inline frames (iframes) access your login details, and if said iframes are compromised, then so are your credentials. An iframe is an HTML element that allows developers to embed a different webpage within the page you’re currently on. They’re often used for the purpose of embedding ads, videos, or web analytics.

Recommended Videos

According to Flashpoint, using Bitwarden with autofill enabled on a page that contains iframes could result in password theft. This is because autofill on page load automatically fills out your login and password both on the page you’re on and within the iframe — and that exposes you to certain risks.

Please enable Javascript to view this content

In its report, Flashpoint said: “While the embedded iframe does not have access to any content in the parent page, it can wait for input to the login form and forward the entered credentials to a remote server without further user interaction.”

There’s another way hackers could steal your passwords, though. Bitwarden’s autofill on page load also works on subdomains of the domain you’re trying to access, as long as the login matches. This means that if you stumble upon a phishing page, with a subdomain that matches the base domain you’ve saved your password for, Bitwarden might automatically provide it to the hacker.

“Some content hosting providers allow hosting arbitrary content under a subdomain of their official domain, which also serves their login page. As an example, should a company have a login page at https://logins.company.tld and allow users to serve content under https://<clientname>.company.tld, these users are able to steal credentials from the Bitwarden extensions,” Flashpoint explained.

A dark mystery hand typing on a laptop computer at night.
Andrew Brookes / Getty Images

This problem won’t crop up on legitimate, large websites, but free hosting services allow for such domains to be made. Still, both flaws have a pretty small chance of occurring, which is why Bitwarden hasn’t fixed the issue despite being aware of it. In order to keep working on websites that use iframes, Bitwarden has to leave this window of opportunity open for possible phishing and password theft.

It’s worth noting that autofill on page load is disabled in Bitwarden by default, and the tool does warn users about the possible risks when they turn the feature on. In response to the report, Bitwarden has said it’s planning an update that will block autofill on subdomains.

If you’re not using a tool like Bitwarden yet, make sure to check out our guide to the best password managers. Bitwarden is on that list, and despite this security flaw, it still deserves its place — but perhaps disabling autofill on page load might be a good idea for the time being.

Monica J. White
Monica is a computing writer at Digital Trends, focusing on PC hardware. Since joining the team in 2021, Monica has written…
If you want to buy an RTX 4090, now might be your last chance
Nvidia GeForce RTX 4090 GPU.

There's no disputing that the RTX 4090 is one of the best graphics cards you can buy, but now might be your last chance to buy it. According to members of the Board Channels forum (via VideoCardz), Nvidia has discontinued the graphics card and will stop fulfilling new orders this month.

We saw this coming. Last month, members of the Board Channels forums signaled that Nvidia was getting ready to discontinue the RTX 4090 to make way for next-gen RTX 50-series GPUs. Nvidia hasn't said it's discontinuing the card, and it likely won't, but some regions are already experiencing shortages and increased prices. The German outlet PC Games Hardware writes: "It is now becoming increasingly clear that the GeForce RTX 4090 ... will soon have reached its end of lifetime," following high prices and "increasingly poor availability" in the region.

Read more
Your Gmail app will soon help protect you from scams
Moto G 5G (2024) in Sage Green showing Gmail.

Email scams are nothing new. The old Nigerian prince con has been around long enough that it's become a meme, but more modern scams can be a lot harder to pick out. According to statistics, nearly 3.4 billion phishing emails are sent per day. Gmail will soon implement a feature on its mobile platform that puts a checkmark beside verified senders to help users tell what's legit — and what possibly isn't — at a glance.

The feature already exists on the Gmail desktop website, but with over half of all users accessing their Gmail accounts from a mobile app, it's a welcome addition. It utilizes a standard called Brand Indicators for Message Identification (BIMI) and a Verified Mark Certificate (VMC). If an email contains these marks, it's highly unlikely they come from a malicious source.

Read more
NordPass vs. Proton Pass: best free and low-cost password manager
A PC monitor shows NordPass and Proton Pass websites in a split-view.

NordPass and Proton Pass are two of the best password managers and both have surprisingly affordable plans, as well as good free versions.

I recently reviewed each and found both were excellent solutions. While there are many similarities, a few differences stand out and can help you decide which password manager is the right choice for you.
Tiers and pricing
NordPass and Proton Pass pricing tiers appear in a split-view. Digital Trends

Read more