Skip to main content

If you use this free password manager, your passwords might be at risk

Researchers have just found a flaw within Bitwarden, a popular password manager. If exploited, the bug could give hackers access to login credentials, compromising various accounts.

The flaw within Bitwarden was spotted by Flashpoint, a security analysis firm. While the issue hasn’t received much — or any — coverage in the past, it appears that Bitwarden was aware of it all along. Here’s how it works.

Office computer with login asking for password and username.
Image used with permission by copyright holder

The potential security risk lies within Bitwarden’s autofill on page load feature. It lets inline frames (iframes) access your login details, and if said iframes are compromised, then so are your credentials. An iframe is an HTML element that allows developers to embed a different webpage within the page you’re currently on. They’re often used for the purpose of embedding ads, videos, or web analytics.

Recommended Videos

According to Flashpoint, using Bitwarden with autofill enabled on a page that contains iframes could result in password theft. This is because autofill on page load automatically fills out your login and password both on the page you’re on and within the iframe — and that exposes you to certain risks.

In its report, Flashpoint said: “While the embedded iframe does not have access to any content in the parent page, it can wait for input to the login form and forward the entered credentials to a remote server without further user interaction.”

There’s another way hackers could steal your passwords, though. Bitwarden’s autofill on page load also works on subdomains of the domain you’re trying to access, as long as the login matches. This means that if you stumble upon a phishing page, with a subdomain that matches the base domain you’ve saved your password for, Bitwarden might automatically provide it to the hacker.

“Some content hosting providers allow hosting arbitrary content under a subdomain of their official domain, which also serves their login page. As an example, should a company have a login page at https://logins.company.tld and allow users to serve content under https://<clientname>.company.tld, these users are able to steal credentials from the Bitwarden extensions,” Flashpoint explained.

A dark mystery hand typing on a laptop computer at night.
Andrew Brookes / Getty Images

This problem won’t crop up on legitimate, large websites, but free hosting services allow for such domains to be made. Still, both flaws have a pretty small chance of occurring, which is why Bitwarden hasn’t fixed the issue despite being aware of it. In order to keep working on websites that use iframes, Bitwarden has to leave this window of opportunity open for possible phishing and password theft.

It’s worth noting that autofill on page load is disabled in Bitwarden by default, and the tool does warn users about the possible risks when they turn the feature on. In response to the report, Bitwarden has said it’s planning an update that will block autofill on subdomains.

If you’re not using a tool like Bitwarden yet, make sure to check out our guide to the best password managers. Bitwarden is on that list, and despite this security flaw, it still deserves its place — but perhaps disabling autofill on page load might be a good idea for the time being.

Monica J. White
Monica is a computing writer at Digital Trends, focusing on PC hardware. Since joining the team in 2021, Monica has written…
Three best ways to sync Apple passwords to a Windows PC
A happy Mac logo and Passwords icon hover over the Windows desktop.

If you use an iPhone, iPad, or Mac, you know how frustrating it can be to try signing into one of your favorite online accounts on a Windows PC only to realize you don’t have that login. If you’re like me, you switch devices throughout the day. When logins don’t sync, that means looking up and typing long complicated passwords, which is time-consuming and error-prone.

You might expect passkeys to help, but there are still problems. Many websites support passkeys but not all, and the lack of universal support and compatibility issues prevent passkeys from fully replacing passwords in 2025.

Read more
Your Xfinity internet might have just doubled in speed — for free
Comcast

If you're an Xfinity customer, your Internet speeds might have just gotten as much as two times faster. Today, Comcast announced an internet upgrade for over 20 million customers that could increase speeds anywhere from 50 to 100 percent.  In addition, anyone who subscribes to a 400Mbps or faster plan can get a year of Unlimited Xfinity Mobile for free. Depending on what your monthly phone bill is, that could result in tremendous savings.

That's one heck of a deal, especially when it comes at no added cost. Comcast says these speed boosts are possible because of its fiber network and more than $80 billion spent in research over the last decade. Either way, customers benefit. With upgraded speeds, Xfinity customers can download files a lot more quickly than before and upload everything from work documents to TikTok videos in a blink.

Read more
You can now live your developer dream with Google’s free Gemini Code Assist access
Google gemini code assist graphic.

Google has made a free version of its Gemini Code Assist tool available worldwide starting February 25. The generative AI model, previously aimed at businesses, is powered by Gemini 2.0 and integrates with IDEs like Visual Studio Code.

This means you can access Code Assist's features directly from the environment you're working in. It will auto-complete code as you're typing it, and you can also work through problems in the chat or generate code snippets.

Read more