Password managers are rightly seen by many security professionals as an essential part of your account takeover mitigation toolkit. Those who would wish to steal your money or data, be they your average cybercriminal or a state-sponsored team of hackers, look to credential compromise as a first port of call. With password reuse rife (hardly surprising, given the number of passwords we have), unique, random, and complex passwords are key. This is why, and I return to my opening gambit, password managers are seen by so many, including myself and the Straight Talking Cyber team at Forbes, as essential.

Which is why trust in these applications is so important, and why that trust can get dented when responses to security researcher concerns appear less than reassuring. We've already seen examples of this erosion of trust in the case of LastPass recently, and now one of the other big password manager brands stands accused of not doing enough to prevent password theft.

[Image: Flashpoint research highlights potential credential theft risk when using Bitwarden browser extension. (Flashpoint)]

Here's what Bitwarden users need to know in light of a new report into one specific credential theft attack vector.

Delving deeper into the Flashpoint password pilfering research

An iframe is simply a method of embedding a page (or document, if you prefer) within another HTML page: an inline frame. A good example of this would be the iCloud website, which uses a login iframe from when signing in. Because of the way the Bitwarden browser extension determines how auto-fill is completed, defaulting (if enabled) to a base domain, a second-level domain could potentially steal credentials.

Firstly, say the researchers, there's the problem of someone "hosting arbitrary content under a subdomain of their official domain." Flashpoint does concede that "the number of cases found matching this particular setup was quite low, reducing the potential risk." What's more, Bitwarden not only has this auto-fill option disabled by default but also has a warning in the documentation that enabling it means a compromised site could take advantage to steal credentials.

Secondly, the report claims that this security flaw, or feature, "appears to be unique to Bitwarden's product." This is based upon a "brief evaluation of other password manager extensions."

So, what's the problem here, exactly? I contacted Sven Krewitt, a senior vulnerability researcher at Flashpoint, for some clarification. "We did not conduct a thorough comparison of available password managers," Krewitt says, "but after the Bitwarden discovery, we wanted to do a quick check whether other popular extensions behave in the same way." Krewitt says that Flashpoint was able to "confirm 1Password and the password manager in Chrome do not autofill external iframes," and "Dashlane shows a warning if you attempt to do so."

How big a real-world risk is this to your average Bitwarden user? "This is the most concerning aspect," Krewitt says, "if the auto-fill on page load setting is enabled, the attack works when a user visits a specially crafted webpage." Krewitt told me that the attack demonstrated to Bitwarden was for a certain environment and, by default, "this attack does not work for all websites." However, Flashpoint was able to confirm that several very large hosting providers currently have the same environment, and the same requirements are met.

However, if it isn't enabled, and it is disabled by default, remember, "a bit of social-engineering is required, e.g., using a CTRL-Shift shortcut on that page," Krewitt told me, concluding "due to these requirements, we don't deem this as a critical issue, but very important for users to know as this could lead to issues at scale."

A Bitwarden spokesperson told me that "Bitwarden supports this as an optional feature as some popular websites use this approach, such as and." "As you state, this feature is not enabled by default, and the vector is limited, and Bitwarden has placed warnings for users," the Bitwarden spokesperson says. "As popular websites continue to use iframes such as and," they concluded, "Bitwarden has allowed for user choice. Other password managers may choose a different path. We will continue to look at options and the user experience for these situations."

Should you switch from Bitwarden to another password manager?

Lots of people have, from comments I've seen on social media, already switched to Bitwarden following the recent LastPass breach disclosures.
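The two settings the article turns on, matching a stored login by base domain rather than by exact host and filling forms that sit inside an iframe from another origin, can be modelled as a small policy decision. The JavaScript below is an added example written for this page, not Bitwarden's or Flashpoint's code: the `decideAutofill` and `comparePolicies` functions, the policy names, and every hostname in the scenarios are constructed, and `baseDomain` uses a two-label simplification where a real extension would consult the Public Suffix List. It shows why content hosted on a subdomain of a legitimate domain is treated as a match under a base-domain policy and why an exact-host policy with external iframes disabled rejects both that case and the partner-hosted login frame that the optional feature exists to support.

```javascript
// Added example: a simplified model of a browser-extension autofill decision.
// Not Bitwarden's code; policy names, scenarios and hostnames are constructed.

// Two-label simplification of "base domain" (example.com for userpages.example.com).
// A real implementation would use the Public Suffix List so that, for instance,
// "something.co.uk" is not collapsed to "co.uk".
function baseDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  return labels.length <= 2 ? labels.join(".") : labels.slice(-2).join(".");
}

// Policies contrasted in the article: permissive (the optional settings switched on)
// versus a hardened configuration (exact host, no external iframes, no fill on load).
const PERMISSIVE = { match: "base-domain", fillExternalIframes: true, autofillOnPageLoad: true };
const HARDENED = { match: "host", fillExternalIframes: false, autofillOnPageLoad: false };

// Decide whether a stored login should be offered to a login form.
//   storedUrl: the URL saved with the credential
//   topUrl:    the URL of the top-level page the user is visiting
//   frameUrl:  the URL of the frame that actually contains the form
function decideAutofill({ storedUrl, topUrl, frameUrl }, policy) {
  const stored = new URL(storedUrl);
  const top = new URL(topUrl);
  const frame = new URL(frameUrl);

  // Step 1: does the page the user is on match the stored login?
  let pageMatches;
  if (policy.match === "base-domain") {
    pageMatches = baseDomain(top.hostname) === baseDomain(stored.hostname);
  } else if (policy.match === "host") {
    pageMatches = top.hostname === stored.hostname;
  } else {
    throw new Error(`unknown match policy: ${policy.match}`);
  }
  if (!pageMatches) {
    return { fill: false, reason: "top-level page does not match the stored login" };
  }

  // Step 2: is the form inside a frame served from a different origin than the page?
  const externalFrame = frame.origin !== top.origin;
  if (externalFrame && !policy.fillExternalIframes) {
    return { fill: false, reason: "form is in an external iframe" };
  }

  // Step 3: report whether the fill happens silently on load or needs the user to act.
  return {
    fill: true,
    reason: externalFrame ? "external iframe permitted by policy" : "same-origin form",
    trigger: policy.autofillOnPageLoad ? "page-load" : "user-action",
  };
}

// Constructed scenarios mirroring the article: a genuine login page, arbitrary content
// hosted on a subdomain of the same base domain, and a site that legitimately embeds
// its login form from a partner origin.
const SCENARIOS = {
  genuine: {
    storedUrl: "https://accounts.example.com/login",
    topUrl: "https://accounts.example.com/login",
    frameUrl: "https://accounts.example.com/login",
  },
  hostedSubdomain: {
    storedUrl: "https://accounts.example.com/login",
    topUrl: "https://userpages.example.com/~someone/",
    frameUrl: "https://userpages.example.com/~someone/",
  },
  externalLoginFrame: {
    storedUrl: "https://www.example.com/",
    topUrl: "https://www.example.com/",
    frameUrl: "https://login.example-idp.net/signin",
  },
};

// Evaluate every scenario under both policies; returns { name: { permissive, hardened } }.
function comparePolicies(scenarios = SCENARIOS) {
  const out = {};
  for (const [name, s] of Object.entries(scenarios)) {
    out[name] = { permissive: decideAutofill(s, PERMISSIVE), hardened: decideAutofill(s, HARDENED) };
  }
  return out;
}

console.log(JSON.stringify(comparePolicies(), null, 2));
```

Running it prints a fill decision per scenario and policy. The `hostedSubdomain` case is the one the researchers describe: under the permissive policy it fills on page load with no user action, because `userpages.example.com` and `accounts.example.com` share a base domain; under the hardened policy it is rejected at the host check. The `externalLoginFrame` case shows the trade-off Bitwarden's spokesperson points to: the hardened policy also refuses a site that genuinely loads its login form from another origin, which is why the setting is left to user choice rather than removed.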