
According to , Bitwarden's autofill is notably weaker than that of comparable services. The Flashpoint vulnerability research team found that Bitwarden handles iframes in an unusual way.
An iframe is an HTML tag that embeds content from another web page inside the current page. Bitwarden will fill the user's stored username and password into a login form even when that form is hosted in an iframe served from an external website. If any one of those external HTML elements (a banner ad, for example, a well-known attack vector) is compromised, the login credentials can be stolen.
This behaviour is intentional, not a bug. In its November 2018 security assessment report, Bitwarden said the goal was to support websites that use iframes for login, citing iCloud as a representative example.

The iframe weakness exists whether or not the 'autofill on page load' option is enabled; Flashpoint's testing showed that the risk is the same with the feature on or off. Bitwarden also does not warn the user when it fills a form hosted on another page or site. In effect, this gives a malicious actor a kind of "free pass" through a maliciously crafted subdomain.
Other password managers apply much stricter autofill policies. In Flashpoint's spot checks of non-Bitwarden services, those services restricted autofill to the registered site or at least displayed a warning when an iframe was involved.
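As an added illustration of what such a stricter policy can look like (example code written for this article, not Bitwarden's or Flashpoint's): fill only into the registered site's own top-level document, refuse automatic fills into any cross-origin iframe, and require confirmation for manual ones. The registrable-domain helper is a deliberate simplification and is labelled as such.

```javascript
// Added example, not Bitwarden's or Flashpoint's code: a stricter autofill
// policy that fills a login form only in the document of the registered site,
// and otherwise warns or refuses. Uses the standard URL class (browser / Node).

// Approximate "registrable domain" by keeping the last two labels
// ("login.example.com" -> "example.com"). Assumption: a real manager would
// consult the Public Suffix List instead of this shortcut.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".").filter(Boolean);
  return labels.slice(-2).join(".");
}

/**
 * Decide whether to fill a saved credential into a login form.
 *   savedUrl - URL the credential was saved for
 *   topUrl   - top-level page the user is actually looking at
 *   frameUrl - document that contains the form (equals topUrl when the
 *              form is not inside an iframe)
 *   trigger  - "manual" (user asked) or "pageload" (automatic on load)
 * Returns { action: "fill" | "warn" | "block", reason: string }.
 */
function autofillDecision(savedUrl, topUrl, frameUrl, trigger = "manual") {
  const saved = new URL(savedUrl);
  const top = new URL(topUrl);
  const frame = new URL(frameUrl);

  // Credentials must never be written into a document served without TLS.
  if (frame.protocol !== "https:") {
    return { action: "block", reason: "form document is not served over HTTPS" };
  }
  // The page the user is on must be the site the credential belongs to.
  if (registrableDomain(top.hostname) !== registrableDomain(saved.hostname)) {
    return { action: "block", reason: "top-level page is not the saved site" };
  }
  // Form lives in the top-level document itself: the normal, safe case.
  if (frame.origin === top.origin) {
    return { action: "fill", reason: "form is in the top-level document" };
  }
  // Form is inside a cross-origin iframe. Its content is controlled by
  // whoever serves the frame (an ad network, an embedded widget, or a
  // compromised third party), so never fill it silently.
  const sameSite = registrableDomain(frame.hostname) === registrableDomain(saved.hostname);
  const where = sameSite ? "same-site cross-origin iframe" : "third-party iframe";
  if (trigger === "pageload") {
    return { action: "block", reason: `automatic fill into ${where} refused` };
  }
  return { action: "warn", reason: `manual fill into ${where} needs confirmation` };
}
```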
To protect your credentials from this weakness, two steps are recommended.
- If autofill is enabled by default, disable it. Well-designed services and applications ship with it turned off.
- Use a service that does not automatically fill information into forms hosted on external sites, or that notifies you when you are about to do so.
If you want to keep using Bitwarden, you will need to disable autofill on page load. In addition, the following precaution is recommended:
- Only use manual autofill on sites you trust. Apple, for example, will have defences in place against tampering with its HTML elements (otherwise everyone would be in far bigger trouble).

Unfortunately, this does not appear to fully mitigate the weakness in Bitwarden's autofill feature. Since the user has no way to check whether an externally hosted form has been compromised, the only real remedy is to change how login credentials are entered.
No method is safe if the official site itself is compromised, so the damage must be limited by using a unique random password for every website, service and application. Like it or not, the only practical way to manage dozens of credentials is a password manager; choose and use the software carefully, and most problems can be avoided.
editor@itworld.co.kr