Bitwarden flaw can let hackers steal passwords using iframes (Security News, March 2023)
Bitwarden's credentials autofill feature contains a risky behavior that could allow malicious iframes embedded in trusted websites to steal people's credentials and send them to an attacker.
The issue was reported by analysts at Flashpoint, who said Bitwarden first learned of the problem in 2018 but chose to allow it to accommodate legitimate sites that use iframes.
Bitwarden is a popular open-source password management service with a web browser extension that stores secrets like account usernames and passwords in an encrypted vault.
A second issue, which Flashpoint found while investigating the iframe problem, is that Bitwarden also autofills credentials on any subdomain of the base domain that matches a saved login.
"Should a company have a login page at https://logins.company.tld and allow users to serve content under https://.company.tld, these users are able to steal credentials from the Bitwarden extensions."
Since some services require users to log in through iframes embedded from external domains, Bitwarden's engineers decided to keep the behavior unchanged and instead add a warning to the software's documentation and to the relevant settings menu in the extension.
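To make both behaviors concrete, here is an added example (written for this article, not code from Bitwarden or Flashpoint) that models a browser-extension autofill decision. It reproduces the two risk factors described above, a base-domain URI match that also accepts sibling subdomains and an iframe policy that fills a cross-origin frame because the top-level page is trusted, next to the stricter alternatives: host matching, and requiring the frame's own URL to match the saved login. The match-mode names "base" and "host" loosely follow Bitwarden's "Base domain" and "Host" match-detection options but are a simplification; the iframe policy names, the naive two-label base-domain rule and all sample URLs are assumptions constructed for the example.

```javascript
// Added example, not Bitwarden's implementation: a model of an extension's
// autofill decision for a form that may live inside an iframe.

// Naive "registrable domain": last two labels of the hostname. Real
// extensions consult the Public Suffix List; this assumption is adequate for
// the constructed hostnames used below.
function baseDomain(hostname) {
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

// Does a page URL match a saved login URI under the chosen match mode?
//   "base": same base domain, so every subdomain matches (the risky setting
//           from the article: user.company.tld matches logins.company.tld)
//   "host": the full hostname must be identical
function uriMatches(savedUri, pageUrl, mode) {
  const saved = new URL(savedUri);
  const page = new URL(pageUrl);
  switch (mode) {
    case "base":
      return baseDomain(saved.hostname) === baseDomain(page.hostname);
    case "host":
      return saved.hostname === page.hostname;
    default:
      throw new Error("unknown match mode: " + mode);
  }
}

// Decide whether to fill the form in `frameUrl` while the browser tab shows
// `topUrl`. For a form that is not inside an iframe, frameUrl === topUrl.
// Iframe policies (names assumed for this example):
//   "trustedTopOnly":  fill any frame once the top-level page matches
//                      (the behavior the article warns about)
//   "frameMustMatch":  the frame's own URL must also match the saved login
//   "never":           do not fill cross-origin frames at all
function shouldAutofill({ savedUri, topUrl, frameUrl, mode, iframePolicy }) {
  if (!uriMatches(savedUri, topUrl, mode)) return false;

  const sameOrigin = new URL(topUrl).origin === new URL(frameUrl).origin;
  if (sameOrigin) return true;

  switch (iframePolicy) {
    case "trustedTopOnly":
      return true;
    case "frameMustMatch":
      return uriMatches(savedUri, frameUrl, mode);
    case "never":
      return false;
    default:
      throw new Error("unknown iframe policy: " + iframePolicy);
  }
}

// Constructed scenario from the article: the saved login belongs to the
// company's login page, and an attacker controls a cross-origin iframe
// embedded in that trusted page.
const SAVED = "https://logins.company.tld";
const TRUSTED_TOP = "https://logins.company.tld/login";
const ATTACKER_FRAME = "https://attacker.example/collect";

// Sibling subdomain served by another user of the same company.
const USER_SUBDOMAIN = "https://someuser.company.tld/profile";

// Two risky decisions versus their hardened counterparts.
const riskyIframe = shouldAutofill({ savedUri: SAVED, topUrl: TRUSTED_TOP,
  frameUrl: ATTACKER_FRAME, mode: "host", iframePolicy: "trustedTopOnly" });
const safeIframe = shouldAutofill({ savedUri: SAVED, topUrl: TRUSTED_TOP,
  frameUrl: ATTACKER_FRAME, mode: "host", iframePolicy: "frameMustMatch" });
const riskySubdomain = shouldAutofill({ savedUri: SAVED, topUrl: USER_SUBDOMAIN,
  frameUrl: USER_SUBDOMAIN, mode: "base", iframePolicy: "never" });
const safeSubdomain = shouldAutofill({ savedUri: SAVED, topUrl: USER_SUBDOMAIN,
  frameUrl: USER_SUBDOMAIN, mode: "host", iframePolicy: "never" });

console.log({ riskyIframe, safeIframe, riskySubdomain, safeSubdomain });
```

Running the block prints `riskyIframe: true` and `riskySubdomain: true` for the two settings the article describes, and `false` for both hardened variants. The same-origin check is what keeps legitimate first-party frames working under "frameMustMatch"; only frames from another origin are held to the extra URI match.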