

PSA: Hackers can steal your username and password for a website using an embedded iframe. It's a weakness for all password managers, and most have addressed the flaw in various ways, including issuing warnings when users are on a login page with an iframe or not trusting subdomains. Bitwarden is the sole exception, having determined in 2018 that the threat was not significant enough to address.

Update (March 17): A Bitwarden spokesperson contacted TechSpot to inform us that it is taking measures to mitigate the autofill vulnerability. The company did not explain why it waited five years to address the issue but did say it merged the fix request on GitHub and that the patch would be ready next week. The company said it would make two specific changes.

First, if a user enables the autofill on page load setting, Bitwarden will only fill in iframes from trusted domains, such as the same domain as the website or a specific URL the user has proactively added to their item. Second, if the user tries to fill in an untrusted iframe using manual autofill, Bitwarden displays an alert to the URI/URL they are trying to autofill and allows them to either cancel or proceed. So essentially, Bitwarden will implement process breaks and warnings like other password managers.

In its support pages regarding "Auto-fill," Bitwarden advises users to turn off their browsers' password autofill functions because they interfere with its password management solution.
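The trusted-frame rule described above, written out as an added illustration (this is not Bitwarden's code; the function names, the `savedUris` array shape and the `'onload'`/`'manual'` mode strings are assumptions for the example):

```javascript
// Added example, not Bitwarden's implementation: a minimal "may this frame be
// auto-filled?" policy of the kind the article describes. A frame is trusted when
// its origin matches the top-level page's origin, or when its hostname matches a
// URI the user proactively saved on the vault item. Anything else is untrusted.

function originOf(url) {
  // scheme://host[:port]; throws on unparsable input, 'null' for opaque origins
  return new URL(url).origin;
}

function hostOf(url) {
  return new URL(url).hostname.toLowerCase();
}

// topUrl:    URL of the top-level document the user is viewing.
// frameUrl:  URL of the frame the credentials would be written into.
// savedUris: URIs the user added to the item (assumed: array of URL strings).
function isTrustedFrame(topUrl, frameUrl, savedUris = []) {
  let frameOrigin, frameHost;
  try {
    frameOrigin = originOf(frameUrl);
    frameHost = hostOf(frameUrl);
  } catch {
    return false; // malformed frame URL: never fill
  }
  if (frameOrigin === 'null') return false; // about:blank, data:, sandboxed frames
  if (frameOrigin === originOf(topUrl)) return true; // same origin as the page
  // Explicitly saved URIs are compared by hostname only, not by path.
  return savedUris.some((uri) => {
    try { return hostOf(uri) === frameHost; } catch { return false; }
  });
}

// The two behaviours the article describes: autofill-on-page-load silently
// skips an untrusted frame; a manual fill warns and lets the user decide.
function autofillDecision(mode, topUrl, frameUrl, savedUris = []) {
  if (isTrustedFrame(topUrl, frameUrl, savedUris)) return 'fill';
  return mode === 'onload' ? 'skip' : 'warn';
}
```

The subdomain case is deliberately strict here: `sso.example.com` is not the same origin as `example.com`, so it is only filled if the user saved it on the item.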
