The web page embedded via iframe does not have access to the content of the parent page. The problem: The Bitwarden browser extension also uses the auto-fill feature on pages where third-party content from other domains is embedded via iframe. If the Bitwarden option "Auto-fill on page load" is enabled, this auto-fill happens without user interaction.
The Bitwarden browser extension can offer users to enter stored credentials for a known web page for an auto-fill login. This prevents embedded web pages from retrieving critical information from a parent page. The policy is considered an important security concept and is implemented in all major browsers. Same-Origin Policy Behavior, Source: FlashPoint If this is active, the iframe-embedded page is isolated from the parent page and cannot access its content (see the following figure). This can be controlled via the same-origin policy. The browser should separate the context of this embedded iframe foreign page from the parent page. credit card data) in a web page – this is well known. With iframes, you can embed the content of a third-party website (e.g. Embedded iframes in a web page are handled by Bitwarden in an atypical way. I have picked out the following tweet from the countless reports of the last few hours as an initial source.įlashPoint security researchers took a closer look at the behavior of Bitwarden (password manager browser extension) and came across a potential problem. Within the blog post they point out a problem with the open source Bitwarden password manager. The issue was covered by security researchers from the security provider FlashPoint, who published the article Bitwarden: The Curious (Use-)Case of Password Pilfering. FlashPoint on Bitwarden password security However, there is now a heated debate about this service's browser plugins and their security against password theft. Bitwarden is a freemium open-source password management service that stores confidential information such as website credentials in an encrypted vault.
0 kommentar(er)
