
Those who would wish to steal your money or data, be they your average cybercriminal or a state-sponsored team of hackers, look to credential compromise as a first port of call. Password managers are rightly seen by many security professionals as an essential part of your account takeover mitigation toolkit.

With password reuse rife, and given the number of passwords we have that's hardly surprising, unique, random, and complex passwords are key. This is why, and I return to my opening gambit, password managers are seen by so many, including myself and the Straight Talking Cyber team at Forbes, as essential. Which is why trust in these applications is so important and why that trust can get dented when responses to security researcher concerns appear less than reassuring. We've already seen examples of this erosion of trust in the case of LastPass recently, and now one of the other big password manager brands stands accused of not doing enough to prevent password theft.

[Image caption: Flashpoint research highlights potential credential theft risk when using Bitwarden browser extension. Credit: Flashpoint]

Here's what Bitwarden users need to know in light of a new report into one specific credential theft attack vector. An iframe is simply a method of embedding a page (or document if you prefer) within another HTML page, an inline frame. So, what's the problem here, exactly?

Delving deeper into the Flashpoint password pilfering research

Firstly, say the researchers, there's the problem of someone "hosting arbitrary content under a subdomain of their official domain." Because of the way the Bitwarden browser extension determines how auto-fill is completed, defaulting (if enabled) to a base domain, a second-level domain could potentially steal credentials. A good example of this would be the iCloud website which uses a login iframe from when signing in.

Flashpoint does concede that "the number of cases found matching this particular setup was quite low, reducing the potential risk." What's more, Bitwarden not only has this auto-fill option disabled by default but also has a warning in the documentation that enabling it means a compromised site could take advantage to steal credentials.

Secondly, the report claims that this security flaw, or feature, "appears to be unique to Bitwarden's product." This is based upon a "brief evaluation of other password manager extensions."
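To make the "base domain" point concrete, here is an added JavaScript example; it is not code from the article, from Flashpoint's report or from Bitwarden's extension. It models two ways a password manager could decide whether a saved login applies to a page (match by base domain, or match by exact host) and a conservative policy for filling into an iframe. The vault contents and domains are constructed placeholders, and approximating the base domain as the last two DNS labels is an assumption made for brevity.

```javascript
// Added example, not code from the Forbes article, Flashpoint's report or
// Bitwarden's extension. It models the distinction the article turns on:
// an auto-fill rule that matches saved logins by *base domain* offers a
// credential to any host under that registrable domain, including one that
// merely hosts arbitrary user content, whereas a *host* rule does not.
// Assumption: the base domain is approximated as the last two DNS labels.
// A production implementation would consult the Public Suffix List, since
// this shortcut is wrong for registries such as example.co.uk.

function hostOf(url) {
  return new URL(url).hostname.toLowerCase();
}

function baseDomainOf(hostname) {
  const labels = hostname.split('.').filter(Boolean);
  return labels.slice(-2).join('.');
}

// Two match strategies a manager might expose. 'base' is the permissive
// one the article describes; 'host' requires the exact hostname.
const matchers = {
  base: (savedUri, pageUrl) =>
    baseDomainOf(hostOf(savedUri)) === baseDomainOf(hostOf(pageUrl)),
  host: (savedUri, pageUrl) => hostOf(savedUri) === hostOf(pageUrl),
};

// Names of the vault items that would be offered for auto-fill on pageUrl.
function candidateLogins(vault, pageUrl, strategy) {
  const match = matchers[strategy];
  if (!match) throw new Error(`unknown match strategy: ${strategy}`);
  return vault.filter((item) => match(item.uri, pageUrl)).map((item) => item.name);
}

// Conservative policy for filling inside an iframe (the article notes that
// some sign-in pages load their login form in an iframe): fill only the
// logins that match both the top-level document and the frame itself, so a
// matching frame embedded in an unrelated page, or a foreign frame embedded
// in a matching page, gets nothing.
function shouldFillFrame(vault, topUrl, frameUrl, strategy) {
  const top = new Set(candidateLogins(vault, topUrl, strategy));
  return candidateLogins(vault, frameUrl, strategy).filter((name) => top.has(name));
}

// Constructed sample vault with placeholder domains (not real accounts).
const sampleVault = [
  { name: 'Example mail', uri: 'https://login.example.com/' },
  { name: 'Other service', uri: 'https://accounts.other.test/' },
];

// A page on an unrelated subdomain of example.com, such as one serving
// user-uploaded content. Base-domain matching offers the login here; host
// matching does not.
const userContentPage = 'https://user-content.example.com/page.html';
```

Run with `node` and call `candidateLogins(sampleVault, userContentPage, 'base')` versus `'host'` to see the difference. The frame policy trades away the convenience of a login form served from a different domain than the page that embeds it, which a manager that stores several URIs per item can restore by listing both hosts on the saved login.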
