Shulou(Shulou.com)11/24 Report--

CTOnews.com, March 11 (Xinhua)-- according to the official blog post of security agency FlashPoint, a high-risk vulnerability has been found in the browser extension of password manager Bitwarden that could disclose users' password information.

Malicious websites can exploit this vulnerability to embed IFRAME code in trusted pages. After a user visits these malicious websites and automatically populates them with Bitwarden, they can obtain the user's credential information.

CTOnews.com learned from the blog that the key to this vulnerability is that Bitwarden handles embedded iframe in web pages in an atypical way.

The browser separates the iframe embedded page from the parent page through the same origin policy. In other words, the iframe embedded page and the parent page should be isolated from each other and their contents should not be accessible. At present, major browsers, including Firefox, Chrome and so on, have adopted this security concept.

Bitwarden browser extensions also use autofill on pages that embed third-party content from other domains through iframe. Web pages embedded through iframe do not have access to the contents of the parent page.

But the security researchers write that without further user interaction, the page can wait for input from the login form and forward the entered credentials to the remote server.

The Bitwarden document does contain a warning that "infected or untrusted Web sites" may use this to steal credentials. Security researchers say that if the site itself is threatened, the extension can hardly prevent the theft of credentials.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.