Tom here from Lawrence Systems, and Bitwarden is my favorite password manager, which is also why I think my tech friends have all sent me these articles wanting to know if I've seen this flaw from 2018 that's in Bitwarden, but they're always not including the full headline, which, well, I don't think these headlines would include this because you wouldn't go any further if it's off by default. So I will include it right here at the beginning. The feature we're going to talk about is not enabled by default. So you're not likely, unless you change this setting, to be at risk. And if you had changed the setting, it also requires a malicious website to have an embedded iframe, that you have autofill turned on, and it would autofill your password in. So that's the too long didn't watch: probably not a really big deal, but there's going to be some changes that we'll note in the article that Bitwarden's making to put some more guardrails around users to stop them from doing silly things. And I'm also going to mention at the end there's another article I saw on Reddit today that seems to be making its rounds about using PINs. And that, yeah, we'll just show you in the article, it's not that big of a deal. Don't use weak PINs is the too long didn't watch for that one.

Let's jump into the articles. Now this article is from March 8th of 2023. Today is March 19th of 2023. "Bitwarden Flaw can let hackers steal password using iFrames," which is definitely something I would click on seeing that in the news, because I did when I saw it on BleepingComputer, but I always take the time to read the rest of the article. And we could also change this headline up just a little bit to say "Bitwarden Flaw can let hackers steal password using iFrames as long as you've turned on the feature that is off by default," which of course would probably stop people from scrolling down below the fold here and reading the details.
So the flaw exists for, well, there's actually two; I'll point out both of them here. If you have autofill turned on and a domain has an iframe embedded in it, an attacker iframe as they put it here, the username/password fill-in here and username/password fill-in here could possibly be filled in. And so that's definitely an issue that you could come up with in Bitwarden. I don't really see this as a likely thing that people are going to go in and change. Bitwarden has a warning on it. They have: this feature is disabled by default; while generally safe, compromised or untrusted websites could take advantage of this to steal credentials. So they have a warning if you turn it on; it's in the documentation here. It is not on by default in the browser extension. And there's also two flaws here. There is another flaw in the potential that logins.company.tld allows users to serve content under some other name.company.tld, and they're using the base domain matching with this autofill. You could get served up another page that's like a subdomain of the main page where your passwords are. But this is a different problem, but related problem, because if a company loses control of their DNS, would someone create a subdomain on it? Possibly. Or would they take over the main domain and do other nefarious things? Seems likely. So it's kind of a trust issue with the domains. But nonetheless, Bitwarden did respond. And I think that's one of those things where there wasn't... The reason this flaw was hanging out for a while was there was probably a few sites that needed this. So that's why they have it as off by default. But for those edge case people who have to use this because they're using some weirdly coded website, or oldly coded website more likely, that has this weird embedding where you have to do this fill-in for the iframes.
It's probably why it was hanging out since November of 2018, because there's also other headlines saying it's basically a five-year-old flaw still hanging out that Bitwarden won't address. But they've actually addressed it. I think enough people asked them about it. They said fine, we'll fix it, and updated on 3/17/23: Bitwarden has informed BleepingComputer that after careful consideration of the way the password autofill feature works, they've decided to address user concerns by eliminating the iframe attack vector while keeping the autofill functionality intact. And essentially the way they do this: if a user enables autofill on the page, Bitwarden will only fill iframes from trusted domains, such as the same domain as the website or a specific URL that a user has proactively added to their item for manual autofill. If the user tries to fill in an untrusted iframe, Bitwarden displays an alert on the URI/URL they're trying to autofill and allows them to cancel or proceed. So they put some guardrails up around the user to hopefully not have them do something stupid. But back to my very first sentence about this being off by default: it means it's not something you've probably accidentally done unless you've gone and tinkered with the settings and changed this and turned it on. And one nice thing is, when things are done in GitHub, and the way they do everything in Bitwarden because it's open source, you can just go on here publicly and see the discussion and see the code changes. Wonderful thing of open source.

So far no one has sent me this, but I did see it on Reddit. And this was published on February 28th of 2023: Bitwarden PINs can be brute forced. Okay, that's not it really. Okay, we'll read a little further. If an attacker can get access to the encrypted vault data stored locally on your device and you've configured a Bitwarden PIN as in the image below, the attacker can brute force the PIN and gain access to your vault's master key.
Effectively, Bitwarden may just as well store the data in plain text. Wow, that sounds terrible. Don't use PIN 1234. That's a terrible idea. Essentially, and let's walk over to Bitwarden's site here. Unlock with PIN. If you didn't know, you can add this as a feature. Off by default, can be added, is something I want to point out. So if you think your master password is too inconvenient to type, you can set a PIN as a method for unlocking your vault. PINs can only be used to unlock your vault. You will still be required to use your master password and any enabled two-step login when you log in. So this only adds a PIN to the browser extension, for example. And by doing that, it's convenient. I can put in 1234. It does have a warning that you shouldn't use 1234. And I know the word PIN makes people think it can just be numbers, but it's actually A through Z, zero through nine, etc. You can enter the desired PIN code into the input box. Your PIN can be a combination of any characters. So you don't have to use 1234. I don't really recommend using 1234 as they suggested in there because, well, that's easily brute forced. But I don't really think this is the most likely attack vector. And let me explain why. If an attacker were to gain access to a system, they're likely to follow the path of least resistance, that path being extracting session tokens, maybe installing a keylogger so they can get further on their journey for whatever they're after. But it seems less likely that they would extract the vault and hammer out a bunch of, well, PIN guesses until they got the vault. Now, maybe there's an attack where someone gets their laptop stolen and that's the method used. But bottom line is, if you're going to use a PIN, don't make it 1234. Make it complicated, because that will make it much more complicated to brute force it; also encrypt everything at rest.
So this is less of a concern. Now, Bitwarden is in the news more because, as it's becoming a more popular password manager, which seems in direct proportion to LastPass becoming a less popular password manager, you're going to see more security researchers digging into it. One of the things about Bitwarden, as they cited that 2018 security report, was something Bitwarden chose to make transparent. And they have made subsequent ones transparent as well. This is something I really like about them as a company, and what helps me have trust in them is the fact that they are very forthcoming with all this. Most companies do pen testing at the high levels like this, but they don't share any of the findings other than a brief "we had so-and-so pen test us and we passed or failed, or they told us to fix a few things." They don't give the details necessarily. Bitwarden has been absolutely transparent from top to bottom on this, and it kind of goes with the open source nature of how they work. So I'll continue trusting them. There may be some flaws found in the future, but I do trust that Bitwarden will also address them as they addressed even this little small flaw that was found in this and put some more guardrails up. Nonetheless, I love hearing from you. Leave your thoughts and comments down below. Let me know what you think of this or let me know if you love or hate Bitwarden. I'm so curious about that. I plan to continue using them. What are you using? Thanks.
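The trusted-iframe guard the fix describes (fill only frames from the page's own domain or a URI the user saved on the item, otherwise alert), modelled as an added example that is not Bitwarden's extension code. It assumes items carry a `uris` list, and it approximates the base domain as the last two host labels rather than consulting the Public Suffix List.

```javascript
// Added example (not Bitwarden's own code): decide what an autofill guard
// should do for a login form inside an iframe, following the policy in the
// article: fill only trusted frames, prompt the user for anything else.
// Assumption: base domain = last two host labels (a real extension would
// use the Public Suffix List so that co.uk-style suffixes are handled).

function baseDomain(hostname) {
  const labels = hostname.toLowerCase().split(".").filter(Boolean);
  return labels.length <= 2 ? labels.join(".") : labels.slice(-2).join(".");
}

function hostOf(url) {
  try {
    return new URL(url).hostname.toLowerCase();
  } catch {
    return null; // unparsable URI: never counts as a match
  }
}

// item = { uris: ["https://company.tld", ...] }  (hypothetical item shape)
// Returns { action: "fill" | "prompt" | "skip", reason }.
function iframeFillDecision(topUrl, frameUrl, item) {
  const topHost = hostOf(topUrl);
  const frameHost = hostOf(frameUrl);
  if (!topHost || !frameHost) return { action: "skip", reason: "unparsable url" };

  // The item must match the top-level page before any frame is considered.
  const itemHosts = item.uris.map(hostOf).filter(Boolean);
  const pageMatches = itemHosts.some(h => baseDomain(h) === baseDomain(topHost));
  if (!pageMatches) return { action: "skip", reason: "item does not match page" };

  // Trusted frame 1: same base domain as the page the user is actually on.
  if (baseDomain(frameHost) === baseDomain(topHost)) {
    return { action: "fill", reason: "same domain as page" };
  }
  // Trusted frame 2: the user proactively saved this exact host on the item.
  if (itemHosts.includes(frameHost)) {
    return { action: "fill", reason: "host saved on item" };
  }
  // Anything else (a third-party frame embedded in the page): alert the user
  // with the frame's host and let them cancel or proceed.
  return { action: "prompt", reason: `untrusted iframe ${frameHost}` };
}
```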