BleepingComputer reports that password management service Bitwarden has a vulnerability within its web extension's credentials autofill functionality, which could be exploited to enable credential theft via website-embedded iframes. Even though Bitwarden has disabled autofill by default, activating the feature allowed the extension to autofill forms in embedded iframes, including those coming from external domains, according to a report from Flashpoint. "While the embedded iframe does not have access to any content in the parent page, it can wait for input to the login form and forward the entered credentials to a remote server without further user interaction," said Flashpoint. Researchers also observed that credential autofill on base domains' subdomains corresponding to a login is being conducted by Bitwarden. Such a security issue has already been raised to Bitwarden in November 2018 but the password management firm kept the behavior unchanged to allow legitimate sites using iframes. "Bitwarden accepts iframe auto filling because many popular websites use this model, for example icloud.com uses an iframe from apple.com... The feature described for autofill in the blog post is NOT enabled by default in Bitwarden and there is a warning message on that feature for exactly this reason within the product, and within the help documentation," said Bitwarden. Update March 15: Bitwarden has addressed the autofill on page load situation, which has been merged on GitHub.