Hot Take Password Managers Auto-filled Credentials on Untrusted sites

enaph

enaph

Level 28
Thread author
Verified
Honorary Member
Top Poster
Well-known
Jun 14, 2011
1,790
Security shortcomings mean that multiple password managers could be tricked into auto-filling credentials on untrusted pages, security researchers at Google warn.

The team from Google went public with their findings on Tuesday (17 January), 90 days after notifying the applications – Dashlane, Bitwarden, and the built-in password manager bundled with Apple’s Safari browser – of the vulnerabilities.

Both Dashlane and Bitwarden have updated their software although Dashlane, at least, remains unconvinced that the bug represents any kind of security threat. The status of any fix for Apple’s Safari built-in password manager remains unconfirmed at the time of writing. The Daily Swig has asked Apple to comment and we’ll update this story as and when more information comes to hand.
Click to expand...
portswigger.net

Popular password managers auto-filled credentials on untrusted websites

Dashlane, Bitwarden, and Safari all cited by Google researchers
portswigger.net portswigger.net
 
  • Like
  • Wow
Reactions: DeBenez, Dave Russo, CyberTech and 7 others
Digmor Crusher

Digmor Crusher

Level 23
Verified
Top Poster
Well-known
Jan 27, 2018
1,265
Not sure what you mean by automatically. With Bitwarden if your logged in you just go to any site you have saved and click on the login button, BW pops up for that site, you click on it and your logged in.
 
  • Like
Reactions: Dave Russo
piquiteco

piquiteco

Level 14
Oct 16, 2022
626
Digmor Crusher said:
Not sure what you mean by automatically. With Bitwarden if your logged in you just go to any site you have saved and click on the login button, BW pops up for that site, you click on it and your logged in.
Click to expand...
By default in Bitwarden this option is unchecked "If a login form is detected, automatically perform an auto-fill when the web page loads." And then just below the checkbox comes this warning
1674372372538.png
 
  • Like
Reactions: vtqhtr413, plat, Dave Russo and 3 others
piquiteco

piquiteco

Level 14
Oct 16, 2022
626
HarborFront said:
Regarding the topic. Since BW has updated their software so it means it's safe to use autofill
Click to expand...
Yes, it is secure, but I wouldn't use auto-complete if I were you, tomorrow or the day after, a vulnerability arises, suddenly when you least expect it, Bitwarden starts dumping your credentials on any website, then you can have a headache. Remember security and technology and convenience go hand in hand, but it comes at a price. Don't forget that. He who warns is a friend.;)
 
  • Like
Reactions: vtqhtr413, enaph and Dave Russo
H

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,033
piquiteco said:
Yes, it is secure, but I wouldn't use auto-complete if I were you, tomorrow or the day after, a vulnerability arises, suddenly when you least expect it, Bitwarden starts dumping your credentials on any website, then you can have a headache. Remember security and technology and convenience go hand in hand, but it comes at a price. Don't forget that. He who warns is a friend.;)
Click to expand...
You can lock/unlock the vault in the extension
 
  • Like
Reactions: Dave Russo and piquiteco
n8chavez

n8chavez

Level 17
Well-known
Feb 26, 2021
818
If you really want to be safe you'd use keepass, where your database is store on space you control (encrypted cloud or local), use a keyfile (disguised as a random docx or jpg, stored somewhere different than your database), and your 15+ character password. Don't use any browser extension that tie into it. They are not needed, if you learn the features of Keepass. Using any addons only potentially weakens its security.

At this point is it really worth it to use a cloud-based service where you cannot control the storage? I wouldn't trust any of them anymore.
 
  • Like
Reactions: plat, Dave Russo, WhiteMouse and 2 others
Digmor Crusher

Digmor Crusher

Level 23
Verified
Top Poster
Well-known
Jan 27, 2018
1,265
Trying Enpass now, I really like it, nice gui, simple to set up, local storage, not a lot of bells and whistles but it signs me into my sites quite easily, what more do I need? Tried Keepass as well, it was a total mess trying to figure it out. The only possible negative with Enpass in the free version is that it only allows 25 items for mobile vaults, but that's probably 20 more than I need anyways as I never sign into anything on my phone except maybe for Ticketmaster for concert or hockey tickets or email.
 
Last edited:
  • Like
Reactions: Dave Russo
H

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,033
Digmor Crusher said:
Trying Enpass now, I really like it, nice gui, simple to set up, local storage, not a lot of bells and whistles but it signs me into my sites quite easily, what more do I need? Tried Keepass as well, it was a total mess trying to figure it out. The only possible negative with Enpass in the free version is that it only allows 25 items for mobile vaults, but that's probably 20 more than I need anyways as I never sign into anything on my phone except maybe for Ticketmaster for concert or hockey tickets or email.
Click to expand...


Enpass don't support non-code signed browsers like Ungoogled Chromium and LibreWolf. Also, its android app has trackers

A detailed review here

www.safetydetectives.com

Enpass Review 2024: Is It Really a Good Password Manager?

Is Enpass the best password manager for you? Is it safe and secure? How well will it protect your computer? Does it work well on mobile or just desktops? Find out all of this and more in this in-depth review of Enpass.
www.safetydetectives.com www.safetydetectives.com
 
  • Thanks
  • Like
Reactions: dinosaur07 and Dave Russo
Gandalf_The_Grey

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,600
n8chavez said:
If you really want to be safe you'd use keepass, where your database is store on space you control (encrypted cloud or local), use a keyfile (disguised as a random docx or jpg, stored somewhere different than your database), and your 15+ character password. Don't use any browser extension that tie into it. They are not needed, if you learn the features of Keepass. Using any addons only potentially weakens its security.

At this point is it really worth it to use a cloud-based service where you cannot control the storage? I wouldn't trust any of them anymore.
Click to expand...
Even Keepass is not totally safe, however the creator doesn't agree:
** DISPUTED ** KeePass through 2.53 (in a default installation) allows an attacker, who has write access to the XML configuration file, to obtain the cleartext passwords by adding an export trigger. NOTE: the vendor's position is that the password database is not intended to be secure against an attacker who has that level of access to the local PC.
Click to expand...

NVD - CVE-2023-24055

nvd.nist.gov nvd.nist.gov
 
Last edited:
  • Like
  • Thanks
  • Hundred Points
Reactions: piquiteco, vtqhtr413, n8chavez and 5 others
H

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,033
n8chavez said:
If you really want to be safe you'd use keepass, where your database is store on space you control (encrypted cloud or local), use a keyfile (disguised as a random docx or jpg, stored somewhere different than your database), and your 15+ character password. Don't use any browser extension that tie into it. They are not needed, if you learn the features of Keepass. Using any addons only potentially weakens its security.

At this point is it really worth it to use a cloud-based service where you cannot control the storage? I wouldn't trust any of them anymore.
Click to expand...

Correct me if I'm wrong

Does KeePass copy&paste passwords? If yes, then any keylogger can capture what's on the clipboard, right? Does KeePass come with a time setting to clear the clipboard?

BW autofills using copy&paste passwords and it comes with a time setting to clear the clipboard. The time set to clear the clipboard can be chosen from the extension
 
  • Like
Reactions: piquiteco, Gandalf_The_Grey and upnorth
A

Arequire

Level 29
Verified
Top Poster
Content Creator
Feb 10, 2017
1,823
HarborFront said:
Correct me if I'm wrong

Does KeePass copy&paste passwords? If yes, then any keylogger can capture what's on the clipboard, right? Does KeePass come with a time setting to clear the clipboard?
Click to expand...
It does copy passwords and auto-clears the clipboard after a set amount of time (which can be changed in the settings).
 
  • Like
Reactions: plat and HarborFront

Similar threads

vtqhtr413
    • Like
    • +Reputation
Security News AutoSpill attack steals credentials from Android password managers
Replies
3
Views
1,447
Security News
vtqhtr413
vtqhtr413
BigWrench
    • Like
    • Thanks
Unlimited Giveaway Sticky Password Premium is a free license for 1 year. For all devices
Replies
0
Views
735
Giveaways, Promotions and Contests
BigWrench
BigWrench
H
    • Like
    • Applause
    • +Reputation
New Update Best Password Managers 2023
Replies
17
Views
1,619
Passwords and passkeys
ddave
ddave

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top