Hot Take Researcher Exposes Zero-Day Clickjacking Vulnerabilities in Major Password Managers

I will use Chrome as an example, but this applies to any Chromium-based browser. Chrome saves your passwords in this folder "C:\Users\User\AppData\Local\Google\Chrome\User Data\Default" file "Login Data" in an SQLite file format without any encryption.
This explains the "how", not the "who". My question was
And who would that be, specifically?
 
I will use Chrome as an example, but this applies to any Chromium-based browser. Chrome saves your passwords in this folder "C:\Users\User\AppData\Local\Google\Chrome\User Data\Default" file "Login Data" in an SQLite file format without any encryption. If you open it using WebBrowserPassView from nirsoft, you can see all your saved passwords. It's a legitimate programme, but now imagine what a hacker could do?
...

I tested this on Google Chrome. The passwords stored in session cookies were exposed in WebBrowserPassView, but not passwords from the Password Manager.
In your example, the passwords were stored both in session cookies and in Password Manager.
The Google Chrome passwords are indeed stored in the SQLite file format, but they are encrypted.
 
I appreciate the feedback, but that ship has sailed.

Your suggestions about cybersecurity hygiene are well-designed and welcome to many MT members/readers. 👍
However, they will not be further propagated to MT members' families and friends. MT members often can help their family members and friends, but this will usually be help with configuring the security, and rarely the cybersecurity teaching or safe habits training. That is why many posts assume that users have no special knowledge or safe habits.

I have an impression that nowadays most people use personal computers like children use electric scooters without a speed limit.
The vendors who sell those products do not have security in mind. Sadly, most people who buy those products wrongly think that they are pretty much safe.
It would be much better if the customers could behave as you suggested in your posts. This can be done by teaching the basics of cybersecurity in schools.
For now, the situation is not good, and discussions on security forums can help only a tiny percentage of people.
 
This can be done by teaching the basics of cybersecurity in schools.
Problem is they are changing by the minute… and who will remember them anyway, for many people this subject is just boring… you’re talking to them, they are yawning and they are looking left and right…

In the end, they’ve understood nothing…

Guides on online safety have been around for decades, who’s following them though.
 
The Google Chrome passwords are indeed stored in the SQLite file format, but they are encrypted.
Yes, passwords are now encrypted in Chrome. I just tested it. I did some further research and found that Google introduced encryption in the Chrome database in version 135. Only passwords are encrypted; usernames are still unencrypted. You can see my login both in the WebBrowserPassView application in the screenshot below 👇 and in the Windows Notepad in the Login Data file. (y)
This explains the "how", not the "who". My question was
I don't understand what you mean. :)
 
Still in need for dedicated password managers which keeps database offline,
Yes, I completely agree with you. That is the safest way to store your passwords: in KeePass or KeePassXC, offline and without any copies in the browser. (y)
but for online ones, Chrome password manager is becoming a real competitor.
Yes, that would be great for users if Google further improved security regarding their data saved in Chrome. It's obvious that, as it is a popular browser, hackers will always find a loophole or exploit some vulnerability. :)
 
Problem is they are changing by the minute… and who will remember them anyway, for many people this subject is just boring… you’re talking to them, they are yawning and they are looking left and right…

Yes. Standard methods will be ineffective. People are going to invent AI that will solve the problem for them. :)
 
I don't understand what you mean. :)
The "who" is the unnamed hacker you referenced as "anyone with even minimal technical knowledge" who can magically steal my data. Indeed, if my device is compromised, anything is possible. Otherwise, Chrome's password manager is secure, and I'll prefer that to a password manager extension.

Apologies for going off-topic. 🙏 🙏
 
The "who" is the unnamed hacker you referenced as "anyone with even minimal technical knowledge" who can magically steal my data.
Now I understand. I said that any malicious hacker, if you are a target and they have access to your device in some way, could steal the database. No, not magically, of course, in which case they would have to exploit some vulnerability in your device. When I said anyone with little technical knowledge, I was referring to myself. I fall into that category as someone with little technical knowledge.
Chrome's password manager is secure,
At no point did I say that Chrome's password manager is not secure, I only said that Chrome's database was not encrypted. But I ran the tests again yesterday, and now the passwords are indeed encrypted. Google fixed this in Chrome version 135 onwards. Before that, it was possible to view passwords using a simple application from Nirsoft called WebBrowserPassView.
and I'll prefer that to a password manager extension.
People are free to use whatever they think is best, whether it's a password manager integrated into the browser or an extension-based manager. I know people who save passwords in a notepad and then store them in the My Documents folder. I don't see any problem with that; people can save their passwords wherever they think is best.
 

Researcher Exposes Zero-Day Clickjacking Vulnerabilities in Major Password Managers

As of August 19, 2025, the following versions have been confirmed as still vulnerable:

  • Enpass: 6.11.6 (Latest)
I use Enpass, and v.6.11.6 is an old version released Nov 26, 2024. Enpass has released 6 updates since then, and the latest version is 6.11.13 (2033). I'm unsure if Enpass fixed the reported vulnerability with these updates.
 
I use Enpass, and v.6.11.6 is an old version released Nov 26, 2024. Enpass has released 6 updates since then, and the latest version is 6.11.13 (2033). I'm unsure if Enpass fixed the reported vulnerability with these updates.
Hello, I use it too, and for Enpass Password Manager the fix is released with the browser extension, not with the main program. The issue is fixed with extension version 6.11.6 (Google Chrome and Microsoft Edge) and version 6.11.6.2 (Firefox), as reported on the Enpass extension's release notes webpage (Release Notes for Enpass Browser Extensions - Enpass): "Fixed a clickjacking vulnerability in the extension by preventing popover windows from overlaying the inline menu (Reported by Marek Tóth)".
Furthermore, the original article Researcher Exposes Zero-Day Clickjacking Vulnerabilities in ... has been updated.
Just check in your browser that the Enpass extension is correctly updated.
 
As always the best and safest is pen and paper, of course it's not the most convenient as most people are too lazy to type it out.
Typing a 30+ character password with a mix of lower and upper case, numbers, and special marks is a real pain; also, paper can be lost or damaged by repeated use or spills of liquids.
It is easier to use a local password manager such as KeePassXC; in addition, keeping an unencrypted txt backup (two or more) on offline storage (USB memory, USB HDD, SATA HDD of an air-gapped PC).
 
I have reverted to using a password-protected archive system after using various other password managers, not liked by many but it's totally mine & works very well, fiddly but works, I often add an addition to most passwords.
A few days ago, I created a thread asking if using a password-protected compressed archive file for storing credentials is less secure than using a password manager, but I did not receive sufficient replies.