1Password, Bitwarden, Enpass, iCloud Passwords, LastPass, and LogMeOnce
Major password managers can leak logins in clickjacking attacks
Submitted 5 days ago by leo@lemmy.linuxuserspace.show to news@lemmy.linuxuserspace.show
Comments
SoupBrick@pawb.social 5 days ago
arcterus@piefed.blahaj.zone 5 days ago
Once again I am reminded why I always use an adblocker.
subignition@fedia.io 5 days ago
This is somewhat clever, but if you're phished into attempting to login on a malicious page, you've already lost
Catoblepas@piefed.blahaj.zone 5 days ago
Per the article, the attack works by making you think you’re clicking CAPTCHAs and reduces the opacity of the auto login buttons you’re actually pressing.
Blueshift@piefed.world 5 days ago
Wouldn’t the attack need to happen on a subdomain of the site they’re trying to steal credentials for? At least Bitwarden won’t suggest any credentials to autofill otherwise (haven’t tried the others)
SpikesOtherDog@ani.social 5 days ago
Any insight in attacks on the browser password managers themselves?
hexagon527@lemmy.blahaj.zone 5 days ago
So if I just use the desktop app and not the browser extension then I’m good?
SendMePhotos@lemmy.world 5 days ago
That’s what I’m getting from this too
SlartyBartFast@sh.itjust.works 5 days ago
This is why I tattoo all my passwords backwards on my asscrack
FailBetter@crust.piefed.social 5 days ago
I'm an idiot using bw, do we have much confidence in any means of avoiding this yet or no?
leo@lemmy.linuxuserspace.show 5 days ago
The easy-ish way is to use the desktop app, but from the article:
However, Bitwarden told BleepingComputer that the issues have been fixed in version 2025.8.0, rolling out this week.
FailBetter@crust.piefed.social 5 days ago
I have a pretty unserious threat model, so hopefully the bw team is trustworthy enough to believe in their upcoming fix.
Many thanks Leo!
DarrinBrunner@lemmy.world 5 days ago
I just now did an update and Bitwarden updated. Linux Mint.
FailBetter@crust.piefed.social 5 days ago
Nice, good looking out😎
grue@lemmy.world 5 days ago
Once again Keepass proves to be the superior solution.
halcyoncmdr@lemmy.world 5 days ago
They tested 11 popular password managers, Keepass wasn’t one of them.
So if it wasn’t even tested for attacks that nearly every other manager fails at least 1 aspect of, then you should assume it’s not safe either.
grue@lemmy.world 5 days ago
Well, except that the method of exploit involved the web browser plugin, which isn’t a thing Keepass does to begin with.
pdxfed@lemmy.world 5 days ago
Just like Craigslist; every ounce of energy put into veneer is energy not in the core product design and maintenance, and it also adds cost. Minimal, functional, excellent.