Open Menu
AllLocalCommunitiesAbout
lotide
AllLocalCommunitiesAbout
Login

Major password managers can leak logins in clickjacking attacks

⁨0⁩ ⁨likes⁩

Submitted ⁨⁨7⁩ ⁨months⁩ ago⁩ by ⁨leo@lemmy.linuxuserspace.show⁩ to ⁨news@lemmy.linuxuserspace.show⁩

https://www.bleepingcomputer.com/news/security/major-password-managers-can-leak-logins-in-clickjacking-attacks/

source

Comments

Sort:hotnewtop
  • SlartyBartFast@sh.itjust.works ⁨7⁩ ⁨months⁩ ago

    This is why I tattoo all my passwords backwards on my asscrack

    source
  • Blueshift@piefed.world ⁨7⁩ ⁨months⁩ ago

    Wouldn’t the attack need to happen on a subdomain of the site they’re trying to steal credentials for? At least Bitwarden won’t suggest any credentials to autofill otherwise (haven’t tried the others)

    source
  • arcterus@piefed.blahaj.zone ⁨7⁩ ⁨months⁩ ago

    Once again I am reminded why I always use an adblocker.

    source
  • subignition@fedia.io ⁨7⁩ ⁨months⁩ ago

    This is somewhat clever, but if you're phished into attempting to login on a malicious page, you've already lost

    source
    • Catoblepas@piefed.blahaj.zone ⁨7⁩ ⁨months⁩ ago

      Per the article, the attack works by making you think you’re clicking CAPTCHAs and reduces the opacity of the auto login buttons you’re actually pressing.

      source
      • subignition@fedia.io ⁨7⁩ ⁨months⁩ ago

        Yes, I read the article.

        source
        • -> View More Comments
  • grue@lemmy.world ⁨7⁩ ⁨months⁩ ago

    Once again Keepass proves to be the superior solution.

    source
    • halcyoncmdr@lemmy.world ⁨7⁩ ⁨months⁩ ago

      They tested 11 popular password managers, Keepass wasn’t one of them.

      So if it wasn’t even tested for attacks that nearly every other manager fails at least 1 aspect of, then you should assume it’s not safe either.

      source
      • grue@lemmy.world ⁨7⁩ ⁨months⁩ ago

        then you should assume it’s not safe either.

        Well, except that the method of exploit was involving the web browser plugin, which isn’t a thing Keepass does to begin with.

        source
        • -> View More Comments
    • pdxfed@lemmy.world ⁨7⁩ ⁨months⁩ ago

      Just like Craigslist; every ounce of energy out into veneer is energy not in the core product design and maintenance and also adds cost. Minimal, functional, excellent.

      source
  • SoupBrick@pawb.social ⁨7⁩ ⁨months⁩ ago

    1Password, Bitwarden, Enpass, iCloud Passwords, LastPass, and LogMeOnce

    source
  • hexagon527@lemmy.blahaj.zone ⁨7⁩ ⁨months⁩ ago

    So if I just use the desktop app and not the browser extension then I’m good?

    source
    • SendMePhotos@lemmy.world ⁨7⁩ ⁨months⁩ ago

      That’s what I’m getting from this too

      source
  • FailBetter@crust.piefed.social ⁨7⁩ ⁨months⁩ ago

    I'm an idiot using bw, do we have much confidence in any means of avoiding this yet or no?

    source
    • DarrinBrunner@lemmy.world ⁨7⁩ ⁨months⁩ ago

      I just now did an update and Bitwarden updated. Linux Mint.

      source
      • FailBetter@crust.piefed.social ⁨7⁩ ⁨months⁩ ago

        Nice, good looking out😎

        source
    • leo@lemmy.linuxuserspace.show ⁨7⁩ ⁨months⁩ ago

      The easy-ish way is to use the desktop app, but from the article:

      However, Bitwarden told BleepingComputer that the issues have been fixed in version 2025.8.0, rolling out this week.

      source
      • FailBetter@crust.piefed.social ⁨7⁩ ⁨months⁩ ago

        I have pretty unserious threat model, so hopefully bw team is trustworthy enough to believe in their upcoming fix.

        Many thanks Leo!

        source
        • -> View More Comments
  • SpikesOtherDog@ani.social ⁨7⁩ ⁨months⁩ ago

    Any insight in attacks on the browser password managers themselves?

    source