
Popular password managers auto-filled credentials on untrusted websites

Security shortcomings mean that multiple password managers could be tricked into auto-filling credentials on untrusted pages, security researchers at Google warn.

The team from Google went public with their findings on Tuesday (17 January), 90 days after notifying the applications – Dashlane, Bitwarden, and the built-in password manager bundled with Apple’s Safari browser – of the vulnerabilities.

Both Dashlane and Bitwarden have updated their software although Dashlane, at least, remains unconvinced that the bug represents any kind of security threat. The status of any fix for Apple’s Safari built-in password manager remains unconfirmed at the time of writing. The Daily Swig has asked Apple to comment and we’ll update this story as and when more information comes to hand.

The security shortcomings outlined by Google mean that the vulnerable password managers auto-fill credentials into untrusted pages, without first requiring users to enter their master password.

An advisory from Google explains that the issue arises in two scenarios: where web pages have a CSP (content security policy) sandbox response header or where forms are inside a sandboxed iframe.

Auto-filling by password managers should not happen in either scenario but the affected applications all fail in this regard when encountering sandboxed content. Other password managers (including LastPass, 1Password, and Google Chrome’s password vault technology) avoid this mistake, said Google.

“Password managers should check whether content is sandboxed before auto-filling credentials. This can be done in many ways, but one way is to check self.origin of a page and refuse to fill in credentials if self.origin is ‘null’,” according to the Google advisory.
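The check described in the advisory, as an added example that is not code from Google's advisory or from any of the named password managers: it models how a browser assigns an origin to a document (the opaque origin, which self.origin reports as the string "null", for a CSP sandbox directive or an iframe sandbox attribute that lacks allow-same-origin) and the fill decision a password manager should take from that value. The function names and the sample URLs are assumptions.

```javascript
// Added example: models the browser's origin assignment for sandboxed
// documents and the pre-fill check a password manager should perform.
// Function names and sample origins are assumptions for illustration.

// Parse a Content-Security-Policy header value into directive -> tokens.
function parseCsp(headerValue) {
  const directives = new Map();
  for (const part of (headerValue || "").split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// Origin a browser assigns to a document loaded from `url`.
// `cspHeader`: the page's CSP response header value, or null.
// `frameSandbox`: the enclosing iframe's sandbox attribute value, or null
// when the document is not in a sandboxed frame.
// A sandbox (from either source) without allow-same-origin gives the
// document an opaque origin, which self.origin reports as "null".
function documentOrigin(url, cspHeader, frameSandbox) {
  const flagSets = [];
  const cspSandbox = parseCsp(cspHeader).get("sandbox");
  if (cspSandbox !== undefined) flagSets.push(cspSandbox);
  if (frameSandbox !== null && frameSandbox !== undefined) {
    flagSets.push(frameSandbox.trim().split(/\s+/));
  }
  for (const flags of flagSets) {
    if (!flags.map((f) => f.toLowerCase()).includes("allow-same-origin")) {
      return "null";
    }
  }
  return new URL(url).origin;
}

// Decision a password manager should make before auto-filling.
// `pageOrigin` is what the content script sees as self.origin;
// `credentialOrigin` is the origin the saved credential belongs to.
function autofillDecision(pageOrigin, credentialOrigin) {
  if (typeof pageOrigin !== "string" || pageOrigin === "null") {
    return { fill: false, reason: "opaque origin: document is sandboxed" };
  }
  if (pageOrigin !== credentialOrigin) {
    return { fill: false, reason: "origin does not match saved credential" };
  }
  return { fill: true, reason: "ok" };
}
```

Both scenarios from the advisory (a `sandbox` CSP header on a top-level page and a form inside a sandboxed iframe) collapse to the same "null" origin, so the single self.origin check covers both.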

Real world impact

In response to a query from The Daily Swig, Bitwarden confirmed that the issue had been resolved through a recent pull request. Dashlane told The Daily Swig that it had also updated its technology even though it remains unconvinced there was a substantive problem in play.

“We’ve changed the behavior following the report (so the advisory is misleading),” Dashlane said. “We also don’t believe that it was a real issue to start with (the author doesn’t detail any real attack scenario nor answer our questions).”

Google has yet to respond to The Daily Swig’s request for comment on Dashlane’s criticism of its research findings.

Copyright 2021 Associated Press. All rights reserved.

Source: https://portswigger.net/daily-swig/popular-password-managers-auto-filled-credentials-on-untrusted-websites
