Is Your Password Manager at Risk? Understanding Clickjacking Vulnerabilities

Asked By RandomUser42 On

Hey everyone! I recently came across a serious vulnerability affecting many popular password managers due to a DOM-based extension clickjacking issue. A security researcher has pointed out that this affects various extensions and can even allow attackers to access sensitive information, like your login credentials, even if you have 2FA enabled. There are some password managers that have released fixes, but others are still vulnerable. I've linked to the original disclosure and a demo site where you can test this yourself with fake data. It's crucial for all of us to stay informed, especially since this could compromise our security. What are your thoughts on it? Any recommendations on how to protect ourselves?

2 Answers

Answered By TechWhiz99 On

I found out that Bitwarden has a fix coming out soon, but it's concerning that they took this long. They’ve had since April to address it after it was publicly revealed and are only now rolling out an update.

SecuritySkeptic22 -

Totally agree! It raises eyebrows when they wait so long. Plus, 1Password and LastPass seem to be lagging without proper solutions, which makes it more frustrating.

Answered By CyberNerd101 On

If you're looking for a simple explanation, here’s how this vulnerability works using 1Password as an example: Imagine clicking a checkbox on a compromised website which also clicks hidden elements in your 1Password extension, potentially leaking sensitive data like credit card info. It’s pretty scary, especially if your vault is unlocked! Users often tweak settings without realizing the risks. Always check your security settings!

CuriousCat98 -

Wow, that’s a great rundown! Would implementing a master password requirement help at all?
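
The scenario in CyberNerd101's answer depends on the extension's UI being invisible at the moment the click lands. As an added example (not part of any post in this thread and not any vendor's actual fix), here is a check an extension could run before honoring a click on its own injected UI. The plain-object element model, the `MIN_OPACITY` threshold and all function names are assumptions made for illustration.

```javascript
// Added example. Elements are modelled as plain objects so this runs in Node;
// in a content script use getStyle = el => getComputedStyle(el) and
// getParent = el => el.parentElement.
const MIN_OPACITY = 0.9; // assumed threshold, not from any vendor's fix

function hiddenReasons(el, getStyle, getParent) {
  const reasons = [];
  // visibility is inherited, so the target's computed value is enough.
  if (getStyle(el).visibility === "hidden") reasons.push("visibility:hidden");
  let opacity = 1;
  // Opacity is not inherited but composites, so multiply along the chain.
  for (let node = el; node; node = getParent(node)) {
    const style = getStyle(node);
    if (style.display === "none") reasons.push("display:none in ancestor chain");
    const o = parseFloat(style.opacity);
    if (!Number.isNaN(o)) opacity *= o;
  }
  if (opacity < MIN_OPACITY) reasons.push(`effective opacity ${opacity.toFixed(2)}`);
  return reasons;
}

function shouldHonorClick(event, el, getStyle, getParent) {
  const reasons = hiddenReasons(el, getStyle, getParent);
  // Script-generated clicks have isTrusted === false.
  if (!event.isTrusted) reasons.unshift("synthetic event");
  return { allow: reasons.length === 0, reasons };
}

// Constructed sample tree: html > body > extension UI root > fill button.
function makeTree(bodyOpacity, rootOpacity, buttonOpacity) {
  const html = { style: { opacity: "1" }, parent: null };
  const body = { style: { opacity: bodyOpacity }, parent: html };
  const root = { style: { opacity: rootOpacity }, parent: body };
  return { style: { opacity: buttonOpacity, visibility: "visible" }, parent: root };
}
const getStyle = (n) => n.style;
const getParent = (n) => n.parent;
const userClick = { isTrusted: true };

console.log(shouldHonorClick(userClick, makeTree("0.01", "1", "1"), getStyle, getParent));
```

The check covers only styles along the ancestor chain; it does not detect another element drawn on top of the extension's UI.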
