Password managers vulnerable: 40 million users at risk of stolen data
(www.pcworld.com)
from throws_lemy@lemmy.nz to tech@programming.dev on 29 Aug 03:47
https://lemmy.nz/post/27460191
This vulnerability was discovered by security researchers from The Hacker News. The following password managers have affected browser extensions that are based on DOM (Document Object Model):
- 1Password
- Bitwarden
- Dashlane
- Enpass
- iCloud Passwords
- Keeper
- LastPass
- LogMeOnce
- NordPass
- ProtonPass
- RoboForm
The important part:
FTW
I read an article about this a week ago and it said most of them already patched it.
There is an image in this article, showing nearly half of them have already.
They also say bitwarden is fixed but the image disagrees
The only real fix to this is to have the extensions confirm that they want their information to autofill. We have come full circle. Users do not like having to confirm autofill on every page.
Also, clickjacking isnt limited to password managers. Even if a user is very careful and manually enter credentials themselves, this can still affect them.
If you do not have autofill enabled, then you are not affected by this vulnerability. It has been recommended for years to not use autofill. Always clickfill your data when you know you are at the trusted destination.
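The gate that the two comments above argue for, written out as an added example (this is not code from any of the listed password managers, and the names decideFill, isVisiblyRendered and the fake window in demo() are this example's own). The idea is that a content script refuses to write a saved credential into a field it cannot prove is visible, unobscured, top-level and on the saved origin, and that even a passing check only unlocks an explicit confirmation drawn by the extension itself, not by the page:

```javascript
// Added example, not code from any of the listed password managers: a
// content-script-side gate that decides whether a saved credential may be
// written into a page at all. decideFill, isVisiblyRendered and the fake
// window used in demo() are this example's own names.

function originMatches(savedOrigin, pageOrigin) {
  // Exact origin: scheme, host and port must all agree. A login saved for
  // https://accounts.example.com is not offered on http://accounts.example.com
  // or on https://accounts.example.com.evil.test.
  return savedOrigin === pageOrigin;
}

function isVisiblyRendered(el, win) {
  // A field that is transparent, hidden or collapsed anywhere up its ancestor
  // chain still receives the clicks routed to it, which is what a clickjacking
  // overlay relies on. Refuse to fill anything the user cannot actually see.
  for (let node = el; node; node = node.parentElement) {
    const style = win.getComputedStyle(node);
    if (style.display === 'none' || style.visibility === 'hidden') return false;
    if (parseFloat(style.opacity) === 0) return false;
  }
  const r = el.getBoundingClientRect();
  if (r.width === 0 || r.height === 0) return false;
  if (r.right <= 0 || r.bottom <= 0) return false;                 // pushed off-screen
  if (r.left >= win.innerWidth || r.top >= win.innerHeight) return false;
  return true;
}

function isTopmostAtCenter(el, doc) {
  // The element that would receive a click at the field's centre must be the
  // field itself; anything else means something is layered over it.
  const r = el.getBoundingClientRect();
  return doc.elementFromPoint(r.left + r.width / 2, r.top + r.height / 2) === el;
}

function decideFill({ savedOrigin, field, event, win }) {
  const reasons = [];
  if (win.top !== win.self) reasons.push('framed');               // never fill inside an iframe
  if (!originMatches(savedOrigin, win.location.origin)) reasons.push('origin-mismatch');
  // isTrusted only rejects script-synthesised clicks. A real click on a
  // clickjacking overlay is still trusted, so the visibility checks below and
  // an extension-rendered confirmation prompt are needed on top of it.
  if (!(event && event.isTrusted)) reasons.push('no-user-gesture');
  if (!isVisiblyRendered(field, win)) reasons.push('field-not-visible');
  else if (!isTopmostAtCenter(field, win.document)) reasons.push('field-obscured');
  return { fill: reasons.length === 0, reasons };
}

// Minimal stand-in for a browser window so the gate can be exercised offline
// (constructed for this example; a real content script uses the live DOM).
function fakeWindow({ origin, framed = false, fieldStyle = {}, covered = false }) {
  const base = { display: 'block', visibility: 'visible', opacity: '1' };
  const body = { parentElement: null };
  const field = {
    parentElement: body,
    getBoundingClientRect: () => ({ left: 100, top: 100, width: 200, height: 30, right: 300, bottom: 130 }),
  };
  const styles = new Map([[body, base], [field, { ...base, ...fieldStyle }]]);
  const overlay = { parentElement: body };
  const win = {
    innerWidth: 1280, innerHeight: 800,
    location: { origin },
    getComputedStyle: node => styles.get(node),
    document: { elementFromPoint: () => (covered ? overlay : field) },
  };
  win.self = win;
  win.top = framed ? { notTheSameWindow: true } : win;
  return { win, field };
}

function demo() {
  const saved = 'https://accounts.example.com';
  const click = { isTrusted: true };
  const run = (opts) => {
    const { win, field } = fakeWindow(opts);
    return decideFill({ savedOrigin: saved, field, event: click, win }).reasons;
  };
  return {
    honest: run({ origin: saved }),                                       // []
    transparent: run({ origin: saved, fieldStyle: { opacity: '0' } }),   // ['field-not-visible']
    overlaid: run({ origin: saved, covered: true }),                      // ['field-obscured']
    framedLookalike: run({ origin: saved + '.evil.test', framed: true }), // ['framed', 'origin-mismatch']
  };
}
```

The transparent and overlaid cases are the two shapes a click-routing trick takes: either the extension's injected field is made invisible under a lure the user will click, or a visible decoy is layered over it. Both fail here without the user ever seeing a prompt; the honest case is the only one that should reach a confirmation step, which is the per-page confirmation the comment above calls the real fix.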
If that's the issue, why is ProtonPass on the list? It doesn't have autofill as far as I know.
It does, they even list it as a feature on their front page.
I wasn't able to find it for my father.
He decided he was willing to switch without it.
Laughs in KeePass
This is why I don't use a password manager. I just keep a plain text doc in my OneDrive® so I have the one password I use for everything wherever I need it.
Me reading your comment: (image: Poe's Law, https://lemmy.zip/pictrs/image/bbeeb932-39fe-40e6-be7c-bf7b064a5096.webp)
I suggest replacing OneDrive® with a public paste on pastebin. That way you won't have to remember the password for your Microsoft account.
I tried that, but my password always kept changing to dead links for torrent trackers.
I am once again asking what are the benefits of integrating your password manager into your browser? You can do all of the link verification you want outside of password manager integration.
Because I think that my clipboard is also not secure. There are so many applications that prefill when they detect something in your clipboard that I prefer to skip this step.
Browsers are insanely complex pieces of software with millions of lines of code. Clipboards have a much smaller attack vector than an entire web browser. And if you're concerned with security you should be using wayland, which I believe mitigates a lot of input access to many applications. I am trying to do reading to find some citations on this. Furthermore, password managers will automatically clear the clipboard after a few seconds as well. If you believe you are running malicious applications that are already monitoring all of your data like some sort of keylogger, then your web browser is already lost.
The clipboard is about the weakest of all points of "security".
Any program or app can just poll and even alter the clipboard to see when the copied data changes, and copy the newly changed data, and even modify it, or store it in a hidden/online database.
I did this for legit local purposes, to do things like type a math formula into notepad, cut it into the clipboard, and the background service could solve the formula, then when you paste it back in, the clipboard data now contains the solution to 355/113…
The clipboard is like the absolute last place you want to copy your private information, because basically anything can access it with ease.
emersion.fr/…/wayland-clipboard-drag-and-drop/
The graphical application must be in focus to gain access to the clipboard, and wayland is designed to prevent such focus stealing*. As mentioned earlier, password managers such as keepassxc will automatically clear your clipboard after copying sensitive data - this is a configurable behavior. This means that no other application should have the opportunity to steal focus, and your clipboard should be cleared of sensitive content before you open up a privacy dismissive application that wants to surveil your clipboard.
*I need to do a bit more digging to find further verification of this focus stealing prevention behavior of wayland, and if I can find that information I will cite here.
I noticed you were discussing the "notepad", are you talking about the windows operating system? I cannot speak on its clipboard management, unfortunately. That said, I would not run the windows operating system if I cared about privacy. The erosion of privacy destroys any semblance of security, eh?
Edit: Following up, I did find some information from the vim text editor that discusses stealing focus in wayland. You can read about it here vimhelp.org/wayland.txt.html#wayland-focus-steal . So far, it appears as though applications do not have access to the clipboard unless focused, which is a design on wayland's part to secure this. However, vim is showcasing a way to steal focus and thus subvert this security effort? It does note that if you are in a full screen mode then it cannot steal focus. Anyway, more reading to be done still. There appear to be methods of determining an application is doing this "focus stealing".
So with this behavior in mind, and with the way the clipboard works, no application would know what contents are inside the clipboard until in focus. Therefore an application would either have to "guess" when sensitive content is available, or steal focus quite often. The former being unlikely, and the latter most likely being able to be detected by the user.
Indeed I was referring to what I'm more familiar with regarding the clipboard, Windows, more particularly XP era.
It's really neat and handy what all honest and local background services can do with an open clipboard, but yeah it's also a total security nightmare when used nefariously.
I don't know all that much about any newer versions of Windows, as I switched to Linux after the Windows 8 disaster came out.
I'm also not familiar with Wayland quite yet, though I've heard of it for a few years now. Anyways, I just play it safe and never copy any personal information into the clipboard, nor do I use a password manager, that's what I have good brain memory for…
Thank you for making me smarter!
There is one thing I don't understand though. Wouldn't the password manager need to have its window focused to clear the clipboard? And wouldn't that allow any focused window to extract the information in the meantime?
Any time, we're all in this together after all. I needed to learn some here as well, and if anybody comes by with follow up knowledge it is welcome.
As far as wayland works, source clients (the application you copy from) can clear the clipboard without stealing the focus. Note that if you copy from another client, the source client is now changed to the new one and the password manager will no longer be able to clear your clipboard. And this behavior is easily verifiable.
Unfortunately I am unsure if any focused application obtains access to clipboard content immediately or if the user needs to initiate some sort of Ctrl+v behavior. This would need to be followed up on. However, that is why I give my password manager a 10 second timeout to clear the clipboard. Honestly it could be shorter. But I do not alt tab through a bunch of random applications in the meantime. Typically I go straight to where the authentication is needed, and nowhere else. Meaning my clipboard should be cleared of sensitive data before I ever give clipboard access to another app.
Better than other graphical compositors which simply broadcast your clipboard content to the entire ecosystem.
So where we're at is 1) do apps get access to the clipboard immediately upon focus, and 2) what is happening where it appears some applications have hacked a way to steal focus.
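The "clear the clipboard N seconds after copying a secret" behaviour discussed in the last few comments, as an added example (this is not KeePassXC's code, nor any compositor's). The point it makes concrete is the one raised above about a later copy: the clear must only wipe what the manager itself put there, and a second copy before the first deadline must replace the pending timer rather than fire on the stale one. The clipboard and timer are injected interfaces with an assumed shape (read()/write(text) and schedule(ms, fn)/cancel(id)); in a browser you would back them with navigator.clipboard and setTimeout, and the two fakes below are constructed for the offline demo:

```javascript
// Added example, not code from KeePassXC or any compositor. Clipboard and
// scheduler are injected so the same logic runs against a fake here and
// against navigator.clipboard + setTimeout in a browser; their shape
// (read/write, schedule/cancel) is this example's assumption.

class SecretClipboardGuard {
  constructor(clipboard, scheduler, ttlMs = 10000) {
    this.clipboard = clipboard;
    this.scheduler = scheduler;
    this.ttlMs = ttlMs;
    this.pending = null; // { timerId, secret } for the most recent copy
  }

  copy(secret) {
    // A second copy before the first deadline replaces the pending clear;
    // otherwise the first timer would wipe the new secret early.
    if (this.pending) this.scheduler.cancel(this.pending.timerId);
    this.clipboard.write(secret);
    const timerId = this.scheduler.schedule(this.ttlMs, () => this.clearIfUnchanged(secret));
    this.pending = { timerId, secret };
  }

  clearIfUnchanged(secret) {
    this.pending = null;
    // If the user copied something else since, the clipboard is theirs now
    // (on Wayland the source client has changed and we could not clear anyway).
    if (this.clipboard.read() !== secret) return 'left-alone';
    this.clipboard.write('');
    return 'cleared';
  }
}

// Fake clipboard and a manually advanced clock (constructed for the demo).
class FakeClipboard {
  constructor() { this.text = ''; }
  read() { return this.text; }
  write(text) { this.text = text; }
}

class FakeScheduler {
  constructor() { this.now = 0; this.timers = new Map(); this.nextId = 1; }
  schedule(ms, fn) { const id = this.nextId++; this.timers.set(id, { at: this.now + ms, fn }); return id; }
  cancel(id) { this.timers.delete(id); }
  advance(ms) {
    const target = this.now + ms;
    const due = [...this.timers.entries()].filter(([, t]) => t.at <= target).sort((a, b) => a[1].at - b[1].at);
    const fired = [];
    for (const [id, t] of due) { this.timers.delete(id); this.now = t.at; fired.push(t.fn()); }
    this.now = target;
    return fired;
  }
}

function demo() {
  const clip = new FakeClipboard();
  const clock = new FakeScheduler();
  const guard = new SecretClipboardGuard(clip, clock, 10000);
  const log = [];

  // 1. Copy a password, nothing else touches the clipboard: wiped at +10 s.
  guard.copy('hunter2-but-longer');
  log.push(...clock.advance(10000), clip.text);          // 'cleared', ''

  // 2. User copies a URL at +3 s: at +10 s the URL must survive.
  guard.copy('correct horse battery staple');
  clock.advance(3000);
  clip.write('https://example.test/');
  log.push(...clock.advance(7000), clip.text);           // 'left-alone', 'https://example.test/'

  // 3. Two secrets 2 s apart: first timer cancelled, second fires at its own +10 s.
  guard.copy('first-secret');
  clock.advance(2000);
  guard.copy('second-secret');
  log.push(...clock.advance(8000), clip.text);           // nothing fires, 'second-secret'
  log.push(...clock.advance(2000), clip.text);           // 'cleared', ''
  return log;
}
```

Note what this does not solve: any application that is allowed to read the clipboard inside the ten-second window still gets the secret, which is exactly the gap the "does focus grant immediate access" question above is about. The timeout only shrinks the window; it does not close it.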
In KeePass you can use auto-typing or the clipboard. Evading the clipboard is certainly good security practice.
You should try what another person on here does and store them in a "trusted" Microsoft cloud drive \s
Passkeys don't seem vulnerable to this. Why we still have username/password combos in 2025 is beyond me.
Edit: Downvoted myself because I'm obviously wrong.
Passkeys were very much vulnerable, based on the original articles charts.
Good to know I'm unaffected
PW: !babyJ3sus123!
I guess I've never understood how storing all of your passwords behind one password is the slightest bit secure.
I deliberately chose KeePass with no web browser extension and no cloud service that other password managers and password manager services provide to reduce risks.
Web browsers are very interconnected tech with non-obvious relations and risks. Having my web browser access my password database feels inherently irritating.
Web browsers' own password managers with optional sync have the benefit of auto-fill only being offered for the correct domain names. But I'd never store my critical passwords in them.
Having to launch a separate password manager, enter a long master key, and then copy-paste/trigger-auto-type the content from it is cumbersome, but the only way to add a reasonably robust separation.