Pulse of Truth

1541 readers

48 users here now

Cyber Security news and links to cyber security stories that could make you go hmmm. The content is exactly as it is consumed through RSS feeds and wont be edited (except for the occasional encoding errors).

This community is automagically fed by an instance of Dittybopper.

founded 2 years ago

MODERATORS

krogoth

Major password managers can leak logins in clickjacking attacks (www.bleepingcomputer.com)

submitted 1 week ago by lemmydev2 to c/pulse_of_truth

3 comments fedilink hide all child comments

Six major password managers with tens of millions of users are currently vulnerable to unpatched clickjacking flaws that could allow attackers to steal account credentials, 2FA codes, and credit card details. [...]

you are viewing a single comment's thread
view the rest of the comments

[–] FailBetter@crust.piefed.social 2 points 1 week ago (1 children)

I know you said just don't use the extension, but I'm a dolt. Is there a safest alternative method of use for me? Like am I better off only using a pass manager app on my phone?

[–] voracitude@lemmy.world 2 points 6 days ago

Nah you'll be alright, using the desktop app is fine; the attack works by first having you go to a compromised page, and then the page has some code to trick the password manager into auto filling your details without your consent or knowledge.

1Password's extension pops up a notice when filling some sensitive data and that notice cannot be hidden by the page you're on, like credit card data and maybe personal ID information, but regular passwords and 2fa don't have that confirmation. Can't speak for other managers on that, but generally if you just don't use the extension and instead manually copy and paste from the password manager, you're immune to this attack.