@1Password any security tips on this?
-
Hey Tiago! This is why I avoid automatic filling and require the user to trigger filling. More here: https://support.1password.com/kb/201712/
-
And would you have anything preventing, for example, filling in the password or username field twice in a page? This way I’d be able to know if there are any hidden fields
-
I was interested in this as well. I've seen usernames inserted into non-username fields before... But would 1pass ever insert it twice in one page? Also, is there any way for 1pass extension to distinguish hidden elements from visible ones?
-
I’ve seen 1password filling usernames and pwds multiple times, even in hidden fields (incl passwords in text inputs). Auto-filling is broken by design IMO
-
I can't find any auto-filling functionality in 1Password - could you help me with a bit more information on what you're seeing and what the scenario is like?
-
Using the browser plugins of 1password it inserts credentials on demand (key press). It's not completely automatic, but has the same problems
-
That wouldn't apply in this scenario then. Since these form elements are entirely hidden, there's no way for the user to interact with them and get 1Password to expose data.
-
I need to test this but I would be extremely surprised if the browser would let a script read the value of a password field.
-
They create their own password field on a non-login page - it doesn't use the proper one. Some password managers don't differentiate, some actively defend against these types of attacks (e.g. non-visible login forms).
-
What I mean though is that a password manager should only fill a field of type password, no matter what the name or ID of the field is. Then the browser prevents the leak of the password in the field.
-
The proper username/pass fields aren't being subverted at all. This wouldn't be happening on the login page. On a different page on the same site, the 3rd party ad script creates fields that fool password managers into auto-filling.
-
Yes but even if the manager fills the password, there shouldn't be any way for a script to access the value of that created field.
-
Try it for yourself. Here's Princeton's demo page: https://senglehardt.com/demo/no_boundaries/loginmanager/index.html …
-
Thanks for the link, was interesting! (It got the info from my browser's built-in manager, but not from the one I actually use.)
-
Same here. Which 3rd party one do you use?
-
Is it true?
@leolaporte @SGgrc https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-user-identities-web-trackers-exploit-browser-login-managers/ … I don't let my browser 'remember' passwords. Is that enough?
-
So there are three components here:
1. Form auto-fill, which has been in all browsers for a long time
2. 'Saved password' functionality, which has also been in browsers for a while
3. 3rd party password manager auto-fill, which is a bit newer
-
The first two, you can check in your browser settings. The third, in your password manager extension/plugin settings. You can still use auto-fill, you just want to make sure it requires manual input from you first.
-
Safari seems to do a good job at that