Most Password Managers leak in plaintext

Yeah, with respect for Tavis Ormandy for his technical expertise, there are far more credentials for sale on the darkweb from infostealers that steal from the built-in browser’s password managers than from the vulnerabilities that he mentions.

Would you trust Microsoft with your secrets? Perhaps the recent breaches, including email accounts used by US congressmen, should speak for themselves. How about an on-line password manager? Well, Lastpass.

But breaches could happen with any password manager. I do not store some passwords, like for email, 2FA, Bitwarden and security notes, at all, so if a breach happens it would not be that bad: without access to those critical services, leaked passwords are less useful and harder to change.

Basically every password manager, including Proton Pass, has this problem, but honestly it is not a reason to freak out because it would require malware in our system for it to become a problem. Proton has explained this here.

1 Like

Urghh… I don’t like the current state of the extensions.

  • Bitwarden just plainly injects its script with the whole moz-extension: ID in the DOM, so websites can easily track you with that ID.

  • 1password by default at least puts the ID inside a closed shadow-root, which is not the best choice as window.find() can still find the text inside that shadow DOM. But if they don’t slip any information in text form inside, it’s still good against the websites.

  • Proton Pass might have a better approach than the others by using fine-grained/optional permissions (you choose which sites you want to enable Proton Pass on) and putting the ID inside an open shadow-root (no way for websites to access data inside the shadow DOM).

However, on the sites where you enable Proton Pass, even when you turn off all auto-fill/click-to-fill options, its node still appears in the DOM, unlike 1password, which will not inject anything into the DOM after you turn off all auto-fill/click-to-fill options.

Note that any shadow-root (open or closed) can be infiltrated by other extensions, so none of the two above are safe within the scope of other extensions either. (Not to mention that the simple nodes the three above inject into the DOM help websites easily detect which password manager users are using already.)


I might switch to using desktop software soon, but currently only Keepass and 1password support auto-type to fill the browser, and I’m not really confident about operating a reliable syncing method for a Keepass database without using tracking services like Dropbox.

3 Likes

I do not store some passwords, like for email, 2fa, Bitwarden, security notes at all

If it’s not too intrusive, where do you keep those that you don’t store in Bitwarden?

Basically every password manager

Well, except for Keepass and Kaspersky. May need to dig why they are so magical.

They are probably using some form of obfuscation, which according to Proton is pretty much useless and really just security theater.

It seems this behavior is related to passkeys, but I don’t understand the big concern here. Is the issue that websites could see the specific password manager you are using? I don’t see this as a huge concern unless you are concerned about anonymity. In that case, you probably should be using Mullvad or Tor Browser and not use any extensions.

In my opinion, the benefits of using the browser extension of your password manager outweigh the potential downsides. For example, you gain phishing protection that you wouldn’t have otherwise. Also, I don’t think you can autofill passkeys in your browser using a desktop app of any password manager.

2 Likes

Memorized. I use them so rarely that I sometimes have a hard time remembering the correct phrase.

1 Like

No, this is not related to passkeys. It’s about the autofill/click-to-fill of user names and passwords. I already wrote that above. I didn’t mention anything about passkeys.

The Bitwarden case is not just “the website knows what PM you are using”, it’s that websites know exactly your PM’s ID, which is unique to your current Firefox browser. I wrote that above.

The two other cases don’t suffer from the websites but potentially suffer from ID leaking from the other extensions on Firefox. I wrote that above.

On Chromium, it’s less severe as the extensions have the same ID as on the store. It just adds one more easy data point to collect. That’s why I wrote “easily”, because there’s already a POC test for websites to detect which extensions you are using, but it’s more complicated and not as dead simple to do as this case. I just don’t like one more unnecessary and totally avoidable data point revealed like that. It doesn’t mean it’s dead serious or something, but tracking is always about gathering those small points.


Of course I’m using the PMs’ benefits of auto-fill/click-to-fill myself. That’s why I just say “I don’t like the current state of the PM extensions”, as there are other ways to interact with websites’ DOM without using their own extension’s URIs. If there’s no other way to do it, I’ll just choose the one that reveals the least based on my activities.

Currently the desktop ability I mentioned above is auto-type, i.e. they auto-“type” the username and password based on your keystroke input location. It was implemented by Keepass first since it’s an offline PM, then 1password (Bitwarden has also had a long discussion with users asking for this for years now). I didn’t need that feature at first due to the extensions, but given how they implement it like that, I’ll check it again to see if it can still fit my needs without the extensions or not.

I said this because this thread in Bitwarden’s subreddit makes it seem that this behaviour started happening specifically after passkey support was implemented.

This is still not clear to me. What exactly is the password manager ID that you’re talking about, and what can it reveal about me to a website?

Ah I see, I misunderstood what you meant there. Yeah then it’s even worse since I don’t use passkey but still have to get that script injected.


In Firefox, when you install an add-on, it gets a unique ID. Even when you install the same add-on on another machine, you’ll get another unique ID. That ID of the extension goes with that browser as you browse websites as well. So when an observer sees that that unique ID (i.e. you) appears on websites A, B, C… they know what you are browsing even though A, B, C… might not be related to each other, without caring about your other fingerprints/cookies/storage…


Update: Looks like the solution for Bitwarden is disabling passkey support.

Thanks for the information. Relating to the Bitwarden’s passkey support, you can disable that in the extension settings which might prevent the script from being injected.

If it is possible to detect those IDs, isn’t fingerprinting protection kind of broken then? Even more so for Firefox.

From the paper:

Although not explicitly stated, the paper indicated:

With reference to Table 2a, it is observed that only three PMs do not expose any plaintext password across all six scenarios. This does not mean that the password(s) are indeed not present in the memory (dump); contrastingly, they may exist in the dump, but they are in some secret obfuscated form that only the PM can parse.

For the paper’s arguments against this kind of method from the PMs:

… if they apply some form of obfuscation to the passwords loaded in memory, they may provide a false sense of security; this is a form of security by obscurity, which generally, as well as in this case, is only effective as long as the (secret) obfuscation pattern remains confidential.

Further suggestion:

To enhance the robustness of the obfuscation procedure, a variable, frequently changing pattern should be used, ideally paired with other techniques

So, Keepass must be using some kind of run-time (but not so secret) obfuscation technique. I personally disagree with Proton’s characterization, though. Keepass is often the leader in using techniques that would defeat generic malware that doesn’t explicitly attack Keepass, which other people (including KeepassXC) don’t like because they can be easily defeated. So Keepass is like, well, if I am running faster than you, the lion will eat you, but if the lion likes me, oh well.

Well, let me mention my “findings” just in case they’re useful.

For Bitwarden, because of its “login with device”/passwordless feature, you may hardly ever have to enter the master password anymore. In this case, you are immune to the keylogging attack losing the entire vault, or even losing one entry at a time. If you are using its extension, you are immune to the clipboard attack for online accounts, but are vulnerable for offline accounts.

For Keepass/KeepassXC, unless you use a 3rd party extension, you have to enter the master password on start (making this vulnerable to keyloggers, losing the entire vault). You can use a keyfile/hardware challenge-response to lessen/“eliminate” the risk. If you use the autotype feature, you are still vulnerable to keyloggers, one password at a time, unless you are using Keepass’ (but not KeepassXC’s) two-channel-obfuscated autotype feature, which doesn’t work for all apps, and for which open-source code to defeat it already exists.

Autotype is not as convenient as an extension autofill, but it is workable for the websites too, although autotyping in general suffers from autotyping into unintended places, or having to be excessively programmed to match the Windows/URL.

Keepass/KeepassXC also have super-responsive developers, compared to BW. BW has superactive users.
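To make the paper’s suggestion concrete (an obfuscation pattern that changes on every access, paired with wiping), here is a small C example I wrote for this thread; it is not the code of Keepass or any other password manager, and the secret_t type and its functions are my own names. contains_plaintext() stands in for the literal-string search that a memory-dump analysis like the paper’s performs.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define SECRET_MAX 64

/* Credential kept XOR-obfuscated; the pad is re-randomised on every access and
 * the whole struct is wiped on release. Constructed for this thread, not PM code. */
typedef struct {
    unsigned char data[SECRET_MAX];  /* plaintext ^ pad */
    unsigned char pad[SECRET_MAX];   /* sits beside data: obscurity, not encryption */
    size_t len;
} secret_t;
static void secure_wipe(void *p, size_t n) {   /* volatile: compiler cannot drop the wipe */
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}
static void fill_random(unsigned char *buf, size_t n) {  /* demo source; use getrandom() or similar for real */
    FILE *f = fopen("/dev/urandom", "rb");
    if (f && fread(buf, 1, n, f) == n) { fclose(f); return; }
    if (f) fclose(f);
    abort();   /* no usable entropy: refuse to continue */
}
int secret_store(secret_t *s, const char *plain) {
    size_t n = strlen(plain);
    if (n > SECRET_MAX) return -1;
    secure_wipe(s, sizeof *s);
    s->len = n; fill_random(s->pad, n);
    for (size_t i = 0; i < n; i++) s->data[i] = (unsigned char)plain[i] ^ s->pad[i];
    return 0;   /* the caller's own copy of `plain` must be wiped as well */
}
/* Decode into `out`, then re-pad in place so the stored bytes change on every access. */
int secret_reveal(secret_t *s, char *out, size_t cap) {
    unsigned char fresh[SECRET_MAX];
    if (cap < s->len + 1) return -1;
    fill_random(fresh, s->len);
    for (size_t i = 0; i < s->len; i++) {
        out[i] = (char)(s->data[i] ^ s->pad[i]);
        s->data[i] ^= s->pad[i] ^ fresh[i];   /* re-obfuscate without a plaintext copy */
        s->pad[i] = fresh[i];
    }
    out[s->len] = '\0'; secure_wipe(fresh, sizeof fresh);
    return 0;   /* `out` is the exposure window: wipe it as soon as it has been used */
}
void secret_release(secret_t *s) { secure_wipe(s, sizeof *s); }
/* The test a memory-dump analysis performs: is the literal credential in this region? */
int contains_plaintext(const void *region, size_t n, const char *needle) {
    size_t m = strlen(needle); const unsigned char *r = region;
    for (size_t i = 0; m && i + m <= n; i++)
        if (memcmp(r + i, needle, m) == 0) return 1;
    return 0;
}
```

The pad sits next to the data, so anyone who knows the layout recovers the secret from the same dump; this only defeats a generic string scan, which is exactly the security-by-obscurity caveat the paper raises.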

Yeah, that’s why extensions’ devs need to be careful with their code. There are other ways to code without revealing the ID inside the DOM. uBO, when you use the element picker/zapper on the page, also uses its own iframe, but there’s no ID revealed inside/outside it.

having to be excessively programmed to match the Windows/URL.

That’s actually the same as the extension though? When I save info to Bitwarden, it needs to have the URI to match which page you want to auto-fill too. That’s the same with Keepass autotype if both have the same information for that website.

You are right about “Windows title” matching. I might be a bit harsh because it is so easy to program the URL.

BTW, some password managers apparently allow drag-and-dropping the password. It doesn’t use the clipboard, and it doesn’t look like it emulates a keyboard, so this might be a channel that malware hasn’t exploited yet.

1 Like

I wonder if anti-keylogger/keystroke encryption tools like HitmanPro.Alert are effective?