this post was submitted on 29 Aug 2025
79 points (95.4% liked)


This vulnerability was discovered by security researchers from The Hacker News. The following password managers have affected browser extensions that are based on DOM (Document Object Model):

  • 1Password
  • Bitwarden
  • Dashlane
  • Enpass
  • iCloud Passwords
  • Keeper
  • LastPass
  • LogMeOnce
  • NordPass
  • ProtonPass
  • RoboForm
9tr6gyp3@lemmy.world 28 points 2 weeks ago* (last edited 2 weeks ago) (2 children)

The only real fix to this is to have the extensions confirm that they want their information to autofill. We have come full circle. Users do not like having to confirm autofill on every page.

Also, clickjacking isn't limited to password managers. Even if a user is very careful and manually enters credentials themselves, this can still affect them.

If you do not have autofill enabled, then you are not affected by this vulnerability. It has been recommended for years to not use autofill. Always clickfill your data when you know you are at the trusted destination.

Steve@communick.news 2 points 2 weeks ago (1 children)

If that's the issue, why is ProtonPass on the list? It doesn't have autofill as far as I know.

Ghoelian@lemmy.dbzer0.com 3 points 2 weeks ago (1 children)

It does, they even list it as a feature on their front page.

Steve@communick.news 1 points 2 weeks ago

I wasn't able to find it for my father.
He decided he was willing to switch without it.