Popular password managers auto-filled credentials on untrusted websites

Recent research by Google has raised concerns regarding the security features of popular password management tools including Dashlane, Bitwarden, and Apple’s Safari.

Security concerns with password managers

UPDATED According to the researchers, the vulnerabilities could allow the affected password managers to fill in user credentials on untrusted websites without the user intending it.

The Google team revealed their findings on January 17, following three months of notifying the affected applications – namely, Dashlane, Bitwarden, and the integrated password manager of Safari.

While Dashlane and Bitwarden have both deployed updates, Dashlane has expressed skepticism about whether the identified vulnerabilities pose a real security risk. As for the Safari password manager, no information has been released regarding its status or updates as of this writing. The Daily Swig has reached out to Apple for comments and will provide updates as necessary.


The flaws highlighted by Google indicate that affected password managers may auto-fill login details on untrusted pages without requiring users to first enter their master passwords.

According to a Google advisory, the problem mainly appears in two situations: when a web page is served with a Content Security Policy (CSP) sandbox response header, or when a login form sits inside a sandboxed iframe.

The affected password managers do not perform the checks needed to prevent credential autofill in these scenarios, unlike other password managers such as LastPass and 1Password, which Google noted do.

“Password managers should perform checks to determine if content is sandboxed before autofilling credentials. This could be achieved in various ways; for instance, checking self.origin of a page and refraining from entering credentials if self.origin is ‘null’,” as stated in the Google advisory.
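As an added illustration (not code from the article, the Google advisory, or any of the vendors named), the following shows the kind of sandbox check the advisory describes, written as a content-script-style decision function for a browser-extension password manager. The context object, the `savedOrigins` set and the CSP header string are constructed for the example; a real extension would obtain the header through its own request-inspection machinery, which is assumed here rather than shown. The policy is deliberately conservative: an opaque `self.origin` of `"null"`, a CSP `sandbox` directive, or a sandboxed frame each block autofill, and credentials are offered only for origins the user has already saved.

```javascript
// Added example: a conservative autofill gate modelled on the Google advisory's
// advice to check for sandboxing (e.g. self.origin === "null") before filling.

// Parse a Content-Security-Policy header value into a Map of
// directive name -> array of values (directive names are case-insensitive).
function parseCsp(headerValue) {
  const directives = new Map();
  for (const part of (headerValue || "").split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    directives.set(name.toLowerCase(), values);
  }
  return directives;
}

// True when the CSP declares a sandbox, with or without allow-* flags.
// Note: "sandbox allow-same-origin" keeps a real origin, so self.origin alone
// would not reveal it; checking the header catches that case too.
function cspDeclaresSandbox(headerValue) {
  return parseCsp(headerValue).has("sandbox");
}

// Decide whether credentials may be autofilled in the given document context.
// ctx (constructed for the example) mirrors what a content script can observe:
//   origin       - value of self.origin in the frame hosting the login form
//   cspHeader    - Content-Security-Policy response header of that document
//   inIframe     - whether the form lives in a frame (self !== top)
//   frameSandbox - the frame's sandbox attribute value if readable, else null
// savedOrigins is the set of origins the user has stored credentials for.
function autofillDecision(ctx, savedOrigins) {
  // A sandboxed document without allow-same-origin gets the opaque origin "null".
  if (ctx.origin === "null") {
    return { fill: false, reason: "opaque origin (sandboxed document)" };
  }
  if (cspDeclaresSandbox(ctx.cspHeader)) {
    return { fill: false, reason: "CSP sandbox directive present" };
  }
  if (ctx.inIframe && ctx.frameSandbox !== null) {
    return { fill: false, reason: "form inside a sandboxed iframe" };
  }
  if (!savedOrigins.has(ctx.origin)) {
    return { fill: false, reason: "no credentials saved for this origin" };
  }
  return { fill: true, reason: "unsandboxed document with saved credentials" };
}

// Stand-alone demonstration over constructed contexts.
const savedOrigins = new Set(["https://accounts.example.com"]);
const sampleContexts = [
  { origin: "null", cspHeader: "", inIframe: true, frameSandbox: "" },
  { origin: "https://accounts.example.com",
    cspHeader: "default-src 'self'; sandbox allow-scripts allow-same-origin",
    inIframe: false, frameSandbox: null },
  { origin: "https://accounts.example.com", cspHeader: "default-src 'self'",
    inIframe: false, frameSandbox: null },
  { origin: "https://attacker.example", cspHeader: "", inIframe: false, frameSandbox: null },
];
for (const ctx of sampleContexts) {
  const d = autofillDecision(ctx, savedOrigins);
  console.log(`${ctx.origin.padEnd(32)} fill=${d.fill} (${d.reason})`);
}
```

Only the third context is filled: the first has the opaque origin the advisory warns about, the second keeps a real origin but is still sandboxed per its CSP header, and the fourth is an origin the user never saved for, which matches the domain-matching check Dashlane describes in its statement.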

Real-World Implications

In a statement to The Daily Swig, Bitwarden confirmed that the issue has been addressed through recent updates. Meanwhile, Dashlane indicated that although it has made updates, it remains doubtful about the existence of a significant issue.

“We do not submit or propose credentials for domains that haven’t previously been saved by the user. Therefore, in this particular scenario, we find it hard to see a tangible attack vector that could lead to credential theft.

“Insights from Google’s research have been beneficial in enhancing our communication with customers regarding autofill procedures.

“We are always open to collaborating with security researchers to identify potential threats and attacks, ensuring we evolve our security measures to provide the utmost protection for our users.”

Google has yet to respond to The Daily Swig regarding Dashlane’s remarks on their research findings.

This story was last updated on January 23 to include a revised statement from Dashlane concerning Google’s disclosure.


Based on an article from PortSwigger’s The Daily Swig: https://portswigger.net/daily-swig/popular-password-managers-auto-filled-credentials-on-untrusted-websites
