Recent research from Google has highlighted potential security vulnerabilities affecting several popular password management tools, including Dashlane, Bitwarden, and Safari’s built-in password manager.
UPDATED: Security researchers at Google have issued warnings about vulnerabilities that could lead several password managers to auto-fill credentials into untrusted web content. The disclosure came after Google notified the affected vendors—Dashlane, Bitwarden, and Apple (for Safari)—about the issues 90 days earlier.
Dashlane and Bitwarden have since shipped updates to address the problem, although Dashlane disputes that it poses a significant threat. As of this writing, the status of a fix for Safari’s built-in password manager is unknown. The Daily Swig has asked Apple for comment and will update this article as more information becomes available.
The vulnerabilities discovered by Google mean that password managers could inadvertently auto-fill user credentials into untrusted sites, bypassing the requirement for users to enter their master passwords first.
According to Google’s advisory, the problem arises in two situations: when a page is served with a Content Security Policy `sandbox` response header, or when a login form is nested inside a sandboxed iframe. In both cases (unless the sandbox explicitly grants `allow-same-origin`) the browser gives the document an opaque origin, which is how sites isolate content they do not trust, even though the document’s URL still points at the hosting site.
Password managers should refrain from auto-filling credentials in either situation. The three applications named above did not apply that rule to sandboxed content, whereas LastPass, 1Password, and Chrome’s built-in password manager already handled it correctly.
Google advises that “Password managers should verify whether the content is sandboxed before auto-filling credentials. This verification can be performed in various ways, including checking the self.origin of a page and refraining from filling in credentials if the self.origin is ‘null’.”
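To make the recommended check concrete, here is an added illustration in JavaScript; it is not code from Google’s advisory or from any of the password managers named in this article. It models a document the way an extension’s content script would observe it: `location` keeps the page’s real URL even inside sandboxed content, while `self.origin` (the `origin` field in the model) becomes the string "null" when the document has an opaque origin, which is what a CSP `sandbox` response header or a sandboxed iframe without `allow-same-origin` produces. The `vault` store, the URLs, and the hostname-matching "naive" manager are constructed for the example; the naive variant is an assumption about how a manager could go wrong, not a description of any named product.

```javascript
// Added illustration of the origin check Google's advisory recommends.
// Not code from Google, Dashlane, Bitwarden, Apple or PortSwigger; the
// vault contents, URLs and the "naive" manager are constructed for the demo.

// Hypothetical credential store, keyed by the origin the user saved them for.
const vault = new Map([
  ["https://example.com", { username: "alice", password: "correct horse battery staple" }],
]);

// Models a document as an extension's content script would observe it.
// `sandboxFlags` is the set of sandbox tokens in force (from a CSP `sandbox`
// response header or an <iframe sandbox="..."> attribute), or null when the
// document is not sandboxed. A sandboxed document keeps its real origin only
// when `allow-same-origin` is among the tokens; otherwise its origin is opaque
// and `self.origin` reports the string "null". `location` is untouched by
// sandboxing and still shows the hosting site's URL.
function makeDocument(url, sandboxFlags = null) {
  const u = new URL(url);
  const opaque = sandboxFlags !== null && !sandboxFlags.has("allow-same-origin");
  return {
    location: { href: u.href, hostname: u.hostname },
    origin: opaque ? "null" : u.origin, // stands in for self.origin
  };
}

// A manager that matches saved credentials by the URL's hostname (assumed
// weak design for illustration, not any named product). Because location is
// unaffected by sandboxing, it fills a form inside untrusted sandboxed
// content as long as that content is served from a site in the vault.
function naiveAutofill(doc, store) {
  for (const [origin, cred] of store) {
    if (new URL(origin).hostname === doc.location.hostname) return cred;
  }
  return null;
}

// The check the advisory describes: refuse whenever self.origin is "null",
// and otherwise fill only for an origin that is actually in the vault.
function hardenedAutofill(doc, store) {
  if (doc.origin === "null") return null; // opaque origin: sandboxed/untrusted content
  return store.get(doc.origin) ?? null;
}

// The situations from the advisory, plus a same-origin sandbox and a foreign site.
const cases = {
  normalLogin: makeDocument("https://example.com/login"),
  sandboxedContent: makeDocument("https://example.com/user-content/form.html",
                                 new Set(["allow-scripts", "allow-forms"])),
  sandboxedSameOrigin: makeDocument("https://example.com/widget",
                                    new Set(["allow-same-origin", "allow-scripts"])),
  otherSite: makeDocument("https://attacker.example/login"),
};

for (const [name, doc] of Object.entries(cases)) {
  console.log(name.padEnd(20), "self.origin =", doc.origin.padEnd(20),
              "naive:", naiveAutofill(doc, vault) ? "fills" : "blocks",
              " hardened:", hardenedAutofill(doc, vault) ? "fills" : "blocks");
}
```

The point of the `sandboxedContent` case is that both managers see the same hostname, `example.com`, yet only the hardened one notices that the document’s origin is opaque and declines to fill. The `sandboxedSameOrigin` case shows that the check is not simply "never fill in an iframe": a sandbox that grants `allow-same-origin` keeps its real origin, and filling there is consistent with the advisory.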
Real-world Implications
In response to inquiries from The Daily Swig, Bitwarden confirmed that the issue has been fixed in a recent update. Dashlane said it has also refined its auto-fill behaviour, while maintaining that it does not regard the original finding as a significant problem.
According to Dashlane, “We never submit or suggest credentials for a domain that has not been saved by the user before—hence we do not see a clear attack vector leading to credential theft in that scenario.”
Dashlane added that Google’s findings have helped it improve how it communicates its auto-fill behaviour to customers.
Dashlane has publicly expressed a willingness to collaborate with security researchers to identify and address potential threats and vulnerabilities to ensure the highest security standards for users.
Google has not yet provided a response to a request from The Daily Swig regarding Dashlane’s statements related to their research findings.
This article was updated on 23 January to include a revised statement from Dashlane about Google’s disclosures.
Based on an article from portswigger.net: https://portswigger.net/daily-swig/popular-password-managers-auto-filled-credentials-on-untrusted-websites