
I use Bitwarden too, and I self-host it so that vector of attack becomes much smaller. But while Bitwarden doesn't add elements to the page, it does alter existing page elements by auto-filling your credentials. If I understand it correctly, the gist of the article is the ability to spoof the fields that receive those credentials.

Copying out of Bitwarden and pasting into the visible fields would get around that instead of using its auto-fill.



Auto-fill is disabled by default and you should not turn it on.


The problem currently is that from a UI POV, using the icon to complete is a bit annoying. It would probably be better if a floating complete icon were added to the fields when a site is recognized. And that should solve the problem, no?


No, because adding the floating icon requires injecting code on the page to create the icon. So then the page has a way to interfere with your password manager's UI. That is the problem with the content script approach.

Although if the browser provided a specific mechanism for extensions to create floating icons that couldn't be altered by the page (and you make sure to account for hidden fields and other clickjacking techniques), then that might work.
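
As an added illustration of the point above (this is example code written for this page, not from the commenter, from the linked article, or from Bitwarden): a naive content-script autofill that fills every password field it finds, next to a hardened version that only fills fields the user can actually see. The "page" is a constructed stand-in for the DOM so the file runs offline under Node; the field names, the sample layout, the viewport size and the 0.1 opacity threshold are all assumptions. In a browser you would pass real elements, `window.getComputedStyle` and `el => el.getBoundingClientRect()` through the same adapters.

```javascript
// Added example, not code from the thread or from any password manager.
// Constructed sample page: one visible login form plus three decoy
// password fields a hostile page might add to catch an autofilled secret.
const VIEWPORT = { width: 1280, height: 800 }; // assumed viewport

function field(name, type, style, rect) {
  return { name, type, value: "", style, rect };
}

// Fresh copy on every call so repeated runs do not see earlier fills.
function sampleFields() {
  const shown = { display: "block", visibility: "visible", opacity: "1" };
  return [
    field("username", "text", shown, { x: 400, y: 200, width: 240, height: 32 }),
    field("password", "password", shown, { x: 400, y: 250, width: 240, height: 32 }),
    // decoy 1: display:none, never rendered at all
    field("pw_hidden", "password",
      { display: "none", visibility: "visible", opacity: "1" },
      { x: 0, y: 0, width: 0, height: 0 }),
    // decoy 2: rendered, but pushed far off-screen
    field("pw_offscreen", "password", shown,
      { x: -9999, y: 250, width: 240, height: 32 }),
    // decoy 3: in place but fully transparent
    field("pw_transparent", "password",
      { display: "block", visibility: "visible", opacity: "0" },
      { x: 400, y: 300, width: 240, height: 32 }),
  ];
}

// Adapters: the constructed objects carry their own style and box. In a
// browser swap these for window.getComputedStyle and
// (el) => el.getBoundingClientRect().
const getStyle = (el) => el.style;
const getRect = (el) => el.rect;

// Hardened check: a field is fillable only if it is rendered, not
// transparent, has a non-zero box, and that box overlaps the viewport.
// These are heuristics, not a complete defence: a page can still stack an
// opaque element on top, use clip-path, or move the field after the fill.
function isVisible(el, style = getStyle, rect = getRect, viewport = VIEWPORT) {
  const s = style(el);
  if (s.display === "none" || s.visibility === "hidden") return false;
  if (parseFloat(s.opacity) < 0.1) return false; // assumed threshold
  const r = rect(el);
  if (r.width <= 0 || r.height <= 0) return false;
  if (r.x + r.width <= 0 || r.y + r.height <= 0) return false;
  if (r.x >= viewport.width || r.y >= viewport.height) return false;
  return true;
}

// Naive autofill: fills every username/password field on the page.
// On the sample page this hands the password to all three decoys too.
function naiveAutofill(fields, creds) {
  const filled = [];
  for (const f of fields) {
    if (f.type === "password") { f.value = creds.password; filled.push(f.name); }
    else if (f.type === "text") { f.value = creds.username; filled.push(f.name); }
  }
  return filled;
}

// Hardened autofill: skips anything the user could not see and fills at
// most one username and one password field.
function hardenedAutofill(fields, creds, opts = {}) {
  const filled = [];
  let userDone = false;
  let passDone = false;
  for (const f of fields) {
    if (!isVisible(f, opts.style, opts.rect, opts.viewport)) continue;
    if (f.type === "password" && !passDone) {
      f.value = creds.password; filled.push(f.name); passDone = true;
    } else if (f.type === "text" && !userDone) {
      f.value = creds.username; filled.push(f.name); userDone = true;
    }
  }
  return filled;
}

// Usage: compare which fields each strategy writes the secret into.
const creds = { username: "alice", password: "hunter2" }; // constructed
console.log("naive:   ", naiveAutofill(sampleFields(), creds));
console.log("hardened:", hardenedAutofill(sampleFields(), creds));
```

The visibility check is the part a content script has to get right and can never fully get right from inside the page, which is why the comment above leans toward a browser-provided, page-proof affordance; the later replies' context-menu and keyboard-shortcut approaches sidestep the problem by letting the user pick the target field explicitly.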


Bitwarden has a right-click context menu, which allows you to fill, or copy, the username/password. This is easier than the icon, and it doesn't require enabling the autofill feature.


This seems like the best way to ensure that you are filling out the field you think you are. Good call.


You can also just use the ^⇧L shortcut.


Nice! I'll start using this.



