Comment by gruez
2 months ago
Most windows apps aren't sandboxed, so them being able to grab window titles is the least of your worries. Any program can steal your login sessions and passwords if they wanted to.
2 months ago
Most windows apps aren't sandboxed, so them being able to grab window titles is the least of your worries. Any program can steal your login sessions and passwords if they wanted to.
Are you essentially discussing like a keylogger? I can't imagine windows intentionally keeps the plaintext password anywhere longer than it needs to be.
That, but consider also how an application running with your user privileges has full access to the filesystem with those privileges, so it can read your entire home directory, for example. That includes your browser profile with all cookies, and all credentials that applications store there unencrypted. Not to mention how that allows for all the fingerprinting even the most nefarious marketer could wish for.
Oh, and the UAC confirmations to elevate your apps permissions to root? People will gleefully confirm them without reading what needs access anyway, so you’re golden to do whatever you want.
The security model of Windows doesn’t exist.
> I can't imagine windows intentionally keeps the plaintext password anywhere longer than it needs to be.
Can’t tell if serious or not [1]. Also any program can read any saved password out of Windows Credential Manager.
https://en.wikipedia.org/wiki/Mimikatz
Obviously there's no way for a malicious program to grab your login credentials that you've entered into an incognito tab that have been closed. There might not be sandboxing, but viruses can't timetravel yet. However that's not going to be much of a defense when many users use password managers, and are terrible at detecting malware (so it's only a matter of time before their passwords are keylogged).
> viruses can't timetravel yet
_Windows Recall to the rescue!_
ita disconcerting to see such naivety around security issues on hn.
not that windows is keeping passwords in plaintext, but that it's not immediately obvious that un-sandboxed apps that run on your windows/linux/mac desktop have virtually unlimited other avenues to capture passwords given they can read the entire state of other windows at the very least.
I dunno maybe macos is slightly better, and wayland definitely has some things which are better about this, but desktop os and $locally_installed_app means $locally_installed_app basically has root, there is just an exploding amount of vectors.
I'd like to see a linux based distrubution use some of the sandboxing in Android, it would be a order of magnitude improvement over what is going on now.
So like a keylogger. Thanks
Actually windows can keep them in memory for a lot longer than you'd think, hence Mimikatz https://github.com/ParrotSec/mimikatz