← Back to context

Comment by embedding-shape

2 days ago

Even if autofill breaks, the moment it does, if you're security aware, is to actually read the URL you're at, not start copy-pasting like it's the wild west.

> autofilling passwords can also make people _more_ susceptible to phishing

No, it doesn't. What it does, is generally make people _less_ susceptible to phishing, but the moment you stop paying attention when autofill breaks, is the moment you can STILL get phished. But in 90% of the cases, the autofill will HELP you avoid getting phished.

What an absolutely bananas thing to say, that autofilling passwords make people more susceptible to phishing, completely wrong and borderline harmful to spread things like this.

3 comments

embedding-shape

Reply
esseph  2 days ago

It can also not "break", autofill your credentials, and in submission the data ends up going to the attacker (see my other comment on DOM-based clickjacking)

  • embedding-shape  2 days ago

    This?

    > The new technique detailed by Tóth essentially involves using a malicious script to manipulate UI elements in a web page that browser extensions inject into the DOM -- for example, auto-fill prompts, by making them invisible by setting their opacity to zero

    The website is compromised, all bets are off at that point. Of course a password manager, regardless of how good it is, won't defeat the website itself being hacked before you enter your credentials.

    That's not a "hijack of autofill", it's a "attacker can put whatever they want in the frontend", and nothing will protect users against that.

    And even if that is an potential issue, using it as an argument why someone shouldn't use a password manager, feels like completely missing the larger picture here.

    • esseph  2 days ago

      I never said someone should not use a password manager.

      I'm pointing out that password manager autofill can be used in an attack without the person's knowledge.

      The site itself does not have to be compromised btw, this could come through the device itself being compromised or a poisoned popup on a website without referrer checks. There are probably quite a few ways I haven't considered to be able to get this to work.