Comment by esseph
1 day ago
It can also not "break", autofill your credentials, and in submission the data ends up going to the attacker (see my other comment on DOM-based clickjacking)
1 day ago
It can also not "break", autofill your credentials, and in submission the data ends up going to the attacker (see my other comment on DOM-based clickjacking)
This?
> The new technique detailed by Tóth essentially involves using a malicious script to manipulate UI elements in a web page that browser extensions inject into the DOM -- for example, auto-fill prompts, by making them invisible by setting their opacity to zero
The website is compromised, all bets are off at that point. Of course a password manager, regardless of how good it is, won't defeat the website itself being hacked before you enter your credentials.
That's not a "hijack of autofill", it's a "attacker can put whatever they want in the frontend", and nothing will protect users against that.
And even if that is an potential issue, using it as an argument why someone shouldn't use a password manager, feels like completely missing the larger picture here.
I never said someone should not use a password manager.
I'm pointing out that password manager autofill can be used in an attack without the person's knowledge.
The site itself does not have to be compromised btw, this could come through the device itself being compromised or a poisoned popup on a website without referrer checks. There are probably quite a few ways I haven't considered to be able to get this to work.