Comment by flossly

1 day ago

Never used the CLI, but I do use their browser plugin. Would be quite a mess if that got compromised. What can I do to prevent it? Run old --tried and tested-- versions?

Quite bizarre to think how much of my well-being depends on those secrets staying secret.

Integration points increase the risk of compromise. For that reason, I never use the desktop browser extensions for my password manager. When password managers were starting to become popular there was one that had security issues with the browser integration so I decided to just avoid those entirely. On iOS, I'm more comfortable with the integration so I use it, but I'm wary of it.

  • The problem is that the UX with a browser extension is so much better.

    • I also find it far easier to resist accidentally entering credentials in a phishing site... I'm pretty good about checking, but it's something I tend to point out to family and friends to triple check if it doesn't auto suggest the right site.

    • Important, IMO, is the extra phishing protection: the UX is really nice if and only if the URL matches what's expected. If you end up on a fake URL somehow, it's a nice speed bump that it doesn't let you auto-fill, to make you think, hold on, something is wrong here.

      If you're used to the clunkier workflow of copy-pasting from a separate app, then it's much easier to absent-mindedly repeat it for a not-quite-right url.

    • The 1Password mobile and desktop apps have such a nice UX that I’m happy copy pasting from and into it instead of having any of the browser extensions enabled.

      I have 1Password configured to require password to unlock once per 24 hours. Rest of the time I have it running in the background or unlock it with TouchID (on the MacBook Pro) or FaceID (on the iPhone).

      It also helps that I don’t really sign into a ton of services all the time. Mostly I log into HN, and GitHub, and a couple of others. A lot of my usage of 1Password is also centered around other kinds of passwords, like passwords that I use to protect some SSH keys, and passwords for the disk encryption of external hard drives, etc.

    • > The problem is that the UX with a browser extension is so much better.

      It's better, but calling it so much better [that it's unreasonable to forgo the browser extension] is a bit silly to me.

      1. Go to website login page

      2. trigger the global shortcut that will invoke your password manager

      3. Your password manager will appear with the correct entry usually preselected, if not type 3 letters of the site's name.

      4. Press enter to perform the auto type sequence.

      There, an entire class of exploits entirely avoided. No more injecting third-party JS in all pages. No more keeping a listening socket in your password manager, ready to give away all your secrets.

      The tradeoff? You now have to manually press ctrl+shift+space or whatever instead when you need to log in.

  • On iOS I feel I have less control over what's running than on Linux (don't get me started on Windows or Android). So that's the order of how I dare to use it. But a supply chain attack: I'll always use a distributed program; the only thing I can do is use only old versions, and trusted distribution channels.

  • In theory the browser integration shouldn’t leak anything beyond the credentials being used, even if compromised.

    When you use autofill, the native application will prompt to disclose credentials to the extension. At that point, only those credentials go over the wire. Others remain inaccessible to the extension.

We need cooldowns everywhere, by default. Development package managers, OS package managers, browser extensions. Even auto-updates in standalone apps should implement it. Give companies like Socket time to detect malicious updates. They're good at it, but it's pointless if everyone keeps downloading packages just minutes after they're published.

  • Exactly this. For anyone who wants to do it for various package managers:

      # ~/.npmrc (npm 11.10+)
      min-release-age=7

      # ~/Library/Preferences/pnpm/rc (minutes)
      minimum-release-age=10080

      # ~/.bunfig.toml (seconds)
      [install]
      minimumReleaseAge = 604800

    This would have protected the 334 people who downloaded @bitwarden/cli 2026.4.0 ~19h ago (according to https://www.npmjs.com/package/@bitwarden/cli?activeTab=versi...). Same for axios last month (removed in ~3h). Doesn't help with event-stream-style long-dormant attacks but those are rarer.

    (plug: released a small CLI to auto-configure these — https://depsguard.com — I tried to find something that will help non developers quickly apply recommended settings, and couldn't find one)
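The cooldown the comment above configures can be checked by hand against a package's registry metadata. The following is an added example, not code from the thread, from npm/pnpm/bun or from the linked tools; the `time` map and the "now" timestamp are constructed, shaped like the `time` field the npm registry returns for a package.

```javascript
// Added example, not code from the thread, from npm/pnpm/bun or from the
// linked tools. Given the `time` map of an npm registry document, pick the
// newest release that has already sat in the registry for at least
// `minAgeDays` days, i.e. the version an install-time cooldown would allow.

// Constructed sample shaped like the `time` field of
// GET https://registry.npmjs.org/<package>; all dates are made up.
const SAMPLE_TIME = {
  created: "2025-01-10T12:00:00.000Z",
  modified: "2026-04-20T09:00:00.000Z",
  "2026.1.0": "2026-01-15T08:00:00.000Z",
  "2026.2.1": "2026-02-20T08:00:00.000Z",
  "2026.4.0": "2026-04-20T09:00:00.000Z", // ~19h before NOW below
};

// Parse "MAJOR.MINOR.PATCH"; anything else (registry metadata keys such as
// "created"/"modified", prerelease tags) yields null and is skipped.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Returns the highest version published at or before `now - minAgeDays`,
// or null when every version is still inside the cooldown window.
function pickCooledDownVersion(timeMap, minAgeDays, now = new Date()) {
  const cutoff = now.getTime() - minAgeDays * 24 * 60 * 60 * 1000;
  let best = null;
  for (const [version, published] of Object.entries(timeMap)) {
    const parsed = parseVersion(version);
    if (!parsed) continue;
    if (Date.parse(published) > cutoff) continue; // too fresh, skip it
    if (best === null || compareVersions(parsed, best.parsed) > 0) {
      best = { version, parsed };
    }
  }
  return best ? best.version : null;
}

// Pretend "now" is 19 hours after the newest release landed.
const NOW = new Date("2026-04-21T04:00:00.000Z");
console.log(pickCooledDownVersion(SAMPLE_TIME, 7, NOW)); // → "2026.2.1"
console.log(pickCooledDownVersion(SAMPLE_TIME, 0, NOW)); // → "2026.4.0"
```

With a 7-day cooldown the version published 19 hours ago is skipped and the previous release is chosen; with no cooldown the fresh version goes straight in.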

  • I am not sure that works - imagine that the next shellshock had been found. Would you want to wait 7 days to update?

    We need to either screen everybody or cut off countries like North Korea and Iran from the Internet.

    • These vulnerabilities are all caught by scanners and the packages are taken down 2-3 hours after going live. Nothing needs to take 7 days, that's just a recommendation. But maybe all packages should be scanned, which apparently only takes a couple of hours, before going live to users?

    • Shellshock was in 2014 and Log4Shell was 2021. It's far more likely that you're going to get pwned by using a too-recent unreviewed malicious package than to be unknowingly missing a security update that keeps you vulnerable to easy RCEs. And if such a big RCE vuln happens again, you're likely to hear about it and you can whitelist the update.

> What can I do to prevent it?

My two most precious digital possessions - my email and my Bitwarden account - are protected by a Yubikey that's always on my person (and another in another geographical location). I highly recommend such a setup, and it's not that much effort (I just keep my Yubikey with my house keys)

I got a bit scared reading the title, but I'm doing all I can to be reasonably secure without devolving into paranoia.

  • If the software gets poisoned then your YubiKey will not save you.

    • I think they mean to secure your most valuable accounts with a hardware token rather than in a normal password manager, so they aren't at risk if your password manager has an issue.

Use the desktop or web vault directly, don't use the browser plugin.

  • How are they clearly less susceptible to a supply chain attack?

    Maybe the web vault, but then we do not know when it's compromised (that's the whole idea); so we trust them not to've made a mess...

How to prevent it?

tl;dr

- https://cooldowns.dev

- https://depsguard.com

(disclaimer: I maintain the 2nd one; if I had known of the first, I wouldn't have released it, I just didn't find anything at that time. They do pretty much the same thing; mine is a bit of overkill by using Rust...)

  • Do either of those work on browser extensions that I install as a user? I don't see anything relating to extensions in there.

You should use hunter2 as your password on all services.

That password cannot be cracked because it will always display as ** for anyone else.

My password is *****. See? It shows as asterisks so it's totally safe to share. Try it!

... Scnr •́ ‿ , •̀