undefined | Better HN

0 pointsoefrha5y ago0 comments

> https://blog.lastpass.com/2019/09/lastpass-bug-reported-reso...

That’s a clickjacking vulnerability. Gp post discussed why UI should be out-of-DOM.

> https://www.csis.dk/newsroom-blog-overview/2021/moserpass-su...

I’m not familiar with the password manager here, but that's a CDN compromise causing auto-update to download a malicious dll. Of course voluntarily installing malicious code is a game-over scenario unrelated to the discussion, and I’m not even sure there’s a browser extension involved here. What’s the point you’re trying to make?

0 comments

4 comments · 2 top-level

CyberRage5y ago· 2 in thread

The point is(just gave a couple of examples for issues in the past related to web based PM's) that extensions have tremendous attack surface and lots of complicated little things you have get perfectly right.

kbuck made it seem like there's just a single issue here that can be avoided. that's not true.

oefrhaOP5y ago

Program binary delivery CDN compromise is completely orthogonal to whether the password manager is "web based". Upon some cursory research, the compromised Passwordstate thing is an on-prem enterprise solution, the upgrade package compromised looks like an asp.net application meant to be placed on a server. I guess you can call it compromise of a web-based password manager... But you can compromise native programs the exact same way if you get ahold of the update CDN. Using it as an example is weird.

CyberRage5y ago

I see, definitely valid criticism. Cannot edit my comment now.

My point wasn't the specific incident that was linked but more about the fact that updates are a threat for extensions as they update automatically without user input

CyberRage5y ago

Just to prove my point that extensions have a wide attack surface.

authentication bugs:

https://blog.lastpass.com/2017/04/lastpass-2fa-bug-reported- resolved/

Information leaking bugs:

https://hackerone.com/reports/337189

server side bugs, rogue updates(all extension are auto-update by default), breaking security boundaries and more.

j / k navigate · click thread line to collapse