undefined | Better HN

0 pointsesseph4mo ago0 comments

It can also not "break", autofill your credentials, and in submission the data ends up going to the attacker (see my other comment on DOM-based clickjacking)

0 comments

embedding-shape4mo ago

This?

> The new technique detailed by Tóth essentially involves using a malicious script to manipulate UI elements in a web page that browser extensions inject into the DOM -- for example, auto-fill prompts, by making them invisible by setting their opacity to zero

The website is compromised, all bets are off at that point. Of course a password manager, regardless of how good it is, won't defeat the website itself being hacked before you enter your credentials.

That's not a "hijack of autofill", it's a "attacker can put whatever they want in the frontend", and nothing will protect users against that.

And even if that is an potential issue, using it as an argument why someone shouldn't use a password manager, feels like completely missing the larger picture here.

essephOP4mo ago

I never said someone should not use a password manager.

I'm pointing out that password manager autofill can be used in an attack without the person's knowledge.

The site itself does not have to be compromised btw, this could come through the device itself being compromised or a poisoned popup on a website without referrer checks. There are probably quite a few ways I haven't considered to be able to get this to work.

j / k navigate · click thread line to collapse