Just to make it very clear from the start: you should use a password manager. They are not always foolproof, and this blog post will try to discuss some of their flaws, but they are way better than not having one.

This blog post will not cover any technical vulnerability that someone has assigned a CVE. Instead, it is more of a design discussion and some food for thought. With that said, 'real' vulnerabilities have been found while writing this, and chances are someone might find some on their own while reading this.

Autofill, a requirement for most issues

A lot of password managers have an Autofill feature enabled by default, which is a requirement for most of the problems that follow. Some even have Autosubmit, meaning the password manager will even submit the form so the user never has to see it. Some have it enabled by default, and those that do not likely have it as an option in Settings.

Subdomains

As a general rule, password managers do not seem to discriminate whether it is a subdomain or not. If it is going to autofill your password on it will do so on or bob. as well.

There are websites out there where you can put user-generated content on a subdomain. This is convenient, but potentially leads to a few security issues. One example is when user-uploaded files end up at. Another common example is blog platforms where each user has their own subdomain, such as. If anyone can register a blog and edit their HTML theme, they could put up a form harvesting passwords intended for /dashboard.

How password managers have protected against this varies greatly. Some disable autofill for subdomains that have never been autofilled before, others use a blacklist of paths/domains that should not be autofilled (this approach obviously does not take every site into consideration), but several do nothing to prevent it.

This attack vector becomes increasingly important as password managers grow in usage, especially if you are building a service that targets people within the tech industry. In most solutions it is possible to disable either subdomains or Autofill in general on a case-by-case basis. Something like this might be worth recommending if you believe a great part of your audience uses one.
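The three matching rules described above (fill on any subdomain, fill only on subdomains seen before, and a blacklist of hosts/paths) can be modelled as a small decision function. The following is an added example written for this post, not code from any password manager; the policy names, the `shouldAutofill` helper, the hostnames and the vault entry are all constructed for the illustration. It shows why a credential saved for the main site ends up filled into a form on a user-controlled subdomain under the permissive rule, and which of the stricter rules stop that.

```javascript
// Added example (not from the original post): a minimal model of the rule a
// password manager applies before autofilling a saved credential on a page.
// All names (policies, helper functions, hostnames) are assumptions made for
// this illustration.

// Naive eTLD+1: the last two labels of the hostname. Real password managers
// consult the Public Suffix List; this shortcut is an assumption of the
// example and is wrong for suffixes such as co.uk.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  return labels.slice(-2).join(".");
}

// Decide whether a vault entry `saved` may be filled on `page`.
//   saved:  { host: "example.com" }
//   page:   { scheme: "https", host: "bob.example.com", path: "/" }
//   policy: "exact-host" | "registrable-domain" | "seen-hosts"
//   ctx:    { seenHosts: Set of hosts the user has filled on before,
//             denylist: host/path prefixes that must never be filled }
function shouldAutofill(saved, page, policy, ctx = { seenHosts: new Set(), denylist: [] }) {
  // Never fill over plaintext HTTP, regardless of policy.
  if (page.scheme !== "https") return false;

  // Blacklist of host/path prefixes (the post notes this cannot cover every site).
  const pagePrefix = page.host.toLowerCase() + page.path;
  if (ctx.denylist.some((d) => pagePrefix.startsWith(d.toLowerCase()))) return false;

  const sameHost = page.host.toLowerCase() === saved.host.toLowerCase();
  const sameSite = registrableDomain(page.host) === registrableDomain(saved.host);

  switch (policy) {
    case "exact-host":
      // Strictest: only the host the credential was saved for.
      return sameHost;
    case "registrable-domain":
      // The permissive default the post describes: any subdomain qualifies.
      return sameSite;
    case "seen-hosts":
      // Subdomains only if the user has filled on that exact host before.
      return sameSite && (sameHost || ctx.seenHosts.has(page.host.toLowerCase()));
    default:
      throw new Error("unknown policy: " + policy);
  }
}

// Run the three policies against the scenario from the post: a credential
// saved for the main site, a legitimate /dashboard page on that site, and a
// form on a subdomain whose content any registered user can edit.
function evaluateScenario() {
  const saved = { host: "example.com" }; // constructed vault entry
  const dashboard = { scheme: "https", host: "example.com", path: "/dashboard" };
  const userBlog = { scheme: "https", host: "bob.example.com", path: "/" }; // user-controlled content
  const ctx = { seenHosts: new Set(["example.com"]), denylist: [] };
  const results = {};
  for (const policy of ["exact-host", "registrable-domain", "seen-hosts"]) {
    results[policy] = {
      dashboard: shouldAutofill(saved, dashboard, policy, ctx),
      userBlog: shouldAutofill(saved, userBlog, policy, ctx),
    };
  }
  return results;
}

console.log(evaluateScenario());
```

Under `registrable-domain` both pages get the credential; under `exact-host` and `seen-hosts` only `/dashboard` on the saved host does. A site that hosts user content on subdomains can also ask its users to add the user-content host to the denylist, which blocks the fill even under the permissive policy, but as the post points out that only helps for sites someone has thought to list.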