

Dashlane, Bitwarden, and Safari all cited by Google researchers

UPDATED Security shortcomings mean that multiple password managers could be tricked into auto-filling credentials on untrusted pages, security researchers at Google warn.

The team from Google went public with their findings on Tuesday (17 January), 90 days after notifying the applications – Dashlane, Bitwarden, and the built-in password manager bundled with Apple’s Safari browser – of the vulnerabilities.

Both Dashlane and Bitwarden have updated their software, although Dashlane, at least, remains unconvinced that the bug represents any kind of security threat.

The security shortcomings outlined by Google mean that the vulnerable password managers auto-fill credentials into untrusted pages without first requiring users to enter their master password.

An advisory from Google explains that the issue arises in two scenarios: where web pages have a CSP (Content Security Policy) sandbox response header, or where forms are inside a sandboxed iframe.

Auto-filling by password managers should not happen in either scenario, but the affected applications all fail in this regard when encountering sandboxed content.

“Password managers should check whether content is sandboxed before auto-filling credentials. This can be done in many ways, but one way is to check self.origin of a page and refuse to fill in credentials if self.origin is ‘null’,” according to the Google advisory.

Other password managers (including LastPass, 1Password, and Google Chrome’s password vault technology) avoid this mistake, said Google.

In response to a query from The Daily Swig, Bitwarden confirmed that the issue had been resolved through a recent pull request.

The status of any fix for Apple’s Safari built-in password manager remains unconfirmed at the time of writing.

The Daily Swig has asked Apple to comment and we’ll update this story as and when more information comes to hand.
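The check the Google advisory describes, written out as an added example; it is not code from Bitwarden, Dashlane, Apple or Google. It assumes the password manager's content script runs inside the frame that holds the login form and can read `self.origin` there; the origin values in the sample cases are constructed. A document served with a CSP `sandbox` header, or loaded in a sandboxed iframe without `allow-same-origin`, has an opaque origin, which JavaScript exposes as the literal string "null".

```javascript
// Added example (not any vendor's code): an auto-fill gate that refuses to
// fill credentials into sandboxed content, as the Google advisory recommends.
// Assumes it runs as a content script in the frame containing the form.

// True for the serialisation of an opaque origin (sandboxed content), or for a
// missing value, which is treated as untrusted rather than guessed at.
function isOpaqueOrigin(origin) {
  return origin === undefined || origin === null || origin === "null";
}

// Decide whether a stored credential may be auto-filled into the current frame.
// `frameOrigin` is the value the content script read from `self.origin`;
// `credentialOrigin` is the origin the credential was saved for.
// Returns { allow, reason } so the caller can log why a fill was refused.
function decideAutofill({ frameOrigin, credentialOrigin }) {
  // Scenario from the advisory: CSP sandbox header or sandboxed iframe.
  if (isOpaqueOrigin(frameOrigin)) {
    return { allow: false, reason: "sandboxed-or-opaque-origin" };
  }
  let frame;
  let cred;
  try {
    frame = new URL(frameOrigin);
    cred = new URL(credentialOrigin);
  } catch (_err) {
    return { allow: false, reason: "unparseable-origin" };
  }
  if (frame.protocol !== "https:") {
    return { allow: false, reason: "insecure-scheme" };
  }
  // Compare the full origin (scheme + host + port), not just the hostname.
  if (frame.origin !== cred.origin) {
    return { allow: false, reason: "origin-mismatch" };
  }
  return { allow: true, reason: "same-origin" };
}

// In a browser this reads the live value; outside one (e.g. under Node) it
// returns undefined, which the gate treats the same as an opaque origin.
function currentFrameOrigin() {
  return typeof self !== "undefined" ? self.origin : undefined;
}

// Constructed sample cases; the first mirrors the two sandboxed scenarios.
const SAMPLE_CASES = [
  { frameOrigin: "null", credentialOrigin: "https://vault.example" },
  { frameOrigin: "https://vault.example", credentialOrigin: "https://vault.example" },
  { frameOrigin: "https://evil.example", credentialOrigin: "https://vault.example" },
  { frameOrigin: "http://vault.example", credentialOrigin: "https://vault.example" },
];

// Run every sample case and return the decisions alongside the inputs.
function runSamples() {
  return SAMPLE_CASES.map((c) => ({ ...c, ...decideAutofill(c) }));
}

for (const r of runSamples()) {
  console.log(`${r.frameOrigin} -> allow=${r.allow} (${r.reason})`);
}
```

Only the second sample case is allowed; the sandboxed frame is refused before any URL parsing happens, which is the property the advisory asks for. A real extension would call `decideAutofill({ frameOrigin: currentFrameOrigin(), credentialOrigin })` before touching any form field.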
