• towerful@programming.dev
9 months ago

If someone was able to spoof an HTTPS domain that wasn't flagged by a modern browser, then that entire company has been breached, because the attacker has access to their certificate or supply chain.

Or the attacker has loaded their own CA certs into your browser/OS, so it automatically trusts these self-signed certs. In addition, they would also need to intercept DNS requests to substitute their own malicious IP address, or NAT-redirect the real IP to their malicious IP. Both of which mean your computer has been compromised, and your network/ISP has been compromised.

Or a trusted CA private key has been cracked, and the attackers can intercept DNS or NAT-redirect. In which case a huge chunk of the internet is probably fucked until OS/browsers can push an emergency revocation update.

Maybe the website has an XSS vulnerability or similar. I'm always surprised to read about those still happening in 2024, but I guess it still happens.

The article linked still needs the above, or a super untrustworthy website that you are entering details into which is trying to extract these details from you.
Considering that article was 7 years ago, and considering Bitwarden's reputation, I imagine they have mitigated the possibility of autofilling inputs that are not actually visible on the screen.

Luckily, they have also thought of possible further vulnerabilities like this.
The autofill is disabled by default.
It reads like it only autofills associated credentials when you select a credential (so it won't also fill in addresses and stuff if you select a login identity, unless you specifically select an address identity to autofill with).
And it has an option to autofill when you focus into a form element, or only if you click the injected Bitwarden icon on a form element.

I imagine it's safer to not use such conveniences. But security is always a balance against convenience. Luckily, it won't impact unsuspecting users. And I trust Bitwarden to have done this sensibly, so I'm going to try it for a while.
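The comment above speculates that a password manager should refuse to autofill inputs that are not actually visible on screen. As an added illustration (not Bitwarden's code, and not from the linked article), here is a conservative visibility gate a manager could apply before filling a field. It operates on a plain snapshot of the element so it runs outside a browser; the snapshot shape, the `viewport` field and the sample fields are assumptions constructed for this example, and in a real extension the snapshot would be built from `getComputedStyle()` and `getBoundingClientRect()`.

```javascript
// Snapshot shape assumed for this example:
// { type, style: { display, visibility, opacity },
//   rect: { x, y, width, height }, viewport: { width, height }, ariaHidden }

// CSS-level checks: a field that is not rendered at all must never be filled.
function isRenderable(field) {
  const s = field.style;
  if (s.display === 'none' || s.visibility === 'hidden') return false;
  if (Number(s.opacity) === 0) return false; // fully transparent
  return true;
}

// Geometry checks: a field collapsed to zero size or pushed off the viewport
// is invisible to the user even though it is "rendered".
function isOnScreen(field) {
  const r = field.rect, v = field.viewport;
  if (r.width < 1 || r.height < 1) return false;                  // zero-sized
  if (r.x + r.width <= 0 || r.y + r.height <= 0) return false;    // off top/left
  if (r.x >= v.width || r.y >= v.height) return false;            // off right/bottom
  return true;
}

// Returns a reason string when the field should NOT be autofilled, else null.
function autofillBlockReason(field) {
  if (field.type === 'hidden') return 'input type=hidden';
  if (field.ariaHidden) return 'aria-hidden';
  if (!isRenderable(field)) return 'not rendered';
  if (!isOnScreen(field)) return 'outside viewport';
  return null;
}

// Constructed sample snapshots: one ordinary visible login field and three
// fields a user would never see on the page.
const VIEWPORT = { width: 1280, height: 720 };
const vis = { display: 'block', visibility: 'visible', opacity: '1' };
const SAMPLE_FIELDS = {
  visible:     { type: 'password', style: vis, rect: { x: 300, y: 200, width: 240, height: 32 }, viewport: VIEWPORT, ariaHidden: false },
  displayNone: { type: 'text', style: { ...vis, display: 'none' }, rect: { x: 0, y: 0, width: 0, height: 0 }, viewport: VIEWPORT, ariaHidden: false },
  offscreen:   { type: 'text', style: vis, rect: { x: -9999, y: 100, width: 200, height: 30 }, viewport: VIEWPORT, ariaHidden: false },
  tiny:        { type: 'text', style: vis, rect: { x: 10, y: 10, width: 0, height: 0 }, viewport: VIEWPORT, ariaHidden: false },
};

// Evaluate every sample and map each name to its block reason (null = fillable).
function checkAll(fields) {
  const out = {};
  for (const [name, f] of Object.entries(fields)) out[name] = autofillBlockReason(f);
  return out;
}
```

Only the `visible` sample passes; the other three are refused with a reason the manager could log or surface in its UI.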