Hacker Newsnew | past | comments | ask | show | jobs | submitlogin
Major password managers can leak logins in clickjacking attacks (bleepingcomputer.com)
11 points by elric 6 months ago | hide | past | favorite | 2 comments


I'm confused about how this can actually do any damage when it comes to filling in passwords. If the password manager is suggesting to fill a password then it means you're on the site that password is valid for.


As I understand it from reading the article, the sites that are vulnerable are specifically vulnerable to XSS (cross-site scripting) attacks. In other words, there are attacks from someone not affiliated with the site, and are getting the site to display things and execute scripts that shouldn't be on the site. And, presumably, these scripts will be able to send the leaked password elsewhere.

For example, say a site asked for your name and then displayed it. If the site allowed you to say that your name was "<script>console.log('XSS');</script>", and it didn't use HTML entities to encode the problematic characters, then the script would actually run on the page.

A malicious site might be able to abuse that functionality. If they convince you to click on a specially crafted link or button that sends a request to the other site, the malicious site might be able to run a script in the context of the other site that you didn't intend for it to run. That would then be a successful XSS attack, and is the kind of attack that's being mentioned here.

In this case, the attack sounds like it would leak the password that your password manager might autofill.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: