Security of chrome login manager compromised
-
The demo was able to sniff out my Username and the password.
Vivaldi: 1.14.1047.3 (Official Build) (64-bit)
Win10 Home
-
Thanks for sharing.
Windows 10 (x64) | Anniversary Update
-
As posted in Opera's forums - Presto didn't do this. You had to click a button or press a keyboard shortcut to login. Note this is not the same as Autofill; if you had set your email address to be auto-filled for forms named "email" then it would be. Know what you're telling your browser to do for you...
-
@gwen-dragon
note well that this is a typical issue of the new browsers that Vivaldi departed from. In the name of "hassle-free" the click-cattle shouldn't be distracted by prompts when producing data for tracking.
So I do NOT think Vivaldi devs can just rely on whatever Chromium does. I think they have to see whether the solution lives up to Vivaldi's values. The remark of @sgunhouse goes exactly in that direction IMHO.
-
Actually Presto didn't require an extra click - one click would fill it in and submit it, while on current browsers you still have to click Submit.
-
Clean test on latest Snap and Stable.
Still happens!
-
@raed I wouldn't be so harsh, I'd say don't use poor password managers like the Vivaldi/Chrome/Firefox built-in ones. Good password managers are a must as they ensure unique complex passwords for the huge number of various services the average person uses. Humans simply suck at generating randomness and complexity and after 1 or 2 changes, they tend to use the same password everywhere.
-
I use Keepass and just allow few passwords on the browsers.
Innocuous services share passwords.
-
@MaxKarlErnst said in Security of chrome login manager compromised:
@Zalex108 said in Security of chrome login manager compromised:
I use Keepass
The best
Keeweb works nice too.
-
Vivaldi 3.7.2218.52 (Stable channel) (x86_64)
Still not fixed. Still insecure.
-
@Gwen-Dragon, same in Android?
-
@Gwen-Dragon
Disable autofill of logins as shown in https://forum.vivaldi.net/post/183636 and all is fine
Yeah, sure, thanks. I did this already. But shouldn't Vivaldi fix this anyway?
-
@pachacroute, of course, although apparently it is easy to fix it yourself in flags.
-
I agree.
Send the devs a bug report about a security issue. They can decide if they enable the flag in the next versions. Report to the bug tracker and leave the VB-xxxx number here, so I can confirm internally easier.
Done. Bug report VB-78890
-
@rigo said in Security of chrome login manager compromised:
Hi all,
Gunes Acar, Steven Englehardt, and Arvind Narayanan have discovered a vulnerability of the login managers. Vivaldi is just using the chrome manager and is vulnerable.
This is used for tracking at the moment. See the article on FTT:
https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-user-identities-web-trackers-exploit-browser-login-managers/
I did the test (with latest snapshot browser) and they were able to spot my test-email:
https://senglehardt.com/demo/no_boundaries/loginmanager/
It would be great to fix this in Vivaldi. I think what is needed is one more level of interaction before sending the autologin. This avoids the exploit by hidden forms.
I tried the test with the second page linked. The exploit worked with Vivaldi and Slimjet (both chromium browsers) but did not work with Brave (another chromium browser), Safari, Pale Moon or SeaMonkey.
-
@Streptococcus Turn autofill off in vivaldi and then try again.
-
@Streptococcus, do what @Priest72 says
-
@Catweazle same here with chrome://flags/#fill-on-account-select enabled it is fixed, like @Gwen-Dragon suggested 2 years ago. But it is still a vulnerability for passwords that have been hanging around for 2 years without being fixed in the mainstream code. Let's hope that for Floc they will follow their announcements more consequently. And no, Vivaldi users will click another time if this is needed to be safe. That's why they are using vivaldi, not chrome.