Security of chrome login manager compromised
-
@Gwen-Dragon , same in Android?
-
@Gwen-Dragon
Disable autofill of logins as shown in https://forum.vivaldi.net/post/183636 and all is fine
Yeah, sure, thanks. I did this already. But shouldn't Vivaldi fix this anyway ?
-
@pachacroute , of course, although apparently it is easy to fix it yourself in flags.
-
I agree.
Send the devs a bug report about a security issue. they can decide if they enable the flag next versions.Report to bug tracker and leave VB-xxxx number here, so i can confirm internally easier.
Done. Bug report VB-78890
-
@rigo said in Security of chrome login manager compromised:
Hi all,
Gunes Acar, Steven Englehardt, and Arvind Narayanan have discovered a vulnerability of the login managers. Vivaldi is just using the chrome manager and is vulnerable.
This is used for tracking at the moment. See the article on FTT:
https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-user-identities-web-trackers-exploit-browser-login-managers/
I did the test (with latest snapshot - browser and they were able to spot my test-email:
https://senglehardt.com/demo/no_boundaries/loginmanager/It would be great to fix this in Vivaldi. I think what is needed is one more level of interaction before sending the autologin. This avoids the exploit by hidden forms.
I tried the test with the second page linked. The exploit worked with Vivaldi and Slimjet (both chromium browsers) but did not work with Brave (another chromium browser), Safari, Pale Moon or SeaMonkey.
-
@Streptococcus Turn autofill off in vivaldi and then try again.
-
@Streptococcus ,do what @Priest72 says
-
@Catweazle same here with chrome://flags/#fill-on-account-select enabled it is fixed, like @Gwen-Dragon suggested 2 years ago. But it is still a vulnerability for passwords that have been hanging around for 2 years without being fixed in the mainstream code. Let's hope that for Floc they will follow their announcements more consequently. And no, Vivaldi users will click another time if this is needed to be safe. That's why they are using vivaldi, not chrome.
-
@rigo , for this same reason it is advisable to change passwords from time to time, especially after the problem is fixed.
-
@Catweazle I have a GPG crypted text file with over 100 passwords for all the things I do online. Because those wallets have failed so many times. And if one uses good passwords, no need to change them often unless you hit such a hidden vulernability. Studies have shown that if password change was enforced, people started to use systematic password creation algorithms that make the passwords much more vulnerable. Of course, I'm not using the same password for all sites.
-