@b33fpebble @jnbhlr @yassie_j personally, I think that tools like https://enpass.io work well in that they offer #AutoFill only on legitimate or rather known domains, so #Typosquatting-based #Phishing doesn't work.
Plus they don't do fully-automatic auto-filling but rather expect the user to choose the credentials in an overlay offered by the extension.
So it's not as if one can provoke logins just with an HTTP(S) request.
Even then #Enpass still demands that one enter a Password or PIN.
#Enpass #Phishing #typosquatting #autofill
@utopify_org The few times I used a third-party account to login to a site I ended up having some sort of special case account that would not allow me to migrate to a real account with a different email address at a later point in time. As I have everything neatly organized in a #passwordmanager and #autofill my information anyway I prefer real accounts and apart from the effort to create those accounts manually I feel like I don't benefit from such a login service.
@jorgecandeias The iOS app I use, @IceCubesApp, and the #windows11 standard one have #autofill (1 per week) on both #people and #hashtags. Then you pick the one with the highest utilization.
#hashtags #people #autofill #windows11
For your amusement:
The autofill suggests:
1) kafka-ish. WTF, nothing is kafka-ish. Yer frickin in a miserable soul crushing dystopia or you're not.
2) kafka-pot. Which sounds like:
a) something you try and cook your dinner in but gets immediately consumed by the global elite
OR
b) a strain of weed you need when your life gets too kafka-esque.
#kafka #weed #autofill #autocomplete
Welp!
Now what?!
Don’t use autofill on your password manager—especially if it’s Bitwarden https://www.pcworld.com/article/1656351/dont-use-autofill-on-your-password-manager-especially-if-its-bitwarden.html
#passwordmanager #autofill #bitwarden #infosec #technews
#Flashpoint noticed a #vulnerability with #Bitwarden browser extension in the way it interacts with embedded #iframes in webpages.
The vulnerability comes down to Bitwarden's #autofill behavior as well as the default #URI matching (set by default to base domain, i.e. top-level and second-level domain matches).
They identify two attack vectors:
1) An uncompromised website embeds an external iframe (not sandboxed) that is under an attacker’s control and the ‘Auto-fill on page load’ option is enabled.
2) An attacker hosts a specially crafted web page under a subdomain of e.g. a hosting provider, which has its login form under the same base domain.
Recommended actions:
1) Make sure "Auto-fill on page load" is disabled.
2) Set "Default URI match detection" to "Host" or "Exact".
https://www.flashpoint.io/blog/bitwarden-password-pilfering/
#flashpoint #vulnerability #bitwarden #iframes #autofill #uri
As people are discussing #AutoFill functionality of password managers, may I point you to this four-year-old article of mine?
https://palant.info/2018/08/29/password-managers-please-make-sure-autofill-is-secure/
As the last advice in the list, it says: “Ignore third-party frames.” Yes, I know that some (few) websites choose to be a PITA by using such frames for legitimate logins. So maybe one wants to consider combining that with a short allowlist. But autofilling in arbitrary third-party frames is just looking for trouble.
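To make the Flashpoint recommendations (Host/Exact instead of base-domain matching) and the "ignore third-party frames, maybe with an allowlist" advice concrete, here is a small model written for this thread; it is neither Bitwarden's code nor Palant's. PUBLIC_SUFFIXES, base_domain, uri_matches and should_offer_autofill are made-up names, and the suffix set is a constructed stand-in for the Public Suffix List in which the hosting provider's domain is deliberately absent.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (assumption: the real list is
# far larger). "hosting.example" is deliberately not listed, so every customer
# subdomain of that provider shares one base domain.
PUBLIC_SUFFIXES = {"com", "example", "uk", "co.uk"}


def base_domain(host: str) -> str:
    """Registrable domain: the public suffix plus one label in front of it."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def uri_matches(saved_uri: str, page_url: str, mode: str) -> bool:
    """Simplified model of the three match settings discussed in the thread."""
    s, p = urlsplit(saved_uri), urlsplit(page_url)
    if mode == "exact":
        return saved_uri == page_url
    if mode == "host":          # hostname and port must agree
        return (s.hostname, s.port) == (p.hostname, p.port)
    if mode == "base_domain":   # the risky default: any sibling subdomain matches
        return base_domain(s.hostname) == base_domain(p.hostname)
    raise ValueError(f"unknown match mode: {mode}")


def should_offer_autofill(top_url: str, frame_url: str, saved_uri: str,
                          mode: str, frame_allowlist=()) -> bool:
    """Offer credentials only to first-party (or allowlisted) frames, and only
    when the saved URI matches the frame that actually receives the fill,
    not merely the top-level page that embeds it."""
    top_host = urlsplit(top_url).hostname
    frame_host = urlsplit(frame_url).hostname
    third_party = base_domain(top_host) != base_domain(frame_host)
    if third_party and frame_host not in frame_allowlist:
        return False
    return uri_matches(saved_uri, frame_url, mode)


if __name__ == "__main__":
    # Vector 1: trusted page embeds a foreign frame; the frame gets nothing.
    print(should_offer_autofill("https://bank.example/login",
                                "https://third.example/form",
                                "https://bank.example", "base_domain"))
    # Vector 2: sibling subdomain of a hosting provider, base-domain vs host.
    for mode in ("base_domain", "host"):
        print(mode, uri_matches("https://login.hosting.example",
                                "https://someone.hosting.example/", mode))
```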
#Bitwarden flaw can let #hackers steal #passwords using #iframes
Bitwarden's credentials #autofill feature contains a risky behavior that could allow #malicious iframes embedded in trusted websites to steal people's credentials and send them to an attacker.
#passwordmanager #passwordmanagers #tech #technology #security #infosec #hack #hacking
#BitWarden #hackers #passwords #iframes #autofill #malicious #passwordmanager #passwordmanagers #tech #Technology #security #infosec #Hack #hacking
📬 Bitwarden security: autofill puts your passwords at risk
#ITSicherheit #Autofill #Bitwarden #BitwardenSicherheit #Flashpoint #GitHubPages #Iframe #Passwortmanager #Zugangsdaten https://tarnkappe.info/artikel/it-sicherheit/bitwarden-sicherheit-autofill-bringt-deine-passwoerter-in-gefahr-266749.html
#zugangsdaten #passwortmanager #iframe #githubpages #flashpoint #bitwardensicherheit #bitwarden #autofill #itsicherheit
We have all accidentally typed a #password into a username field and had it stored by the #autofill of Chrome etc. to become visible to e.g. another user of your machine / session. How can it be that one cannot set it so that stupid behaviour is not possible? Can I set a #whitelist of autofill text that is allowed and block all others? Or do I have to block autofill completely for ever? #2Fa
#password #autofill #whitelist #2fa
Computers have spoiled people. In particular, autofill.
Library management is having a big debate right now, regarding usernames. The primary complaint is that we have lots of people with the same first names, and autofill often fills in the wrong thing.
"So pay attention when you type, and don't rely on autofill". I say.
Trust me, how I said it in my head was way worse.
With the looks I got, you'd think I'd just strangled a puppy in the meeting.
#tech #autofill #userfriendly #computers
For some time now I have had the problem that in #firefox the #bitwarden extension no longer does #autofill. At first I thought it was only the case with http and that https would be okay. But it is completely unsystematic and I have no idea why.
Behind it is a vaultwarden on Docker….
Great Article about "The Autofill Dark Pattern":
https://www.smashingmagazine.com/2021/10/autofill-dark-pattern/
#ux #uxdesign #autofill #darkpattern #usability
Alright, time for a #introductionpost.
My name is Patrick. I work in #product at #google - more specifically on #privacy #security #trust #safety - you may have seen some of the products I get to work on with our globally distributed teams: #passwordmanager #autofill #payments #passkeys #fedcm .
I moved over to #Mastodon as many of you frustrated by its new, toxic leadership.
Outside of work, I'm a #dad of three, #climatewrangler as a local politician and councilman, #runner and #coffeeaddict
#introductionpost #product #google #privacy #security #trust #safety #passwordmanager #autofill #payments #passkeys #FedCM #mastodon #dad #climatewrangler #runner #coffeeaddict
Stealing passwords from infosec Mastodon - without bypassing CSP
#infosec #mastodon #garethheyes #vulnerability
#html #sourcecode #devtools #autofill #glitchfork
https://portswigger.net/research/stealing-passwords-from-infosec-mastodon-without-bypassing-csp
#glitchfork #autofill #devtools #sourcecode #html #vulnerability #GarethHeyes #Mastodon #infosec
Google tests biometric authentication for Android autofill - Google is testing out a feature to make Android's built-in password manager safer. more: https://nakedsecurity.sophos.com/2020/01/14/google-tests-biometric-authentication-for-android-autofill/ #operatingsystems #passwordsecurity #passwordmanager #badpasswords #biometrics #autofill #android #google #mobile
#mobile #google #android #autofill #biometrics #badpasswords #passwordmanager #passwordsecurity #operatingsystems