This is one way to guarantee you'll eventually fall for a phishing attack. Are we really running URL-unaware password managers in the year 2026?
There have been exploits for them in the past, it's a legitimate concern.
Deciding between the two setups is a tradeoff between one security issue and another.
Which is a legitimate concern since they are a gaping hole in security and isolation. Visiting websites should be treated like phone calls from the bank. If you get called/mailed you don't follow the information there but call back / visit the site yourself, e.g. from bookmarks, or copy the URL from the password manager.
Legitimately the only reason to use the built-in password managers is this tradeoff.
I work in a company where I have two okta accounts (because hey, why not) on two .okta.com subdomains.
Bitwarden _randomly_ messes up the two subdomains and most of the time (but not always, which seems strange actually) it fills the form with the wrong password. I don’t know why. I know that there is an option to make it stricter on domain matching but you can’t configure it on a per-item basis, only for the whole vault.
For the absolute majority of use cases, "host" should be the default, but I have found uses for both "base domain" and "regular expression" in some special cases.
Normal browser extension Bitwarden Ctrl-Shift-L autofill defaults to the most recently used entry when there are multiple matches, afaik.
I've used 1Password for years (Linux+Firefox though, FWIW), and this never happened to me or our family. I did discover though that the autofill basically went by hierarchy in the URI to figure out what to show, so if you specify "example.com" and you're on "login.example.com", you'll see everything matching "*example.com" which actually is to be expected. If you only want to see it on one subdomain, you need to specify it in the record/item.
That it ignored the subdomains fully sounds like it was a bug on your particular platform, because 1Password never did that for me, but I remember being slightly confused by the behavior initially, until I fixed my items.
Just take a look here for example: https://www.1password.community/discussions/1password/bug-su...
1Password then wrote:
> 1Password currently only suggests items based on the root domain. I can see the value of having 1Password suggest only exact matches based on their subdomain, especially for the use case you have described.
Or take a look here: https://www.1password.community/discussions/1password/sugges...
1Password then wrote:
> As it currently stands, 1Password only matches on the second level domain (i.e. sample.com in your example). While I can't promise anything, this is something we've heard frequently, so I'll share your thoughts with the team.
Now it is:
> You’ll see the item as a suggestion on any page that’s part of the website, including subdomains. The item may also be suggested on related websites known to belong to the same organization.
It's that second sentence which is the problem: they "suggested", by being "smart", items from one AWS domain which ought never to have been suggested on another, unrelated AWS domain.
In version 8.10 they added "Only fill on this exact host": https://support.1password.com/autofill-behavior/
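A small model of the three URI-match modes discussed above (host, base domain, regular expression) and of why root-domain matching mixes up two subdomains of the same service. This is an added illustration, not Bitwarden's or 1Password's code; the vault entries, hostnames and the tiny public-suffix list are constructed for the example.

```python
import re
from dataclasses import dataclass, replace
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List; a real manager needs the full list.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def naive_base_domain(host: str) -> str:
    """Last two labels only. Wrong for multi-label suffixes: www.example.co.uk -> co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def base_domain(host: str) -> str:
    """Registrable domain: the public suffix plus one label."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


@dataclass(frozen=True)
class VaultItem:
    name: str
    uri: str
    match: str = "base_domain"  # "host" | "base_domain" | "regex"


def item_matches(item: VaultItem, page_url: str) -> bool:
    """Decide whether a stored item should be offered on the page at page_url."""
    page_host = (urlsplit(page_url).hostname or "").lower()
    if item.match == "regex":
        # fullmatch anchors the pattern so a lookalike suffix cannot sneak past it.
        return re.fullmatch(item.uri, page_url) is not None
    item_host = (urlsplit(item.uri).hostname or item.uri).lower()
    if item.match == "host":
        return page_host == item_host
    if item.match == "base_domain":
        return base_domain(page_host) == base_domain(item_host)
    raise ValueError(f"unknown match mode {item.match!r}")


def candidates(vault: list[VaultItem], page_url: str) -> list[str]:
    """Names of all items the manager would suggest for this page."""
    return [item.name for item in vault if item_matches(item, page_url)]


def with_host_matching(vault: list[VaultItem]) -> list[VaultItem]:
    """The vault-wide 'exact host' setting: tighten every non-regex item."""
    return [i if i.match == "regex" else replace(i, match="host") for i in vault]


# Constructed vault: two accounts on two <tenant>.okta.com subdomains (the
# scenario from the thread), a bank under a multi-label suffix, and one regex item.
VAULT = [
    VaultItem("okta-work", "https://corp-a.okta.com"),
    VaultItem("okta-contractor", "https://corp-b.okta.com"),
    VaultItem("bank", "https://www.example.co.uk"),
    VaultItem("tool", r"https://tool\.example\.com/.*", match="regex"),
]

if __name__ == "__main__":
    url = "https://corp-a.okta.com/login"
    print("base_domain:", candidates(VAULT, url))                 # both okta items
    print("host:       ", candidates(with_host_matching(VAULT), url))  # only okta-work
    print("lookalike:  ", candidates(VAULT, "https://okta.com.evil.example/"))
```

Under "base domain" both Okta items are offered and the manager has to pick one (the wrong-password problem); under "host" only the matching tenant is offered, while a lookalike host still gets nothing either way.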
Input data to the clipboard
Access your data for sites in the dropboxapi.com domain
Access your data for www.google.com
Access your data for www.googleapis.com
Access your data for accounts.google.com
Access your data for graph.microsoft.com
Access your data for login.microsoftonline.com
Yep! And #2 (2FAS Auth): Display notifications to you
Access browser tabs
Access browser activity during navigation
Access your data for all websites
Even better, maybe at one point web browsers can get their sh* together and build a better permission system (and not just disable functions like manifest v3). For now the majority of people trust opaque organizations shoving unknown code at them that runs with way too many permissions on their computers. Talking about unknown code, there is a lot of work to be done on reproducible builds, as anything touching the web has nearly nothing about it.
And that's for me, a technical user using a password manager.
This pops up 1Password's overlay but it is still URL-aware. I find it works almost universally. It'll show you what it's going to fill: just hit Return and it'll be done.
It doesn't even care what browser you're in. Works across the lot. Of course it isn't fully integrated so Passkeys won't work.
URL-aware browser plugins for autofilling passwords can also make people _more_ susceptible to phishing.
The password manager plugins sometimes not working correctly changes the Bayesian probabilities in the mind such that username/password fields that remain unfilled become normal and expected for legitimate websites. If that happens enough, it inadvertently trains sophisticated computer-literate users to lower their guard when encountering true phishing websites in the future. I wrote more on how this happens to really smart technical people: https://news.ycombinator.com/item?id=45179643
Password browser plugins being imperfect can simultaneously increase AND decrease security because of interactions with human psychology.
> autofilling passwords can also make people _more_ susceptible to phishing
No, it doesn't. What it does, is generally make people _less_ susceptible to phishing, but the moment you stop paying attention when autofill breaks, is the moment you can STILL get phished. But in 90% of the cases, the autofill will HELP you avoid getting phished.
What an absolutely bananas thing to say, that autofilling passwords make people more susceptible to phishing, completely wrong and borderline harmful to spread things like this.
> The new technique detailed by Tóth essentially involves using a malicious script to manipulate UI elements in a web page that browser extensions inject into the DOM -- for example, auto-fill prompts, by making them invisible by setting their opacity to zero
The website is compromised, all bets are off at that point. Of course a password manager, regardless of how good it is, won't defeat the website itself being hacked before you enter your credentials.
That's not a "hijack of autofill", it's an "attacker can put whatever they want in the frontend", and nothing will protect users against that.
And even if that is a potential issue, using it as an argument why someone shouldn't use a password manager feels like completely missing the larger picture here.
I'm pointing out that password manager autofill can be used in an attack without the person's knowledge.
The site itself does not have to be compromised btw, this could come through the device itself being compromised or a poisoned popup on a website without referrer checks. There are probably quite a few ways I haven't considered to be able to get this to work.
You link to Bitwarden's issues mentioning autofill and while it's true that autofill might break, if you click on the extension icon it's going to present you with a list of credentials for the current domain and give you options to quickly copy the username and password to your clipboard.
If that list is empty then I'm immediately put on high alert for phishing, but so far it's always been due to the website changing its URL/domain. I retrace my steps, make sure I'm on the right domain, then I have to explicitly search for the old entry and update it with the new URL.
That said, I've seen people do: Empty account list -> The darn password manager is misbehaving again -> Search and copy the password. I wouldn't consider those people to be sophisticated users since they're misunderstanding and defying the safety mechanisms.
So, when I'm prompted to log in somewhere, I open the password manager and repeat the steps you just mentioned. It does add extra steps to the process, but I don't think it makes it less safe than having an autofill extension, which requires a ton of permissions and is more prone to compromises. And yes, my manual method also means I have to rely on me being aware of the URLs I'm on, but I usually bookmark my main services, so it's working fine for me this way. I also treat all emails as spam and/or an attack unless I verify them by the domain, and whether I had just recently requested to log in or requested a password change, etc.
At the end of the day, it boils down to us paying attention to every action we take, regardless of the measures we take, as new and different methods are being deployed to own us every day.
Look up DOM-based clickjacking. It will "autofill" the field but on submission it sends the data to an attacker.
> The new technique detailed by Tóth essentially involves using a malicious script to manipulate UI elements in a web page that browser extensions inject into the DOM -- for example, auto-fill prompts, by making them invisible by setting their opacity to zero.
> The research specifically focused on 11 popular password manager browser add-ons, ranging from 1Password to iCloud Passwords, all of which have been found to be susceptible to DOM-based extension clickjacking. Collectively, these extensions have millions of users.
> "All password managers filled credentials not only to the 'main' domain, but also to all subdomains," Tóth explained. "An attacker could easily find XSS or other vulnerabilities and steal the user's stored credentials with a single click (10 out of 11), including TOTP (9 out of 11). In some scenarios, passkey authentication could also be exploited (8 out of 11)."
More info: https://marektoth.com/blog/dom-based-extension-clickjacking/
Originally discussed at DEFCON 33
Thankfully the VOIP operator alerted me and pulled the number back. Then I set a port out code.
Who knows how many other holes I have. I lost my sense of smugness that day.
TOTP is also trivially phishable.
I still have my sense of smugness because I use SOTA 2fa.
Tangerine (formerly ING Direct) in Canada only has 6-digit PINs and SMS 2FA
TD Canada Trust only supports SMS 2FA
PC Financial only supports SMS 2FA
Crappy SMS 2FA or not. Losing your number is a huge pain. Because phone numbers are treated as identity, it also allows the person who took your number to impersonate you by calling into $X service. At least in America.
Apparently it's possible to bypass 2FA and do a password reset of a Google account without email access, if the account owner doesn't abort it within 30 days. I confirmed that it works by "pwning myself" afterwards. So keep an eye on your old Gmail inbox if it matters.
Has this recently changed?
i.e. -> fake news.
First-hand account.
It happens to all of us. I always tend to make sure any extension has the sources available (unless requested by work/client), but nowadays with open source supply chain attacks, it's just another breakable wall. Even on Linux, some long time ago, I caught a trojan (luckily, to the extent of my knowledge, it didn't affect anything besides running a crypto miner on my M3 laptop), disguised as systemd, that was spreading through Kodi extensions.
I'm not going to blog about it, but will at least share how I messed up. Maybe it'll help someone else.
I was phished through Discord. A CEO that I was friends with was phished prior to me and I let my guard down when someone I put on a pedestal reached out to me. The hacker asked me to review a video game prototype they'd been tinkering with in their spare time (the CEO worked in the video game industry) and they came to me because they knew I'd give them "honest feedback." The game's website looked legit enough with AI generated screenshots and boilerplate text.
They also messaged me right around dinner. I had like ten minutes of downtime when the message came in and I immediately shifted to, "Yeah I can bang this request out real quick for a person important to me before dinner arrives." rather than keeping my guard up.
Additionally, I have (or had) two Google accounts. My primary email address is much older and wasn't very business-professional. Over 15 years ago I created a secondary email, that was just my name at gmail, configured it to forward all emails to my first account, and then never logged in to that account again. Naturally, that meant that my primary account had 2FA, but my secondary account did not.
I signed up for Discord using my secondary Google account. So, when I got phished, the hacker assumed that was my primary account and compromised it first.
The way they compromised the account was very quick and efficient. They immediately set parental controls on the account, listed an email address they controlled as the parent, and then changed the account's age to under 13. Those actions 100% lock an account because all account recovery options must be approved by the parent for children under 13.
Surprisingly, I did get a security notification saying that a suspicious session had been started on my primary email account even through 2FA. I (thankfully) managed to kick the hacker out before they were able to do the same to me. I'm not sure how they got access to the second account.
Laughably, the hacker tried to extort me for only $400 and, when they didn't get it, they pivoted to sending threatening texts then moved on to trying to phish others for quick cash.
Thankfully, I didn't lose much. I lost access to my Discord account and to my Google account, but all my Google data was replicated. I lost a full night's sleep resetting all my passwords everywhere. And I still feel a bit violated and think I always will.
It was really interesting being motivated to interface with the security processes of several hundred companies. Shout out to Kraken and Etsy for having the best security procedures.
Anyway. Just wanted to highlight a scenario which happened. I'm in engineering leadership. I've worked on a computer every day for over 20 years. I use KeePass to store my passwords and generally have fine security hygiene. I do my KnowBe4 training modules, lol.
I downloaded and ran an executable from the website under the belief I was checking out a game prototype. My Chrome browser instance crashed the moment it ran. I re-opened Chrome, got an email about suspicious login, and immediately turned the computer off to triage on a clean machine. I knew I was hacked within moments of being hacked and was fully at my computer for it.
I'm assuming I lost access to the Google account through session hijacking / exfiltrating an active session token. That doesn't really make complete sense, though, because I wasn't logging in to that second Chrome account with any regularity. It also doesn't explain how they got access to my 2FA-enabled account. I had some thoughts there about how easy it is to click "Remember this PC" and weaken 2FA and maybe the malicious script made my machine a proxy for their actions to leverage my PC being remembered? I'm not sure how practical that theory is in practice.
or at the very least, the basic username+alias@domain.tld? this lets you know at least which thing was compromised.
of course, I don't recommend doing the same for important services like your banking accounts, but for the vast majority, having an alias would be enough.
and compartmentalisation always helps (different emails/accounts for personal, govt, and work domains).
I haven't considered looking into other email alias tools. The whole area wasn't something I had put much thought into after getting things the way I wanted a decade prior.
In email, I have used the "+" format in some situations where I'm curious if a third-party is going to leak my contact details. It's not something I use every day, but it is a useful tool, I agree.
The problem with getting a Google account hacked is that Google, by default, really wants to save your passwords for you. So, even though I keep passwords in KeePass, plenty of them ended up remembered inside Chrome, too. Once the hacker compromised the Google account I had to assume every website listed in my password manager needed to be rotated. Plus, I had to change every account that I registered using my "firstname.lastname" email - so I was basically already sold on needing to have to revisit every website I'd ever used.
The DM came from an old gaming friend of mine that actually was a developer. I’d known him for years and had playtested for him before - though it was years prior. Literally nothing about it seemed fishy.
As soon as the game “crashed on load” and Discord took its focus, I realized what had happened. I managed to change my Discord password, revoke all session tokens, and lock them out while they were buying things from the Discord store. Then I went through, changed my critical passwords, froze all the cards that are in my Bitwarden vault except one with a very low limit I kept alive as a canary, and started my post-mortem.
Turns out the malware did in fact attempt to exfil my Bitwarden vault. Thankfully, I have it configured to remain locked always and to require a security token to use, so they didn’t get anything unencrypted.
Between my initial response, analysis, dealing with changing passwords, and wiping my desktop out of an abundance of caution, I lost a total of about 12 hours. The attacker managed to buy about $60 of stuff on Discord before I shut them down there. Oh, and I got extortion messages from various accounts claiming to be them for months.
One thing that did surprise me was that while I was revoking access, they were trying to convince me they had all my credentials. They sent a screenshot logged in to my Autodesk account, of all things. That freaked me out, but I quickly realized that that particular email/password had been leaked and that the attacker was using it to try to convince me they had much more damaging information than they really did.
While quite technical users (à la this community and devs in general) would be able to inspect the source code of browser extensions to do an audit, most of us don't have time for this, and we just have to rely on the browser add-on's number of downloads & reviews as a poor indicator.
It would be really useful to know how this particular extension was rated
Unfortunately, with a brisk urge to clean it all up, I hadn't paid attention to which extension it was that got my browser compromised; I had immediately removed all extensions, cleared browser data, stopped the sync, and uninstalled it altogether (for fear of getting further compromised).
What I can say is that I have tried a number of extensions for the purpose of making a website in dark theme, for ease of reading, which weren't as popular (in terms of rating & installs), and it's highly likely that those were malware.
That being said, I now hesitate to even install extensions that are selected by the Google Chrome editor team. I vibe-coded a simple extension myself to use as a "dark reader", and will probably avoid installing anything anymore. I got my fair share of damage.
FWIW, I experimented with dark theme extensions (paid and free) and gave up on them after a while: it just all felt a bit too clunky and unreliable, the flashes of unstyled pages were annoying too.
I've now standardised (this is in Firefox) on a combination of:
- Reader mode
- a very simple extension that allows per-domain custom CSS…
- …and another that lets you disable Javascript completely per site (which adds a bit of security, generally improves the experience, including the side effect of removing cookie popups.)
This is a very good way of stating the problem in terms anyone can relate to.
> I had one brow raised, a little suspicious, but not very much to initiate a full-scale defense
This on the other hand seems overly superficial. You get your eMarketplace account hacked, then your Twitter account, and you're just "a little suspicious"? My eyebrows would raise all the way to the back of my head after this. Not sure I'd know where to start but I'd be very concerned.
> A few days later, the same thing happened with my TikTok and Reddit accounts. I repeated the previous steps now that I had gotten used to them. This time I raised two of my brows with a little more suspicion. Still not quite there, though.
I mean... This is an incredibly high threshold for getting concerned. The kind that lowers the bar to getting hacked.
asked him to shut down the laptop immediately and add me to the call, to which he replied, "they sent me our postal code and told me if i told anyone or turned the laptop off, they're going to send someone to hurt me."
that's when i realized why he was panicking so much, to me who was 10 years older that was an obvious scare-tactic, he was a young, naive teenager so he was legitimately scared for his life.
was able to calm him down, he added me to the call, and turned the laptop off. i was surprised that the hackers in question were 3-4 french teenagers, incredibly rude and aggressive. they didn't care that they weren't able to ruffle my feathers, they just constantly asked for bitcoins, said they'd hurt our mom etc.
when i refused and just didn't engage they started posting our mom's tax returns and other files from her laptop, that's when i realized that they did indeed exfiltrate data.
immediately packed my bags and took the next train to meet mom and brother. we spent the afternoon rotating e-banking passwords etc.
while doing this, the hackers did try to log in to her paypal and they actually got into my netflix account.
turned the wifi off at home to boot the laptop back up, wanted to try to retrace their steps. i did find out what kind of stealer they used and was able to sleaze my way into a secret discord server they used to organize, but it was temporary and they had already left. so i just wiped the laptop and reinstalled windows.
apparently these guys had promised my brother to optimize his PC so that Fortnite would run better, he let them connect via AnyConnect or TeamViewer, don't exactly remember. they did some legit debloating stuff etc., but also let a stealer run in the background. apparently these guys had spent some weeks in the discord server my brother was in to establish trust.
to this day i haven't felt as much rage again. seeing my young brother in such a distressed state, realizing that all of my mom's data, childhood pictures etc. were stolen made me angry to a point i've never felt, i legitimately wanted to find out who these guys were and hurt them as much as i could. of course we all calmed down again and realized there's nothing we could do other than rotate PWs and observe logins.
police said there's nothing they could do (didn't expect it anyways, but worth a try), discord ignored me when i reported the hacker's accounts. typing this out again makes me angry again, interestingly enough. it's been two years, almost forgot that this ever happened.
Well, losing access to both TikTok and X could be considered a bright side as well. But more seriously, isn't it tragic that you can't just blindly assume any piece of OSS isn't malware, anymore?
Funnily, I'm always tempted by extensions that offer dark mode for webpages but never dared to install one.
I do use extensions, but only if they are from well known, respected organisations.
The author was lucky that it was only a few compromised social media accounts. It could easily be an empty bank account or stolen identity instead.
Someone I trusted at the time sent me a modified Legend of the Red Dragon BBS door game expansion/mod that did del C:\
Learned a lot that day.
> I went on looking for one of those browser extensions that made it easier to read. [...] I had to find the perfect one, with the cleanest user interface, the best features, the most convenient, across all cases and needs.
Examining the supply chain of those extensions and whether they were open-source and reputable should have been part of the evaluation process!
Also surely there is no reason to install any "dark reader" extension aside from the canonical Dark Reader...? https://github.com/darkreader/darkreader I thought this one was very well-known. I still wouldn't recommend _using_ it, you remain at risk of upstream's supply chain being compromised, but it's at least not malicious by default.
Firefox has dark mode built into its reader view feature which works on most websites, I'd imagine Chrome can do something similar. I greatly prefer and recommend this over installing an extension.