1Password, Bitwarden, Enpass, iCloud Passwords, LastPass, and LogMeOnce
Wouldn’t the attack need to happen on a subdomain of the site they’re trying to steal credentials for? At least Bitwarden won’t suggest any credentials to autofill otherwise (haven’t tried the others)
This is why I tattoo all my passwords backwards on my asscrack
This is somewhat clever, but if you’re phished into attempting to login on a malicious page, you’ve already lost
Per the article, the attack works by making you think you’re clicking CAPTCHAs and reduces the opacity of the auto login buttons you’re actually pressing.
Yes, I read the article.
Then I guess your comment confused me because the attack doesn’t require the user to attempt to log in. Completing a CAPTCHA on a random page isn’t internet idiot behavior, it’s what we’ve been trained to expect is the norm.
I think I meant to reply to the user who was talking about KeePass. If you have brought the user to a malicious page, you can already just impersonate the login form and something like KeePass that doesn’t offer to autofill passwords will be none the wiser (because the user initiates the paste / autotype)
In the XSS case, I think this would be occurring on a page the user trusts but has been compromised by an external script (via an ad or other means). If it’s at a domain the user has saved credentials for, odds are high it’s a login page, but I think you’re right that an attacker could probably add their own input field to provoke the password manager overlay, with an innocuous-looking fake captcha or cookie banner over it.
Once again I am reminded why I always use an adblocker.
So if I just use the desktop app and not the browser extension then I’m good?
That’s what I’m getting from this too
Any insight in attacks on the browser password managers themselves?
Once again Keepass proves to be the superior solution.
Just like Craigslist; every ounce of energy out into veneer is energy not in the core product design and maintenance and also adds cost. Minimal, functional, excellent.
They tested 11 popular password managers, Keepass wasn’t one of them.
So if it wasn’t even tested for attacks that nearly every other manager fails at least 1 aspect of, then you should assume it’s not safe either.
then you should assume it’s not safe either.
Well, except that the method of exploit was involving the web browser plugin, which isn’t a thing Keepass does to begin with.
There is an extension, but it’s significantly simpler than the other providers.
I’m an idiot using bw, do we have much confidence in any means of avoiding this yet or no?
The easy-ish way is to use the desktop app, but from the article:
However, Bitwarden told BleepingComputer that the issues have been fixed in version 2025.8.0, rolling out this week.
I have pretty unserious threat model, so hopefully bw team is trustworthy enough to believe in their upcoming fix.
Many thanks Leo!
My understanding is that bitwarden is generally very well regarded by security knowledgable folks, with the most secure option being keepass synced manually, and seemingly bitwarden behind that (among popular choices)
That is my impression as a fairly non-technical casual privacy/security pursuer anyway 🤷♂️ I’m also a Bitwarden user as it’s a better balance of practicality and security for my needs and usecase
I just now did an update and Bitwarden updated. Linux Mint.
Nice, good looking out😎
