How do you think Bitwarden could have handled this better?
suprjami | 3 years ago
An allowlist of domains where iframe autofill is allowed, pre-populated with some vetted examples like apple/icloud mentioned in the article?
At what point do user options trump accessibility? I tell my parents to use Bitwarden because it's more secure than their alternative (plaintext in a Google Doc) but they have no idea what an iframe is or how to spot one. If I taught them they'd never remember because it is something so seldom used. Password managers are written for an audience much larger than us. Such an option as suggested would be useless to them.
Maybe Bitwarden made the right choice here?
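As an added sketch of the allowlist idea floated above (example code, not Bitwarden's or any vendor's implementation), the policy below only fills a credential into the frame whose origin it was saved for, and only in a cross-origin frame when the top-level origin has an explicit allowlist entry for that frame origin. The allowlist contents and the URLs in the comments are constructed for the example; strict origin equality is used in place of the looser domain matching real managers apply.

```javascript
// Added example: an autofill decision for (possibly framed) login forms.
// Not Bitwarden's code; the allowlist entries are constructed placeholders.

const DEFAULT_IFRAME_ALLOWLIST = {
  // top-level origin -> frame origins that may receive autofill there.
  // Constructed for the example; a real list would be vetted and shipped by the vendor.
  "https://www.icloud.com": ["https://idmsa.apple.com"],
};

// URL.origin normalizes scheme, host and default port and throws on junk input,
// so "https://bank.example:443/login" and "https://bank.example/" compare equal.
function originOf(url) {
  return new URL(url).origin;
}

// topUrl: the top-level document; frameUrl: the document holding the form
// (equal to topUrl when the form is not framed); credentialUrl: the URL the
// stored credential was saved for.
function autofillDecision({ topUrl, frameUrl, credentialUrl, allowlist = DEFAULT_IFRAME_ALLOWLIST }) {
  const top = originOf(topUrl);
  const frame = originOf(frameUrl);
  const cred = originOf(credentialUrl);

  // Match the credential against the frame that will actually receive it,
  // never against the top-level page: a foreign frame injected into a login
  // page must not be handed that page's credential.
  if (cred !== frame) return { fill: false, reason: "credential-origin-mismatch" };

  // Unframed form, or a same-origin frame: ordinary autofill.
  if (top === frame) return { fill: true, reason: "same-origin" };

  // Cross-origin frame (e.g. a legitimate login embedded by an unrelated site):
  // fill only when this top/frame pair is explicitly allowlisted.
  const permitted = allowlist[top] || [];
  if (permitted.includes(frame)) return { fill: true, reason: "allowlisted-frame" };

  return { fill: false, reason: "cross-origin-frame-blocked" };
}
```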
MisterKent | 3 years ago
- odds of an arbitrary malicious iframe being on a login page seem vanishingly small, especially when a compromise of the login page is probably necessary before the iframe can be injected. How often can an iframe be injected but not arbitrary js?
- iframes having autofill should definitely be a sub option on such a feature.
Either way, also curious about other password managers and their behaviors here. TFA doesn't go into that, seems like a big omission.
ghostpepper | 3 years ago
It's pretty common to inject credit card skimmers into checkout pages - why would login pages be any different?