3

I had a situation where I clicked an email link send to me by a financial institution. The link first sent me to their login page where my chrome password extension automatically filled in my username and password. Usually I would never enter any passwords in a site that I arrived at via email link but the password manager already filled them in. I didn't submit them, but I'm sure a scam site would already have scraped my credentials long before I submit.

Has the password manager done enough due diligence in verifying that this is indeed the correct site?

In this case, the password manager what chromes built-in, but I'm curious how other password managers verify the site as well.

Improve this question
2
  • All they do, and all they need to do, is to match the domain. Commented Nov 22, 2021 at 20:57
  • @schroeder - Does that mean I can rely on my password manager as a de facto way of verifying links in emails? Commented Nov 22, 2021 at 21:10

2 Answers 2

Reset to default
3

They validate the domain. It's an information the browser gives the extension, the extension checks its database to see if that domain have saved credentials, and only autofills it if there's an entry on the database.

There were some cases when a password manager got tricked into providing credentials to the wrong domain, but those cases are rare and they get fixed pretty fast. Those cases make some people believe that a password manager is not secure and prefer to use they own password storage, but I disagree. A password manager cannot be fooled by Homograph Attacks, but people can.

Improve this answer
3
  • One example of a password manager being tricked. Commented Nov 23, 2021 at 14:48
  • Sure, password managers aren't absolutely bug-free, but even with the occasional bug they are still much more secure than the alternatives: password reuse, book with passwords, or passwords.txt on the desktop. Commented Nov 23, 2021 at 15:54
  • I agree with everything you've said here. I just wanted to point out the only example I've ever heard of. Commented Nov 23, 2021 at 16:30
2

As ThoriumBR states, yes the browser extensions should validate the domain and only fill the credentials if the domain matches.

It is way better to let the browser extension fill the credentials than using some "auto-type" shortcut that only matches the windows name to type the credentials... the latter cannot validate the domain properly and will be fooled by a website faking the <title>.

Obviously I'd say to avoid trusting unknown extensions you find randomly that are not used by many people... validate that the extensions is written by someone you deem can be trusted.

I just wanted to add that I would suggest to disable auto-fill because it might cause a different minor security issue.

Let's say you have an account on some website, and this website has, for example, a bug that let's you run some javascript included in a query parameter. Now a malicious actor could send you a link to this website that includes some code that grabs the autofilled credentials and sends them to their server.

Your browser would load the URL, the credentials get autofilled and the malicious code run and sends the credentials to the malicious actor.

In this sense it gives better security to only let the browser extension fill the credentials when you decide to do it...

Then again, in the situation described above, depending on the attack and how careful you are at looking at the full URL you may or may not still end up manually triggering the autofill, but it gives an extra step for this kind of exploit to work.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.