Definitively Not( James )

2021/08/24


An article was posted last month about the the dangers of autofill in password managers. The thought is that if there’s Cross Site Scripting (“XSS”) on the page you’re logging in and the password manager helpfully automatically fills in the password you’ll lose your password.


The point attempted by the article is not XSS on the authentication page but instead anywhere. The idea is that you create a fake form that looks like a simple login page, the password manager fills in the credentials and then deletes the form after shipping the credentials off.


So - you get the advantage of a much lower level of effort credential collection approach. This is usually for the security / ease of use tradeoff. Got it, though, let’s disable autofill globally - that solves the problem, right?


Well.. no. If you have an XSS vulnerability even without a password manager it’s already game over - you’ll be losing that password. Change the URL via the history API to be the correct URL, throw the fake login page out, collect the credential the user types in.


While it’s safer to disable autofill the question brought up is “will people use it?” If the ease of use gets folks to use different passwords between services.. it’s a security win in my book even if these new vectors are opened.