Major password managers can leak logins in clickjacking attacks (www.bleepingcomputer.com)

submitted 1 week ago by leo@lemmy.linuxuserspace.show to c/news@lemmy.linuxuserspace.show

21 comments fedilink hide all child comments

you are viewing a single comment's thread
view the rest of the comments

[-] subignition@fedia.io 3 points 1 week ago

I think I meant to reply to the user who was talking about KeePass. If you have brought the user to a malicious page, you can already just impersonate the login form and something like KeePass that doesn't offer to autofill passwords will be none the wiser (because the user initiates the paste / autotype)

In the XSS case, I think this would be occurring on a page the user trusts but has been compromised by an external script (via an ad or other means). If it's at a domain the user has saved credentials for, odds are high it's a login page, but I think you're right that an attacker could probably add their own input field to provoke the password manager overlay, with an innocuous-looking fake captcha or cookie banner over it.

this post was submitted on 21 Aug 2025

52 points (100.0% liked)

Linux and Tech News

2171 readers

1 users here now

This is where all the News about Linux and Linux adjacent things goes. We'll use some of the articles here for the show! You can watch or listen at:

You can also get involved at our forum here on Lemmy:

User Space Forum

Or just get the most recent episode of the show here:

The Show

founded 2 years ago

MODERATORS

leo@lemmy.linuxuserspace.show