That applies to any business. Your one-developer rhetoric is a logical fallacy.
I didn't hear about that, and I had to google it. I'm reading the blog now and yeah. I'm happy to see they're quite on the uptake on this and are dealing with it.
Clickjacking vulnerability is far worst than being discussed. Not the best similar example but like ad blockers and YouTube website video ads on a Mac or PC. Not even close to the same thing but my point is difficult to stay ahead of sometimes for developers. Thankfully there is more than one or even two developers with at least half of programs / apps.
Well, it won't even do the part where it puts it into the fields without me agreeing. I have to select the box and select the account I want to use...but I would have to know the site is compromised...
Did you get a response to this? On the verge of moving to apple passwords with access app and proton pass as a backup for cross platform use.
I did.
Update on this. I researched this pretty thoroughly and I think you are spot on. I switched to 1password over this (which I never said I would do once they went subscription). Thank you for bringing it to my attention.As you click on "Accept cookies" or close an advertisement popup, you don't realize you're actually clicking on the various locations in the Bitwarden widgets, selecting an offered entry. Toth points out that it is easy for the malicious code to move the add-on's hidden widget to keep it strategically placed under where you're clicking. So, unless Bitwarden is preventing their widget from being hidden (so that you know you're clicking on it), there is a risk.
1Password's designers just assume that someone will eventually figure out a new way to hide an add-on's widget. So instead 1Password offers you the option to turn on a confirmation dialog. The confirmation dialog that 1Password triggers is not running within the web rendering engine at all. It can't be hidden by malicious code on the web site. My understanding is that when that dialog pops up, all execution within the web page is suspended until you respond to it. The extension's web elements trigger code which probably calls this:
Window: confirm() method - Web APIs | MDN
window.confirm() instructs the browser to display a dialog with an optional message, and to wait until the user either confirms or cancels the dialog.developer.mozilla.org
I haven’t a clue what you checked, but Codebook hasn’t changed. Secret Agent, which is what I guess you mean by “mini assistant”, is still there, as is manual sync over WiFi.
Thanks for double-checking me on that. I am also bothered by subscriptions and try to avoid them. I understand the subscription comment was only a minor point you made, but I'll take that as an opening
Also a great point as even Bitwarden has nothing anywhere that I could find in regard to clickjacking. I guess the higher cost does indeed help.Thanks for double-checking me on that. I am also bothered by subscriptions and try to avoid them. I understand the subscription comment was only a minor point you made, but I'll take that as an opening
In the case of a password manager, I want to pay regularly.
I want a password company that invests heavily in constant research into the risks and security techniques to address those. I feel like I'm paying for more than a license to their software. When I give them money, I feel I'm paying for the research that will be applied to the next release. The worst thing I can imagine is a small software shop where the developers have to have other software jobs to make enough money.
Much of the work they do will have no concrete output, but I still want it done. They have to go to conferences, exchange ideas with their security peers in the industry, evaluate changing operating environments (OS, browser), and evaluate new threats. They also have to invest heavily in communication through posts and heavy forum participation.
Security professionals aren't cheap. This is not commodity software they're writing.
Other people are more casual. It would take a lot of definitions and study to determine whether being casual is good enough or what level of casual is optimal. A very casual attitude towards passwords might be incompatible with paying for password management at all. I'm not casual and I think about the nightmare of a password breach a lot.
BitWarden offers a version of their software for free. I only trust it because I know the company makes money from their paying subscribers. I hope people who can easily afford to pay don't just use the free version; someone has to fund the constant work.
And it really isn't that much at this point compared to some others.Per Toth (https://marektoth.com/blog/dom-based-extension-clickjacking/) who found the clickjacking vulnerability, it is fixed in Bitwarden.Also a great point as even Bitwarden has nothing anywhere that I could find in regard to clickjacking. I guess the higher cost does indeed help.
Interestingly, you trust Bitwarden but seem to distrust Codebook. However, at least until the latest updates, Codebook was more secure to use than Bitwarden or 1Password, as Codebook has never used browser plug-ins.
As you know, concerns were expressed earlier in this thread about browser plug-ins, and those fears have now been realized with the clickjacking problem. In contrast, I have never heard of any issues with the Apple’s Password AutoFill.