

Whenever I write about security issues in some password manager, people will ask what I’m thinking about their tool of choice. And occasionally I’ll take a closer look at the tool, which is what I did with the RememBear password manager in April. Technically, it is very similar to its competitor 1Password, to the point that the developers are being accused of plagiarism. Security-wise the tool doesn’t appear to be as advanced however, and I quickly found six issues (severity varies) which have all been fixed since. I also couldn’t fail noticing a bogus security mechanism, something that I already wrote about.

Password managers will often give special powers to “their” website. This is generally an issue, because compromising this website (e.g. via an all too common XSS vulnerability) will give attackers access to this functionality. In case of RememBear, things turned out to be easier however. The following function was responsible for recognizing privileged websites:

IsRememBearWebsite()

Don’t know what does? I didn’t know either, it being a barely documented Chrome/Safari feature which undermines referrer policy protection. It contains the list of origins for parent frames, so this function will return the origin of the parent frame if there is any – the URL of the current document is completely ignored.

While AutoFill doesn’t use window.getOriginUrl(), saving passwords does. So if in Chrome embeds a frame from and the user logs into the latter, RememBear will offer to save the password. But instead of saving that password for it will store it for. And will be able to retrieve the password later if the user triggers AutoFill functionality on their site.

RememBear extension password

But at least there will be some warning flags for the user along the way…

There was one more issue: the function hostFromString() used to extract the host name from a URL when saving passwords was using a custom URL parser. It wouldn’t know how to deal with “unusual” URL schemes, so for data:text/html,foo/:// or about:blank#:// it would return as the host name.

Native like keychain but using open source, self-hostable password management encryption/storage software. Strongbox is just a well-designed front end interface to your encrypted password database. Not affiliated with Strongbox, but from a developer's perspective it pains me to think that most people are just willing to say "ok, here are all the keys that secure virtually my entire life". There's absolutely no technological justification that would make that a reasonable thing to do in and of itself. Especially not when you can easily manage it yourself with open source, encrypted file formats designed specifically for this purpose. That said, Keychain is probably as close as you can get to that without having complete autonomy over everything. Might be a little bit of reading up to understand how/what all that means in practice at first, but afterwards your only additional responsibility is that of safeguarding/backing up your encrypted password database file just as you would any other personal, financial, or other important documents. Can't get discontinued either: even if the Strongbox app suddenly disappears, you can always just use a different app compatible with the same password encryption file type.
