It wouldn’t know how to deal with “unusual” URL schemes, so for data:text/html,foo/:// or about:blank#:// it would return as the host name. There was one more issue: the function hostFromString() used to extract host name from URL when saving passwords was using a custom URL parser. ![]() But at least there will be some warning flags for the user along the way… And will be able to retrieve the password later if the user triggers AutoFill functionality on their site. But instead of saving that password for it will store it for. So if in Chrome embeds a frame from and the user logs into the latter, RememBear will offer to save the password. While AutoFill doesn’t use window.getOriginUrl(), saving passwords does. It contains the list of origins for parent frames, so this function will return the origin of the parent frame if there is any – the URL of the current document is completely ignored. IsRememBearWebsite () ĭon’t know what does? I didn’t know either, it being a barely documented Chrome/Safari feature which undermines referrer policy protection. The following function was responsible for recognizing privileged websites: In case of RememBear, things turned out to be easier however. via an all too common XSS vulnerability) will give attackers access to this functionality. This is generally an issue, because compromising this website (e.g. ![]() Password managers will often give special powers to “their” website. I also couldn’t fail noticing a bogus security mechanism, something that I already wrote about. Security-wise the tool doesn’t appear to be as advanced however, and I quickly found six issues (severity varies) which have all been fixed since. Technically, it is very similar to its competitor 1Password, to the point that the developers are being accused of plagiarism. And occasionally I’ll take a closer look at the tool, which is what I did with the RememBear password manager in April. Whenever I write about security issues in some password manager, people will ask what I’m thinking about their tool of choice.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |