This could hack your password manager

Comments

This is my favorite security channel on YouTube. No bluster or BS. Just straightforward useful information.

marcjacobson

This brings up an interesting point. Password managers & security apps are marketed to the average person, but the average person may not have a security-first mindset. You may think you’re safe because you’ve got a fancy password manager but if you’re not following good OpSec, then you’re just as good as Brenda who leaves her password on a sticky note at her computer.

EnergeticGiraffes

Solution: Having 2FA on the password manager, so that even if they have the password they will need the code to log in, or just use the app not the extension, like the Bitwarden app for example.

noobando

Very interesting approach, using the API and simulating the original extensions makes it really hard to avoid

miklanglo

It doesn’t even have to be a new extension you installed. A while back, an extension that I had been using for years was sold to someone sketchy and a simple automatic update installed a new version that had a bunch of sketchy behavior. I immediately uninstalled it, but it could have easily been super malicious and done something like what you described here.

FreakyRufus

It's way better to have a password manager app that doesn't connect to the internet, waaay less risky than one integrated into the browser

dante

Extensions have soo much more power.

They can inject HTML, JS into any website (ex: if it advertises itself as an ad blocker).
It can easily inject a key logger into any sign in page and get the credentials.

haithem

For example, KeePassXC uses a native window to open the database.

x-user

I bought bitcoin in 2011, had to change my name. Had several people try to sim swap me. Had to take many precautions it's actually wild. Makes me think how much 'fun' kids are having these days on people completely oblivious they've been compromised.

bicink

The Ship of Theseus analogy doesn't really make sense but I get what you were going for lol

kleeenco

Clearly ad blocking is the bigger problem -Google

noraonchair

To all the dingdongs in here going "muh pen and paper": People, *ONE* security vulnerability from installing sketchy extensions (which you should treat like installing any other software) does *NOT* override the fact that password managers are unquestionably better than storing passwords in any type of plaintext, including handwritten plaintext.

ElectricHellKnight

This is why my password manager requires a security key

person-fykd

That's insane that a browser would let an extension have permission to mess with the built-in password manager at all.

ItzVioletPanda

Best security channel on YouTube without a second thought. I have a request about malware testing- could you try to do Redeye Ransomware VS Windows Security?

GoofBean

Like if I have set a PIN in Bitwarden then that polymorphic extension will only get the PIN and not the master password. So, Bitwarden is safe that way! Awesome work and videos ❤

amankumargupta

It’s a must have to use an Authenticator for your password manager, if it detects an unknown device it would ask for the authy code essentially locking out ppl even if they knew your password, unless ofc they have access to your device

Synicaly

A good solution for this is using multiple browsers. I use Edge at moderate security to access most sites. But I access sensitive sites only using Firefox with max security and no extensions.

daviddouglass

I was really surprised when I saw how this channel has grown, then again I am not surprised, as it is basically the only helpful security channel. Please stay like this.

nixxblikka

Don't worry, with the new manifest v3, that's being made just for our security, it's gonna be fixed in no time! Wait...

etaspirit