this post was submitted on 19 Jul 2025
443 points (92.5% liked)

Technology

72957 readers
2870 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
L4s@hackingne.ws
443
Password manager by Amazon (lemmy.world)
submitted 1 day ago by kokesh@lemmy.world to c/technology@lemmy.world
146 comments fedilink hide all child comments
 
you are viewing a single comment's thread
view the rest of the comments
[–] gaylord_fartmaster@lemmy.world 0 points 14 hours ago (1 children)

Someone manages to maliciously sneak username and password fields onto a site that store what is entered as soon as it's typed. They don't even have to be visible to the user and bitwarden will fill them in as soon as the page loads.

[–] Serinus@lemmy.world 5 points 14 hours ago (1 children)

Bitwarden will only autofill if the domain matches.

[–] gaylord_fartmaster@lemmy.world 2 points 12 hours ago (1 children)

Right, "maliciously sneak", as in they've either gained access to make changes to the site ditectly, or they've found a way to inject their scripts to steal creds.

[–] Serinus@lemmy.world 2 points 12 hours ago* (last edited 11 hours ago) (1 children)

And how is that any different from not having a password manager?

Yes, if someone hijacks a domain they can get credentials intended for that domain. A password manager doesn't make a huge difference here, because why would they make the site look any different than normal?

[–] gaylord_fartmaster@lemmy.world 0 points 12 hours ago (1 children)

They don't even have to be visible to the user and bitwarden will fill them in as soon as the page loads.

I guess you didn't read most of the comment.

[–] Cocodapuf@lemmy.world 2 points 3 hours ago* (last edited 3 hours ago)

No, he did, here's where the confusion is.

Serinus is asking if the site in question needs to be compromised. In other words, can the attacker compromise a random site to fool your password manager into entering credentials for Gmail.com, or does the attacker have to compromise Gmail.com to do that?

Because those two attacks are very different levels of complexity.

And frankly, if someone compromises the site you're actually trying to visit, there's simply no defense against that at all.