This repository has been archived by the owner on May 27, 2019. It is now read-only.
[SECURITY] Credential leak vector #230
Comments
erayd
added a commit
to erayd/browserpass
that referenced
this issue
Mar 22, 2018
This was referenced Mar 22, 2018
maximbaz
pushed a commit
that referenced
this issue
Mar 22, 2018
- Credentials are now discarded immediately as soon as the tab has loaded - Credentials are not supplied to any model login that occurs after the tab has loaded - If the domain requesting credentials is not the same as the domain that was launched, the user will be asked if they really want this.
|
Fix merged in 2.0.16, it is published in both webstores now. |
|
@maximbaz Thanks very much - I really appreciate your speedy review and merge to help get my mess cleaned up quickly. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
#224 introduces a credential leak via HTTP basic authentication.
In order for credentials to leak, all of the following conditions must be true:
If all those are true, then the credentials of the launched site will be invisibly provided to the modal authentication request.
This scenario can occur in two ways:
I apologise for this oversight - this is my fault. I will submit a PR that fully closes this vector ASAP, and within the next 24 hours.
In the meantime, in order to avoid the vulnerability, users should not launch sites via the browserpass extension unless they know that a basic auth request will occur before they navigate away from the site, or they should ensure that any navigation away from a browserpass-launched site occurs in a different tab.
The text was updated successfully, but these errors were encountered: