Git-Credential-Manager-for-Windows icon indicating copy to clipboard operation
Git-Credential-Manager-for-Windows copied to clipboard

Published 20 hours ago verified publisher icon microsoft

Is this your bitbucket popup? How can I trust this with my password?

Open oliverjanik opened this issue 6 years ago • 8 comments

This pops up way too often on my machine. Random window at random times asking for a password.

Nope.

I'm not putting my password into random window that pretends to be Atlassian. How can I verify this is actual Atlassian website?

Ripe for phishing attack.

image

Also how do I make this go away. All my git repos work just fine, but this thing seems to need my password every 5 minutes.

oliverjanik avatar Sep 28 '18 01:09 oliverjanik

This feels similar to #751

I'm not putting my password into random window that pretends to be Atlassian. How can I verify this is actual Atlassian website?

cc @mminns

shiftkey avatar Sep 28 '18 13:09 shiftkey

If you really want to know then check that it is from Git credential manager process.

PaulDotNet avatar Sep 28 '18 14:09 PaulDotNet

Hi That is the Bitbucket GUI from the Git Credential Manager, I wrote it.

As a genuine question what would you hope to see with it that would reassure you as to what it was?

I'm guessing it is appearing due to a regular background process, perhaps from Sourcetree that is trying to work with a Bitbucket repository, but does not have valid credentials

mminns avatar Sep 28 '18 20:09 mminns

Can you perhaps open the browser so that I can verify the SSL cert?

Is it possible to just log in using git credentials? Why do I need to sign into entire Atlassian?

oliverjanik avatar Oct 01 '18 16:10 oliverjanik

GCM is great and the developers make that happen.

The issue in question seems a general/broad issue not specifically for this app.

For an application in browser, user can check the url again phishing. For an application out of browser, maybe the OS should provide something like the url, may be in the upper-left system icon down-drop menu?

nilnul avatar Oct 07 '18 08:10 nilnul

Here's the thing I work withing SourceTree or Sublime Merge or whatever and this window comes up. How do I know which app opened it? How can I trust this? If I find the window handle and trace the process It does say Git Credential Manager.

So the 2 issues are:

  1. Can you make it clear this is Git Credential Manager?
  2. Why do you need my full Bitbucket credentials? I just want to git push. I don't feel comfortable with giving you my password which has control over entire work organisation in Bitbucket.

oliverjanik avatar Oct 08 '18 06:10 oliverjanik

@oliverjanik Is it possible to just log in using git credentials? Why do I need to sign into entire Atlassian?

This dialog is just asking for your Git Credentials, for example you could use an App Password if you preferred. These credentials are the same for both Git and REST. The GCM does use the supplied credentials essentially to check they are valid before passing them back to Git.

Additionally the REST response helps determine if the account is using FA and then can direct the user through the 3LO flow to get an access token.

To clarify in case it wasn't obvious the dialog is a native window it is not opening a browser view.

mminns avatar Oct 24 '18 19:10 mminns

Ah, that makes a lot more sense. Thanks for clarification.

Can the window perhaps say Git Credential Manager? It would not look that random and it would be clear what process it belongs to.

oliverjanik avatar Oct 25 '18 23:10 oliverjanik