Def Con 26 reveals security vulnerabilities with password managers: Passman webextension affected?

[zenlord]

Title says it all. More info on the specific findings of the hackers: https://media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20presentations/Thanh%20Bui%20and%20Siddharth%20Rao/

If I understand it correctly, the exploit would not work if the communication between the server and the client is encrypted on both ends, as this would make it impossible to benefit from inter-process eavesdropping.

Same question is relevant to the Passman Android app, but I will post this question only here.

---

Want to back this issue? Post a bounty on it! We accept bounties via Bountysource.

[WHGhost]

An attacker would have to have remote code execution on the targeted machine to execute this attack, so as long as keep yours clean, you are safe. Beside that, the attacks described in the paper targets inter-process communication (IPC) between the desktop app of the password manager and its extension inside the browser's process, but Passman has no desktop app and communicates directly with the Nextcloud/Owncloud instance over HTTPS (if one didn't make the mistake to let his/her instance use HTTP). However, modern web browsers use different processes to separate javascript, rendering, networking etc... The attack may happen here, but the issue would come from the web browser, and therefore they are the one to be examined/audited, not Passman itself.

[zenlord]

OK, thx for confirming!