
Why It’s Time to Stop Saving Passwords in the Browser

 


As convenience so often takes precedence over caution, the humble "Save Password" prompt has quietly become one of the most overlooked security traps of the digital age. The number of users who entrust their most sensitive credentials to their browsers every day is staggering.

Millions of people trust their browsers with their logins to be spared the daily burden of remembering them. Innocent as this shortcut seems, it conceals a significant and growing cybersecurity risk: the very feature designed to make online access effortless has become a prime target for cybercriminals.

These thieves are able to retrieve the passwords stored on local computers within minutes — often even without the user's knowledge — and sell them for a profit or further exploitation on dark web marketplaces. 

Browser-based password managers store encrypted login information inside the user's profile data, recall it automatically when the site is revisited, and sync it across every device signed in to the same account. That integration improves accessibility and ease of use, but it also multiplies the attack surface.

As soon as a single account or device is compromised, every saved password is exposed. With digital threats becoming increasingly sophisticated, experts warn that convenience-driven habits such as saving passwords in the browser may end up costing users far more than the few seconds they save at login.

Even though browser-based password storage remains the default choice for many users, experts are increasingly emphasising the advantages of dedicated password managers - tools that can be used across multiple platforms and ecosystems independently. 

Browser managers sync only within their own vendor's ecosystem: Google with Chrome, Apple with Safari, Microsoft with Edge. Standalone password managers are not tied to a single vendor. They work with all major browsers and operating systems, so users can reach their credentials on a MacBook or a Windows PC as well as on Android phones and iPhones.

These managers act as independent applications, rather than integrated components of browsers, so that they provide both flexibility and resilience. They provide a safe and secure means of transferring data from one device to another, allowing users to be independent of any single vendor's ecosystem. Modern password managers have more to offer than simply storing credentials. 

Families, friends, and professional teams can use them to share secure passwords among themselves, ensuring critical access during times of crisis or collaboration. Additionally, encrypted local copies of stored data are maintained on the computers, so that users can access their data offline even when their phone or Internet connection is disconnected. 

With this capability, important credentials are always available whenever and wherever they are needed, without sacrificing security. Nevertheless, browser-based password saving continues to attract users around the world, from small business owners trying to maximise efficiency to workers at large corporations juggling multiple logins, because of its ease of use. That convenience is not without its dangers.

Cybercriminals harvest browser-stored credentials every day through stealer malware, phishing attacks and tools that extract autofill information, cookies and stored sessions. Once obtained, these credentials are quickly circulated and sold on dark web forums and encrypted Telegram channels, giving attackers access to sensitive corporate and personal data.

A harmless click on the "Save Password" button can have consequences that reach beyond one individual to entire organisations. Beneath the apparent efficiency lies a fundamental flaw: browsers were never designed to be secure password vaults. Their main purpose is still web browsing; password storage is an optional feature bolted on.

When it comes to strengthening in-browser security, it is crucial that the encryption keys are held only by the device owner. Enabling on-device encryption, available in services such as Google Password Manager, achieves this: the feature integrates with the device's screen lock and adds a layer of protection that prevents anyone else from reading the passwords stored on the user's device.

This comes with a trade-off: users who lose access to their Google account or device may be permanently locked out of their saved credentials. Another essential measure is disabling browser password autofill, which remains one of the most easily exploited browser conveniences.

It is possible, for example, to toggle off "Offer to save passwords" in Chrome by going to "Settings" > "Autofill and passwords" > "Google Password Manager." 

In Microsoft Edge, users achieve the same by turning off "Autofill Passwords and Passkeys" in the "Passwords and autofill" section of Settings. Safari users on macOS Catalina 10.15 and later can export their saved passwords (for example, to move them into a dedicated manager) and then remove them from Safari's Passwords settings to limit their exposure.

In addition to these adjustments, enabling two-factor authentication on every account adds a second line of defence: even if credentials are compromised, unauthorised access remains unlikely.

In order to further reduce potential risks, it is important to review and eliminate stored passwords tied to sensitive or high-value accounts. However, browser-stored passwords are a fraction of the information that is silently accumulated by most browsers. A browser, in addition to storing login credentials, also contains a wealth of personal and corporate data that can be of invaluable use to cybercriminals. 

Saved credit card details, autofill data such as addresses and telephone numbers, cookies, browsing history and cached files together paint a detailed picture of the user's digital life. With stolen cookies, attackers may hijack active sessions without ever needing a password, while stolen autofill data can be weaponised for identity theft or phishing schemes.

Even bookmarks or download histories can inadvertently reveal sensitive client materials or internal systems. In essence, the browser functions as an unsecured vault for financial, professional and personal information, wrapped in a convenient layer that is easy to breach.
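The review of stored passwords recommended above can be scripted. The following is an added example, not code from the article: it inventories a copy of a Chrome/Chromium "Login Data" file (the documented SQLite store with a `logins` table whose `origin_url` and `username_value` are plaintext and whose `password_value` is a blob encrypted by the OS key store) and flags entries on high-value domains. The sample database rows and the `HIGH_VALUE_DOMAINS` policy list are constructed for the example.

```python
"""Inventory of saved browser credentials from a Chrome/Chromium "Login Data" file.

Added example, not code from the article. It relies on the documented layout
of Chrome's SQLite password store: a `logins` table whose `origin_url` and
`username_value` columns are plaintext and whose `password_value` is a blob
encrypted by the OS key store (DPAPI on Windows, Keychain on macOS). Two
points the article only states: the list of sites and usernames is readable
with no key at all, and anything on a high-value domain should not be in the
browser in the first place. Sample data and the domain policy are constructed.
"""
import sqlite3
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# Hypothetical policy: domains whose credentials must not live in a browser store.
HIGH_VALUE_DOMAINS = {"bank.example.com", "vpn.example.com", "admin.example.com"}


def open_login_data(path):
    """Open a *copy* of Login Data read-only; Chrome holds a lock on the live file."""
    return sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)


def is_high_value(host):
    return any(host == d or host.endswith("." + d) for d in HIGH_VALUE_DOMAINS)


def audit_logins(conn):
    """Return (inventory, findings).

    inventory: (host, username, encrypted) for every saved login
    findings:  the subset whose host falls under HIGH_VALUE_DOMAINS
    `encrypted` reports whether the blob carries the 'v10'/'v11' prefix that
    current Chrome/Chromium builds put on OS-keystore-encrypted values.
    """
    rows = conn.execute(
        "SELECT origin_url, username_value, password_value FROM logins"
    ).fetchall()
    inventory, findings = [], []
    for origin, username, blob in rows:
        host = (urlsplit(origin).hostname or origin).lower()
        encrypted = bytes(blob or b"")[:3] in (b"v10", b"v11")
        entry = (host, username, encrypted)
        inventory.append(entry)
        if is_high_value(host):
            findings.append(entry)
    return inventory, findings


def build_sample_login_data():
    """Write a constructed Login Data file (Chrome column names, made-up rows).

    The blobs are placeholders with the version prefix, not real ciphertext;
    the third row imitates a legacy/unrecognised format.
    """
    tmp = tempfile.NamedTemporaryFile(suffix=".db", delete=False)
    tmp.close()
    conn = sqlite3.connect(tmp.name)
    conn.execute(
        "CREATE TABLE logins (origin_url TEXT, username_value TEXT, "
        "password_value BLOB, date_created INTEGER)"
    )
    conn.executemany(
        "INSERT INTO logins VALUES (?, ?, ?, ?)",
        [
            ("https://bank.example.com/login", "alice", b"v10" + b"\x00" * 28, 0),
            ("https://forum.example.net/", "alice99", b"v10" + b"\x00" * 28, 0),
            ("https://vpn.example.com/", "alice", b"\x01\x00\x00\x00" + b"\x00" * 8, 0),
        ],
    )
    conn.commit()
    conn.close()
    return tmp.name


if __name__ == "__main__":
    inventory, findings = audit_logins(open_login_data(build_sample_login_data()))
    print(f"{len(inventory)} saved logins, {len(findings)} on high-value domains:")
    for host, user, enc in findings:
        print(f"  {host:<20} {user:<10} encrypted={enc}")
```

Run it against a copy of the profile's Login Data file rather than the live one, and treat every finding as a credential to move into a dedicated manager and then delete from the browser.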

Dedicated password managers such as 1Password, Dashlane, Bitwarden and LastPass, built from the ground up with encryption, privacy and cross-platform protection as core design principles, offer a much safer and more structured alternative that transcends the limitations of browsers.

Beyond safeguarding passwords, they keep the user fully in control of their digital credentials, balancing convenience with uncompromising security. As digital life becomes ever more entwined with convenience, protecting one's online identity has never been a higher priority.

To reach a higher level of security, users must move beyond short-term comfort and build proactive habits: update passwords regularly, never reuse them, monitor for breaches, and use a trusted password manager with zero-knowledge encryption. There is an important difference between credentials left in a browser and credentials held in a secure, dedicated platform built for that purpose.

In a world where cyberthreats evolve rapidly, users need to know that their data is safe and secure, not merely that it is easy to use.

Passkeys under threat: How a clever clickjack attack can bypass your secure login

 


At DEF CON 33, independent security researcher Marek Tóth revealed a new class of attack called DOM-based extension clickjacking that can manipulate browser-based password managers and, in limited scenarios, hijack passkey authentication flows. This is not a failure of cryptography itself, but a breakdown in the layers surrounding it.


What is being attacked, and how?

Clickjacking is not new. In its classic form, an attacker overlays a transparent frame or control on a visible page so that a user thinks they are clicking one thing but actually triggers another. 

What Tóth’s technique adds is the targeting of browser extensions’ UI elements, specifically the autofill prompts that password managers inject into web pages. The attacker’s script controls the page’s Document Object Model (DOM) and applies CSS tricks (such as setting opacity to zero or overlaying fake elements) so that a user’s genuine click (for example, “Accept cookies”) also activates the hidden autofill element. The result: the extension silently populates the form fields, and the attacker’s script then reads the filled data.

In many of Tóth’s tests, a single click was enough to leak credentials, TOTP (2FA) codes, credit card information or personal data. In some setups, passkey workflows could also be subverted through “signed assertion hijacking” if the server did not enforce session-bound challenges.


How serious is the exposure?

Tóth examined 11 popular password-manager extensions (such as Bitwarden, 1Password, LastPass, iCloud Passwords). All were vulnerable under default settings to at least one variant of the attack. 

Among the risks:

Credential theft: Usernames, passwords and even stored TOTP codes could be auto-populated and exfiltrated. 

Credit card data: Autofill of payment fields (card number, expiration, CVV) was exposed in several tests. 

Passkey hijack: If the relying server does not bind the challenge to a session, an attacker controlling a page could co-opt a passkey login request. 

Some vendors have already released patches. For example, Enpass addressed clickjacking in browser extensions in version 6.11.6. Other tools remain at risk under certain configurations. 


Why this doesn’t mean cryptographic failure

It is critical to clarify: the underlying passkey standards (WebAuthn / FIDO protocols) were not broken. Instead, the attack targets the implementation and environment around them, namely the browser’s extension UI interaction. The exploit is possible only when the extension injects visible elements into the page DOM and an attacker can manipulate those elements.

In other words, passkeys are strong in theory. But every layer above them, browser, extension and site, must preserve its integrity or the whole scheme can be defeated.


What must users and organizations do

Users should:

1. Update your browser and your password-manager extensions immediately; enable auto-update.

2. Disable inline autofill where possible; prefer manual copy-paste or invoke filling only through the extension’s menu.

3. On Chromium-based browsers, set extension site access to “on click,” not “all sites.”

4. Remove or disable unused extensions.

5. For high-value accounts, prefer platform-native passkey or hardware-backed authenticators rather than extension-based credentials.


Organizations should:

• Audit extension policies and restrict or whitelist extensions.

• Enforce secure best practices on web apps (e.g., session-bound challenges with passkeys).

• Encourage or mandate the use of vetted and updated password-management tools.
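The server-side recommendation above, session-bound passkey challenges, is what separates a signed assertion that can be replayed from one that cannot. The following is an added example, not the researcher's code or any vendor's: a relying party that stores each challenge only in the session that started the login, consumes it once, expires it, and checks the origin, shown beside the weak pattern of accepting any challenge the server ever issued. The origin `https://login.example.com` is hypothetical, and `demo_sign`/`demo_verify_sig` are a constructed stand-in for the ECDSA verification a real WebAuthn library performs over `authenticatorData || SHA-256(clientDataJSON)`.

```python
"""Relying-party check of a passkey (WebAuthn) assertion with session-bound challenges.

Added example, not from the article or any vendor. Contrast: the weak server
accepts any challenge in a global pool; the bound server accepts only the
challenge stored in *this* session, once, while fresh, and only for its origin.
Real signature verification is delegated to `verify_sig`; the demo_* functions
below are a constructed stand-in, NOT a WebAuthn signature.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

RP_ORIGIN = "https://login.example.com"   # hypothetical relying party
CHALLENGE_TTL = 120                       # seconds a challenge stays valid


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# --- weak pattern: one global pool of issued challenges, no session binding ---
ISSUED = set()


def begin_login_unbound():
    chal = b64url(secrets.token_bytes(32))
    ISSUED.add(chal)
    return chal


def finish_login_unbound(client_data_json, authenticator_data, signature, verify_sig):
    cd = json.loads(client_data_json)
    if cd.get("challenge") not in ISSUED:       # any issued challenge, from any session
        return False
    ISSUED.discard(cd["challenge"])
    signed = authenticator_data + hashlib.sha256(client_data_json).digest()
    return bool(verify_sig(signed, signature))


# --- session-bound pattern ---------------------------------------------------
def begin_login(session, now=None):
    """Issue a fresh challenge and store it only in the caller's session."""
    session["challenge"] = b64url(secrets.token_bytes(32))
    session["challenge_issued"] = time.time() if now is None else now
    return session["challenge"]


def finish_login(session, client_data_json, authenticator_data, signature,
                 verify_sig, now=None):
    """Accept the assertion only if it answers this session's pending challenge."""
    now = time.time() if now is None else now
    expected = session.pop("challenge", None)        # single use: consumed even on failure
    issued = session.pop("challenge_issued", 0)
    if expected is None or now - issued > CHALLENGE_TTL:
        return False                                 # no pending login, or stale
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False
    if not hmac.compare_digest(str(cd.get("challenge", "")).encode(), expected.encode()):
        return False                                 # minted for a different session
    if cd.get("origin") != RP_ORIGIN:
        return False                                 # signed for another origin
    signed = authenticator_data + hashlib.sha256(client_data_json).digest()
    return bool(verify_sig(signed, signature))


# --- constructed stand-in for the authenticator's signature (NOT real WebAuthn) ---
DEMO_KEY = b"demo-authenticator-key"


def demo_sign(signed_bytes):
    return hmac.new(DEMO_KEY, signed_bytes, hashlib.sha256).digest()


def demo_verify_sig(signed_bytes, signature):
    return hmac.compare_digest(demo_sign(signed_bytes), signature)


def assertion_for(challenge, origin=RP_ORIGIN, authenticator_data=b"\x00" * 37):
    """What the victim's browser/extension would produce for a given challenge."""
    cdj = json.dumps({"type": "webauthn.get", "challenge": challenge,
                      "origin": origin}).encode()
    sig = demo_sign(authenticator_data + hashlib.sha256(cdj).digest())
    return cdj, authenticator_data, sig


def replay_scenario():
    """Assertion minted in the victim's session, redeemed from the attacker's.

    Returns (accepted_by_unbound_server, accepted_by_bound_server).
    """
    cdj, ad, sig = assertion_for(begin_login_unbound())
    unbound_ok = finish_login_unbound(cdj, ad, sig, demo_verify_sig)

    victim, attacker = {}, {}
    cdj, ad, sig = assertion_for(begin_login(victim, now=1000))
    begin_login(attacker, now=1000)       # attacker's session has its own challenge
    bound_ok = finish_login(attacker, cdj, ad, sig, demo_verify_sig, now=1001)
    return unbound_ok, bound_ok
```

The bound check stops an assertion exfiltrated from the victim's page from being redeemed in the attacker's own session; it is not a substitute for keeping attacker script off origins the passkey is valid for.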


This disclosure emphasizes that security is a chain, and your cryptographic strength is only as strong as its weakest link. Passkeys are an important evolution beyond passwords, but until every layer (browser, extensions, applications) is hardened, risk remains. Act now before attackers exploit complacency.


Password Managers Face Clickjacking Flaw, Millions of Users at Risk



For years, password managers have been promoted as one of the safest ways to store and manage login details. They keep everything in one place, help generate strong credentials, and protect against weak or reused passwords. But new research has uncovered a weakness in several widely used browser extensions that could expose sensitive information for millions of people.


Details about the flaws

Security researchers recently found that 11 password manager extensions share a weakness rooted in the way they inject their elements into the Document Object Model (DOM). The DOM is the browser's structured representation of a web page, and in this case it opens the door to a technique known as “clickjacking.”

Clickjacking works by tricking users into clicking on invisible or disguised elements of a web page. For example, a malicious site may look legitimate but contain hidden layers. A single misplaced click can unintentionally activate the password manager’s autofill function. Once that happens, the manager may begin entering saved credentials directly into the attacker’s page.

The danger lies in how quietly this happens. Users often close the site without realizing that their passwords or even stored credit card information and personal details like addresses or phone numbers may already have been copied by attackers.


The scale of the issue

The affected list includes some of the most recognized password managers in the industry. An estimated 40 million users worldwide could be impacted. While some companies have already addressed the issue through updates, not all providers have released fixes yet. For example, RoboForm has patched its extension, and Bitwarden has rolled out a new version. However, others remain in the process of responding.


Protecting yourself

There is no universal fix for clickjacking, but users can take important steps to reduce risk:

1. Be cautious with links: Avoid clicking on unfamiliar or suspicious links, even if they appear genuine. It is always safer to type the website address directly or use trusted bookmarks.

2. Update your tools: Make sure your password manager extension is up to date. Updates often contain security fixes that block known vulnerabilities.

3. Change autofill settings: If you use a Chromium-based browser, switch your password manager’s autofill to “on-click.” This ensures that details are only filled in when you actively choose to do so.

4. Disable unnecessary autofill: Consider turning off automatic completion for personal information like email addresses in your browser settings.


The bottom line

Password managers are still an essential tool for safe online habits, but like any technology, they are not immune to flaws. Staying alert, practicing careful browsing, and keeping your software updated can substantially lower the risk. Until every provider has addressed the vulnerability, users should take extra precautions to keep their digital identities secure.



Major Password Managers Leak User Credentials in Unpatched Clickjacking Attacks

 

Six popular password managers serving tens of millions of users remain vulnerable to unpatched clickjacking flaws that could allow cybercriminals to steal login credentials, two-factor authentication codes, and credit card information. 

Modus operandi

Security researcher Marek Tóth, who presented these findings at DEF CON 33, demonstrated how attackers exploit these vulnerabilities by running malicious scripts on compromised websites. 

The attack works by using opacity settings and overlays to hide password manager autofill dropdown menus while displaying fake elements like cookie banners or CAPTCHA prompts. When users click on these decoy elements, they unknowingly trigger autofill actions that expose sensitive data. 

Tóth developed multiple exploitation variants, including DOM element manipulation techniques and a method where the user interface follows the mouse cursor, making any click trigger data autofill. The researcher created a universal attack script that can identify which password manager a target is using and adapt the attack in real-time. 

Impacted password managers

The vulnerable password managers include: 
  • 1Password 8.11.4.27 
  • Bitwarden 2025.7.0 
  • Enpass 6.11.6 
  • iCloud Passwords 3.1.25
  • LastPass 4.146.3 
  • LogMeOnce 7.12.4 
These services collectively have approximately 40 million users. 

Vendor responses 

Vendor responses have been mixed. 1Password dismissed the report as "out-of-scope/informative," arguing that clickjacking is a general web risk users should mitigate themselves. Similarly, LastPass initially marked the report as "informative" before later acknowledging they're working on fixes. 

Bitwarden downplayed the severity but claims to have addressed the issues in version 2025.8.0. However, LogMeOnce initially failed to respond to any communication attempts, though they later released an update. Several vendors have successfully implemented fixes, including Dashlane, NordPass, ProtonPass, RoboForm, and Keeper.

Safety measures 

Until patches are available, Tóth recommends that users disable autofill functionality in their password managers and rely on manual copy-paste operations instead. This significantly reduces the attack surface while maintaining password manager security benefits. 

The research highlights ongoing challenges in balancing user convenience with security in password management tools, particularly regarding browser extension vulnerabilities.

Why It’s Critical to Delete Old Online Accounts Before They Endanger Your Security

 

Most people underestimate just how many online accounts they’ve signed up for over the years. From grocery delivery and fitness apps to medical portals and smart home devices, every service requires an account—and almost all require personal information.

Research by NordPass last year revealed that the average person manages close to 170 passwords for different accounts. For anyone who has spent a significant part of their life online, that figure is likely much higher.

Abandoned or forgotten accounts still hold sensitive data—your name, email, address, birthdate, and payment information. All this information is exactly what shows up in massive data breaches and is precisely what cybercriminals look for.

In an era where data leaks often compile older breaches into vast collections of stolen personal details, inactive accounts lacking updated protections like strong passwords or two-factor authentication become major security liabilities.

Once hackers gain access to your information, they can leverage it in countless ways. For example, if they compromise your email or social media, they can impersonate you to launch phishing attacks or send scams to your contacts. They might also try to trick your friends and colleagues into downloading malware.

Dormant accounts can hold even more sensitive material, such as scans of IDs or insurance documents, which can be exploited for identity theft or fraud. Accounts with saved financial information are an even bigger risk since attackers can drain funds or resell the details on dark web marketplaces.

Deleting old accounts is one of the simplest yet most effective ways to strengthen your online security. It may seem tedious, but it’s something you can easily do while catching up on your favorite shows.

Start by searching your email inbox for common registration keywords like “welcome,” “thank you for signing up,” “verify account,” or “validate account.” A password manager can also help you see which logins you’ve saved over time.

Check the saved password lists in your browser:
  • Chrome: Settings > Passwords
  • Safari: Preferences > Passwords
  • Firefox: Preferences > Privacy & Security > Saved Logins
  • Edge: Settings > Profiles > Passwords > Saved Passwords
Many services let you sign in with Google, Facebook, Twitter, or Apple ID. Review the list of connected apps and services—while disconnecting them doesn’t automatically delete accounts, it shows what you need to remove.

Visit Have I Been Pwned? to check if your email has been involved in breaches. This resource can remind you of forgotten accounts and alert you to which passwords should be changed immediately.

If you spot apps you no longer use on your phone or laptop, log in, close the accounts, and delete the apps from your device. Some antivirus tools, such as Bitdefender, offer features to find all accounts you’ve created using your email with a single click.

Certain platforms intentionally make deletion difficult. If you’re struggling, search the site’s name along with “delete account,” or use justdelete.me, a helpful directory with step-by-step removal guides. If that fails, reach out to the site’s support team.
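The inbox search described above can be automated against a mailbox export. The following is an added example, not from the original article: it scans an mbox file (the format Google Takeout and Thunderbird export), matches subject lines against the registration phrases listed above, and groups hits by sender domain, which is usually the service you signed up for. The mbox content embedded below is constructed sample data.

```python
"""Find forgotten sign-ups by scanning a mailbox export for registration mail.

Added example, not from the original article. It matches subject lines against
sign-up phrases and groups hits by sender domain. SAMPLE_MBOX is constructed.
"""
import email.utils
import mailbox
import re
import tempfile
from email.header import decode_header, make_header

SIGNUP_PHRASES = [
    r"\bwelcome\b",
    r"thank you for (signing up|registering|joining)",
    r"(verify|validate|confirm) (your )?(account|email|registration)",
    r"activate your account",
]
SIGNUP_RE = re.compile("|".join(SIGNUP_PHRASES), re.IGNORECASE)

SAMPLE_MBOX = """From alice@example.com Mon Jan  1 09:00:00 2024
From: "Shop" <noreply@shop.example.net>
Subject: Welcome to Shop!

Thanks for joining.

From alice@example.com Tue Jan  2 09:00:00 2024
From: Fitness App <hello@fitapp.example.org>
Subject: Please verify your account

Click the link to verify.

From alice@example.com Wed Jan  3 09:00:00 2024
From: Bob <bob@friend.example.com>
Subject: Lunch tomorrow?

See you at noon.

From alice@example.com Thu Jan  4 09:00:00 2024
From: "Shop" <noreply@shop.example.net>
Subject: Your order has shipped

Tracking inside.
"""


def decoded(header_value):
    """Decode RFC 2047 encoded-words (=?UTF-8?...?=) into a plain string."""
    return str(make_header(decode_header(header_value or "")))


def sender_domain(from_header):
    addr = email.utils.parseaddr(decoded(from_header))[1]
    return addr.rpartition("@")[2].lower()


def find_signup_domains(mbox_path):
    """Return {sender_domain: [subject, ...]} for messages that look like sign-up mail."""
    hits = {}
    for msg in mailbox.mbox(mbox_path):
        subject = decoded(msg.get("Subject"))
        if not SIGNUP_RE.search(subject):
            continue
        domain = sender_domain(msg.get("From"))
        if domain:
            hits.setdefault(domain, []).append(subject)
    return hits


def write_sample_mbox():
    """Write the constructed sample mailbox to a temp file and return its path."""
    tmp = tempfile.NamedTemporaryFile("w", suffix=".mbox", delete=False, encoding="utf-8")
    tmp.write(SAMPLE_MBOX)
    tmp.close()
    return tmp.name


if __name__ == "__main__":
    for domain, subjects in sorted(find_signup_domains(write_sample_mbox()).items()):
        print(f"{domain}: {subjects}")
```

Point it at your own export instead of `write_sample_mbox()`; the resulting domain list is the starting point for the deletion steps above.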

If you cannot fully delete an account, take steps to minimize the risk:

  • Remove saved payment information.
  • Delete personal details such as your name, birthdate, and shipping address.
  • Clear any stored files or sensitive messages.
  • Use a fake name and a disposable email like Mailinator.

Before creating new accounts in the future, consider whether you can use a guest checkout or a dedicated email address just for sign-ups.

For accounts you decide to keep, always update your passwords, store them securely in a password manager, and enable multi-factor authentication or passkeys to strengthen security.

Digital Safety 101: Essential Cybersecurity Tips for Everyday Internet Users

 9to5Mac is brought to you by Incogni: a service that helps you wipe your personal data—including your phone number, address, and email—from data brokers and people-search websites. With a 30-day money-back guarantee, Incogni offers peace of mind for anyone looking to guard their privacy.


1. Use a Password Manager

The old advice to create strong, unique passwords for each website still holds true—but is only realistic if you use a password manager. Fortunately, Apple’s built-in Passwords app makes this easy, and there are many third-party options too. Use these tools to generate and save complex passwords every time you sign up for a new service.

2. Update Old Passwords

Accounts created years ago may still have weak or repeated passwords. This makes you vulnerable to credential stuffing attacks—where hackers use stolen logins from one site to access others. Prioritize updating your passwords for financial services, Apple, Google, Amazon, and any accounts that have already been compromised. To check this, enter your email on Have I Been Pwned.

3. Enable Passkeys Where Available

Passkeys are becoming the modern alternative to passwords. Instead of storing a traditional password, your device holds a private key, unlocks it with Face ID or Touch ID, and sends the site a signed proof of identity, never a secret the site could leak or an attacker could phish. This reduces the risk of your credentials being stolen.

4. Use Two-Factor Authentication (2FA)

2FA provides an added layer of security by requiring a rolling code each time you log in. Avoid SMS-based 2FA—it's prone to SIM-swap attacks. Instead, opt for an authenticator app like Google Authenticator or use the built-in support in Apple’s Passwords app. Set this up using the QR code provided by the service.

5. Monitor Last Login Activity

Some platforms, especially banking apps, show the date and time of your last login. Get into the habit of checking this regularly. Unexpected logins are an immediate red flag and could signal that your account has been compromised.

6. Use a VPN on Public Wi-Fi

Public Wi-Fi networks can be unsafe and vulnerable to “Man-in-the-Middle” (MitM) attacks. These involve a rogue device impersonating a Wi-Fi hotspot to intercept your internet traffic. While HTTPS reduces the risk, using a VPN is still the best protection. Choose a trusted provider that maintains a no-logs policy and undergoes third-party audits. “I use NordVPN for this reason.”

7. Don’t Share Personal Info With AI Chatbots

Conversations with AI chatbots may be stored or used as training data. Avoid typing anything sensitive, such as passwords, addresses, or identification numbers—just as you wouldn’t post them publicly online.

8. Consider Data Removal Services

Your personal information may already be listed with data brokers, exposing you to spam and scams. Manually removing this data can be tedious, but services like Incogni can automate the process and reduce your digital footprint efficiently.

9. Verify Any Request for Money

If someone asks for money—even if it looks like a friend, family member, or colleague—double-check their identity using a separate communication method.

“If they emailed you, phone them. If they phoned you, email or message them.”

Also, if you're asked to send gift cards or wire money, it's almost always a scam. Be especially cautious if you're told a bank account has changed—confirm directly before transferring funds.

Cybercriminals Intensify Attacks on Password Managers

 

Cybercriminals are increasingly setting their sights on password managers as a way to infiltrate critical digital accounts.

According to Picus Security’s Red Report 2025, which analyzed over a million malware samples from the past year, a quarter (25%) of all malware now targets credentials stored in password managers. Researchers noted that this marks a threefold surge compared to the previous year.

“For the first time ever, stealing credentials from password stores is in the top 10 techniques listed in the MITRE ATT&CK Framework,” they said. “The report reveals that these top 10 techniques accounted for 93% of all malicious actions in 2024.”

Advanced Hacking Techniques

Dr. Suleyman Ozarslan, co-founder and VP of Picus Labs, revealed that cybercriminals use sophisticated methods like memory scraping, registry harvesting, and breaching both local and cloud-based password stores to extract credentials.

To counter this rising threat, Ozarslan emphasized the importance of using password managers alongside multi-factor authentication (MFA). He also warned against password reuse, particularly for password.

Beyond the growing frequency of attacks, hackers are also deploying more advanced techniques. Picus Security highlighted that modern cybercriminals are now favoring long-term, multi-stage attacks that leverage a new generation of malware. These advanced infostealers are designed for stealth, persistence, and automation.

Researchers compared this evolution in cyber threats to “the perfect heist,” noting that most malware samples execute over a dozen malicious actions to bypass security defenses, escalate privileges, and exfiltrate data.
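The behaviours the report names, reading password stores on disk and scraping process memory, correspond to MITRE ATT&CK T1555 and are detectable in endpoint telemetry. The following is an added example, not from the Picus report or the article: detection logic that flags a non-owner process opening a browser or password-manager vault file, and a cross-process memory read against a credential-holding process. Field names follow Windows Security event 4663 (`ObjectName`, `ProcessName`) and Sysmon event 10 (`SourceImage`, `TargetImage`, `GrantedAccess`); the event lines, process names and allow-lists are constructed for the example.

```python
"""Detection logic for ATT&CK T1555 (Credentials from Password Stores) over endpoint events.

Added example, not from the Picus report or the article. Two rules:
  1. a process that is not the owning application opens a vault file on disk;
  2. a process opens another, credential-holding process with PROCESS_VM_READ.
Event shapes follow Windows Security 4663 and Sysmon event 10; SAMPLE_EVENTS is
constructed, and the allow-lists are a starting point, not a complete policy.
"""
import json
from pathlib import PureWindowsPath

# vault file name (lower-case) -> processes that legitimately open it
VAULT_FILES = {
    "login data": {"chrome.exe", "msedge.exe", "brave.exe"},
    "local state": {"chrome.exe", "msedge.exe", "brave.exe"},
    "cookies": {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"},
    "logins.json": {"firefox.exe"},
    "key4.db": {"firefox.exe"},
}
VAULT_EXTENSIONS = {".kdbx": {"keepass.exe"}}      # KeePass databases
MEMORY_TARGETS = {"lsass.exe", "chrome.exe", "msedge.exe", "firefox.exe", "keepass.exe"}
PROCESS_VM_READ = 0x0010                           # access-mask bit for reading memory


def check_file_access(ev):
    """4663-style event: finding if a non-owner process opened a vault file."""
    obj = PureWindowsPath(ev.get("ObjectName", ""))
    proc = PureWindowsPath(ev.get("ProcessName", "")).name.lower()
    allowed = VAULT_FILES.get(obj.name.lower()) or VAULT_EXTENSIONS.get(obj.suffix.lower())
    if allowed is None or proc in allowed:
        return None
    return {"rule": "T1555.003 vault file read", "process": proc, "file": str(obj)}


def check_process_access(ev):
    """Sysmon 10-style event: finding if a process reads a credential-holding process."""
    src = PureWindowsPath(ev.get("SourceImage", "")).name.lower()
    tgt = PureWindowsPath(ev.get("TargetImage", "")).name.lower()
    granted = int(str(ev.get("GrantedAccess", "0")), 16)
    if tgt in MEMORY_TARGETS and src != tgt and granted & PROCESS_VM_READ:
        return {"rule": "T1555/T1003 process memory read", "process": src,
                "target": tgt, "access": hex(granted)}
    return None


def detect(lines):
    """Run both rules over JSON event lines and return the findings in order."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        finding = check_file_access(ev) if "ObjectName" in ev else check_process_access(ev)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample telemetry: one benign browser read, one stealer-style read
# of Login Data and a KeePass database, one memory read of the browser, and a
# benign low-privilege handle to lsass.
CHROME = "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
STEALER = "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"
LOGIN_DATA = "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
SAMPLE_EVENTS = [
    json.dumps({"EventID": 4663, "ProcessName": CHROME, "ObjectName": LOGIN_DATA}),
    json.dumps({"EventID": 4663, "ProcessName": STEALER, "ObjectName": LOGIN_DATA}),
    json.dumps({"EventID": 4663, "ProcessName": STEALER,
                "ObjectName": "C:\\Users\\alice\\Documents\\vault.kdbx"}),
    json.dumps({"EventID": 10, "SourceImage": STEALER, "TargetImage": CHROME,
                "GrantedAccess": "0x1010"}),
    json.dumps({"EventID": 10, "SourceImage": "C:\\Windows\\System32\\csrss.exe",
                "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000"}),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```

The allow-lists deliberately key on image name only; in production pair them with signer or path checks, since a stealer can name itself chrome.exe.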

A password manager is a cybersecurity tool that securely stores, generates, and auto-fills strong passwords across websites and apps. By eliminating the need to remember multiple passwords, it strengthens security and reduces the risk of breaches. Experts consider it an essential component of cybersecurity best practices.

Passwords Vanish for 15 Million Windows Users, Google Says "Sorry"


Google says “sorry” after a bug stopped Windows users from finding or saving their passwords. The issue began on 24 July and lasted until 25 July, when it was fixed. Google said the problem was due to “a change in product behavior without proper feature guard,” an incident with similarities to the recent CrowdStrike disruption.

The disappearing password problem affected Chrome users worldwide, causing them trouble finding saved passwords. Users even had trouble finding newly saved passwords. Google has fixed the issue now, saying the problem was in the M127 version of Chrome Browser on Windows devices.

Who were the victims?

It is difficult to pinpoint exact numbers, but based on Google’s roughly 3 billion Chrome users worldwide, a rough estimate is possible. According to experts, around 15 million users experienced the vanishing password problem. "Impacted users were unable to find passwords in Chrome's password manager. Users can save passwords, however it was not visible to them. The impact was limited to the M127 version of Chrome Browser on the Windows platform," said Google.

The password problem is now fixed

Fortunately, Google has now fixed the issue; users only need to restart their Chrome browsers. “We apologize for the inconvenience this service disruption/outage may have caused,” said Google. Users facing problems beyond what Google has covered are free to contact Google Workspace Support.

Chrome Password Manager: How to use it?

Google's Chrome password manager may be accessed through the browser's three-dot menu by selecting Passwords & Autofill, then Google Password Manager. Alternatively, you can install the password manager Chrome app from the password manager settings and then access it from the Google Apps menu. If Chrome invites you to autofill a password, clicking Manage Passwords will take you directly there.

Things that went missing besides passwords recently

According to cybersecurity reporter Brian Krebs, the email verification step when creating a new Google Workspace account also went missing for some users.

The authentication problem, which is now fixed, allowed threat actors to skip the email verification needed to create a Google Workplace account, allowing them to mimic a domain holder at third-party services. This allowed a threat actor to log in to third-party services like a Dropbox account.