by gima 3533 days ago
Ugh, this kind of thing gets my blood boiling. It was clearly said that _a security researcher_ disallowed Mozilla from reporting the vulnerability forward. It's the individual to blame, not Mozilla.

In any case, personally I wouldn't want to run a large privileged application as a browser extension when it's interacting with random webpages AND handling my security credentials. Too much attack surface.

2 comments

The issue with Angular in extensions has to do with the fact it uses eval on the page DOM, which is controlled by the webpage. The webpage can put code into the DOM, and then let Angular execute it from within the higher-privileged extension.

Angular <1.6 had a sandbox feature which blacklisted specific attacks like this, but was not a general solution and was specifically not intended as a security feature. They entirely removed the sandbox in 1.6 because people kept thinking it was a security feature: http://angularjs.blogspot.com/2016/09/angular-16-expression-...

I'm not going to fault someone for not reporting a specific vulnerability with a specifically not-security feature that has already been removed.
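Added example, not from any commenter and not Angular code: it contrasts the pattern described above (an extension evaluating `{{ }}` expressions it finds in page-controlled markup, here simulated with `new Function`) with the data-only alternative, where the template ships with the extension and page content is only ever a value. `PAGE_HTML`, `unsafeRender`, `safeRender` and `extractPageData` are constructed names.

```javascript
// Constructed page markup: the site author controls everything in here.
const PAGE_HTML =
  '<form><input name="user" value="alice">' +
  '<span class="hint">Total: {{ extensionSecret }}</span></form>';

// Unsafe pattern: the extension scans the page for {{ }} and evaluates each
// expression in its own (privileged) scope, so whatever the page wrote runs
// with the extension's privileges and can read the extension's data.
// new Function is only a stand-in for an expression evaluator.
function unsafeRender(markup, scope) {
  return markup.replace(/\{\{\s*([^}]+?)\s*\}\}/g, (_, expr) =>
    String(new Function('scope', `with (scope) { return (${expr}); }`)(scope)));
}

// Safe pattern: the template is a constant shipped with the extension; page
// content is a plain string looked up by key and never parsed as code.
const EXTENSION_TEMPLATE = 'Logged in as {{user}} ({{hint}})';

function safeRender(template, data) {
  return template.replace(/\{\{\s*(\w+)\s*\}\}/g, (_, key) =>
    Object.prototype.hasOwnProperty.call(data, key) ? String(data[key]) : '');
}

// Pull values out of the page as strings (regexes stand in for DOM queries).
function extractPageData(markup) {
  const user = (/name="user" value="([^"]*)"/.exec(markup) || [, ''])[1];
  const hint = (/class="hint">([^<]*)</.exec(markup) || [, ''])[1];
  return { user, hint };
}
```

With the unsafe renderer the page's `{{ extensionSecret }}` is evaluated against the extension's scope; with the safe renderer the same text comes out as the literal string it is, because a single-pass replace never rescans inserted values.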

Curious, do you use a password wallet/manager application, and if so how do you get passwords out of it and into the browser? I'd like to know if there's a better solution. (I use a browser extension.)
I think his point is that running the entire Angular 1.x framework to power a browser extension gives a large attack surface.
Yes. And to answer nchelluri's question: Auto-typing, though I believe that's available only on desktop operating systems.
> though I believe that's available only on desktop operating systems.

And on Android (where you set up the password manager as a custom keyboard), and possibly an iPhone

Thanks for the clarification.
Copy/paste. You can't trust password manager browser extensions.

Don't just take my word for it: https://twitter.com/taviso/status/769378052254015488

There were a few high profile ones recently reported by Tavis, but there have been many in the past, and it looks like no brand of password manager has consistently written safe browser extensions. They're written to be slick-looking and convenient, the actual security isn't visible enough to be a sales/popularity boost so it suffers. This very story/issue is another example in the making.

GNU password manager for me, which interacts with the clipboard (or lets you do so on your own if you prefer).

The same is true of Keepass for windows, although IIRC you can also let Keepass actually alt-tab to the last window and do the typing for you.

I use Keepass with auto-type. I know it's not perfect, but I feel better about auto-type than browser extensions.