Hacker News new | ask | show | jobs
by shrimp_emoji 1795 days ago
It's safer as long as you don't hit it. (And, since the chance of you NOT hitting it is greater than zero, it can be called safer.)

Hit it when logging in to HN. It will populate both the set of fields you've highlighted (login) as well as the other set on the page (register). If there were a third, hidden, injected set of fields controlled by an attacker, those would be filled too.

The old security-convenience trade-off is an immutable law of the Universe.
4 comments
kaba0 1795 days ago
If an attacker could inject anything into the page, they may as well rewrite the form’s target URL, so I don’t see a real threat model for that.
link
willis936 1795 days ago
>The old security-convenience trade-off is an immutable law of the Universe.

I'm not so sure. I type many fewer passwords now that I switched from reusing the same password for everything to using a password manager. I went from 60 bits of entropy to over 100 and when my single password got compromised it also compromised every account. Now I type a password once when I unlock a PC and use Face ID to unlock the database on my phone. On the whole things are much more convenient and secure. It was just very inconvenient to touch every account I own.

Rather than a hard and fast rule of the universe, the trade-off assumes a lot of things, such as users are trying to be secure with a specific range of effort.

link
mackrevinack 1795 days ago
this wouldnt happen with keepass's auto-type which sends keystrokes from the desktop app. when you execute the hotkey with the focus on the username input, it types the username first, then sends the tab key, types the password, then sends enter. it wouldn't continue to fill in some hidden fields that are off screen.

i would have thought that most browser autofill extensions would be designed to only fill in details once, but who knows

link
troyvit 1795 days ago
It seems like it would help if a password manager gave a warning before/instead of filling out multiple logins on one page. I log into a fair number of different sites in none of those do I want fill out multiple fields on the same page.
link