security-research
This project hosts security advisories and their accompanying proof-of-concepts related to research conducted at Google which impact non-Google owned code.
As a Bitwarden user this is a bit concerning.
Looking into it, though, Bitwarden matches the URI only to the top-level domain. The example site has the same URI. A user entering credentials into a compromised website is equally vulnerable to this issue, password manager or not. If I am served a news.ycombinator.com/fake-login, and I don’t verify that the page is wrong, Google reports here that only the built-in Chromium password manager is safe?
Looking at the linked pull request for Bitwarden[0], it is not clear that this has not been resolved, but there do at least appear to be some efforts moving towards a fix. Wonders of open source!
[0]: https://github.com/bitwarden/clients/pull/3860
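The comment above turns on how a password manager decides that a saved login "belongs" to the page in front of it. The following script is an added illustration, not Bitwarden's code, not code from the Google advisory, and not from the linked pull request. It models four match-detection strategies under assumed names (base_domain, host, starts_with, exact), uses a constructed three-entry stand-in for the Public Suffix List, and runs a constructed vault against a same-host page, a different-subdomain page and a lookalike domain, so the reader can see which strategies would offer the credential in each case.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List. A real manager ships the
# full list; three entries are enough to show how base-domain matching works.
PUBLIC_SUFFIXES = {"com", "org", "co.uk"}

# Assumed strategy names for this example; they are not Bitwarden's identifiers.
STRATEGIES = ("base_domain", "host", "starts_with", "exact")


def base_domain(host):
    """Return the registrable domain of host (e.g. news.ycombinator.com -> ycombinator.com).

    Walks from the longest suffix to the shortest so multi-label suffixes such as
    co.uk are recognised before the single label uk would be.
    """
    if not host:
        return None
    labels = host.lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            # A bare public suffix has no registrable domain.
            return None if i == 0 else ".".join(labels[i - 1:])
    return host.lower()


def matches(saved_uri, page_uri, strategy):
    """True if the saved entry would be offered on page_uri under the given strategy."""
    saved, page = urlsplit(saved_uri), urlsplit(page_uri)
    if strategy == "base_domain":
        # Any host under the same registrable domain matches, path ignored.
        return base_domain(saved.hostname) is not None and \
            base_domain(saved.hostname) == base_domain(page.hostname)
    if strategy == "host":
        # Exact hostname and port; path still ignored.
        return (saved.hostname, saved.port) == (page.hostname, page.port)
    if strategy == "starts_with":
        # Page URL must begin with the saved URL, so the path now matters.
        return page_uri.startswith(saved_uri)
    if strategy == "exact":
        return saved_uri == page_uri
    raise ValueError(f"unknown strategy {strategy!r}")


# Constructed vault for the example.
VAULT = [
    {"name": "Hacker News", "uri": "https://news.ycombinator.com/login"},
    {"name": "Example Bank", "uri": "https://bank.example.com/"},
]


def offered(page_uri, strategy):
    """Names of vault entries that would be offered on page_uri under strategy."""
    return [e["name"] for e in VAULT if matches(e["uri"], page_uri, strategy)]


def match_report(page_uri):
    """Map each strategy to the entries it would offer for page_uri."""
    return {s: offered(page_uri, s) for s in STRATEGIES}


if __name__ == "__main__":
    # Constructed page URLs: same host with a different path, a different
    # subdomain of the same registrable domain, and a lookalike domain.
    for page in ("https://news.ycombinator.com/fake-login",
                 "https://other.ycombinator.com/login",
                 "https://news-ycombinator.com/login"):
        print(page)
        for strategy, names in match_report(page).items():
            print(f"  {strategy:12} -> {names}")
```

The script makes the commenter's point concrete: for a page served from the legitimate host, base-domain and host matching both offer the credential regardless of path, because neither strategy looks past the hostname; only the path-aware strategies refuse. A different subdomain is offered only under base-domain matching, and the lookalike domain is offered under none, since its registrable domain differs. From a defensive standpoint the useful takeaway is that host-based matching cannot distinguish pages on the same origin, which is why autofill that requires a user gesture, rather than filling on page load, limits what a compromised page on a trusted host can harvest.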