Whenever I write about security issues in some password manager, people will ask what I’m thinking about their tool of choice. And occasionally I’ll take a closer look at the tool, which is what I did with the RememBear password manager in April. Technically, it is very similar to its competitor 1Password, to the point that the developers are being accused of plagiarism. Security-wise the tool doesn’t appear to be as advanced however, and I quickly found six issues (severity varies) which have all been fixed since. I also couldn’t fail noticing a bogus security mechanism, something that I already wrote about.

Password managers will often give special powers to “their” website. This is generally an issue, because compromising this website (e.g. via an all too common XSS vulnerability) will give attackers access to this functionality. In case of RememBear, things turned out to be easier however. The following function was responsible for recognizing privileged websites: IsRememBearWebsite()

Don’t know what it does? I didn’t know either, it being a barely documented Chrome/Safari feature which undermines referrer policy protection. It contains the list of origins for parent frames, so this function will return the origin of the parent frame if there is any – the URL of the current document is completely ignored. While AutoFill doesn’t use window.getOriginUrl(), saving passwords does. So if in Chrome embeds a frame from and the user logs into the latter, RememBear will offer to save the password. But instead of saving that password for it will store it for. And will be able to retrieve the password later if the user triggers AutoFill functionality on their site. But at least there will be some warning flags for the user along the way…

There was one more issue: the function hostFromString() used to extract host name from URL when saving passwords was using a custom URL parser. It wouldn’t know how to deal with “unusual” URL schemes, so for data:text/html,foo/:// or about:blank#:// it would return as the host name. Luckily for RememBear, its content scripts wouldn’t run on any of these URLs, at least in Chrome. In their old (and already phased out) Safari extension this likely was an issue and would have allowed websites to save passwords under an arbitrary website name.

Timeline:
: After discovering the first security vulnerability I am attempting to find a security contact. I get a response on the same day, suggesting to invite me to a private bug bounty program. This route fails (I’ve been invited to that program previously and rejected), so we settle on using the support contact as fallback.
: Reported issue: “RememBear extensions leak token.”
: RememBear fixes “RememBear extensions leak token” issue and updates their Firefox and Chrome extensions.
: Reported issue “No protection against logins being filled in on wrong websites.”
: Reported issues: “Unrelated websites can share logins”, “Wrong interpretation of Mozilla’s Public Suffix list”, “Login saved for wrong site (frames in Chrome)”, “Websites can save logins for arbitrary site (Safari).”
: RememBear fixes parts of the “No protection against logins being filled in on wrong websites” issue in the Chrome extension.
: RememBear confirms that “Websites can save logins for arbitrary site (Safari)” issue doesn’t affect any current products but they intend to remove hostFromString() function regardless.
: RememBear reports having fixed all outstanding issues in the Windows application and Chrome extension.
: RememBear updates Firefox extension as well. macOS application is supposed to follow a week later.

Comment:
You have a great blog! I’m a long time user of LastPass and wanted to switch to a different manager that’s app based, as I switch browsers way too often and wanted a solution that was centrally managed from an app: you log in to the app and you’re logged in to all the different browser extensions regardless of the browser window. I did extensive research and did like Remembear the most, but I also wanted to make sure their security was good too. I ended up here after googling for Remembear security and couldn’t find much else. While I’m glad all the issues that you reported were fixed, I was disappointed that a) there was no security contact easily available and b) all the issues that you reported seemed pretty much like growing pains for a pwd manager that might not be ready for prime time.
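As an added example for the hostFromString() and frame-origin issues discussed in the post above (this is not RememBear’s code; the helper names, the naive parser and the sample URLs are constructed for illustration), the following contrasts a hand-rolled host extractor with a defensive one that relies on the platform URL parser, accepts only http(s) URLs with a non-empty host, and files a login captured in a frame under the frame’s own document URL rather than any ancestor origin:

```javascript
// Added example, not RememBear's code. Helper names and sample URLs are constructed.

// Stand-in for a hand-rolled host extractor of the kind the post criticises:
// strip a "scheme://" prefix if there is one, then take everything up to the
// first "/". It has no notion of which schemes even carry a host, so unusual
// URL schemes yield nonsense "hosts" instead of being rejected.
function naiveHostFromString(url) {
  const withoutScheme = url.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "");
  return withoutScheme.split("/")[0];
}

// Defensive version: let the WHATWG URL parser do the parsing, accept only
// http(s) and require a non-empty host. Returns null when no login should be
// stored for this URL at all.
function safeHostForLogin(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return null; // unparseable input: refuse rather than guess
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return null;
  if (parsed.hostname === "") return null;
  return parsed.hostname;
}

// Which host a login captured inside a frame is filed under. Only the frame's
// own document URL is consulted; the list of ancestor origins is deliberately
// ignored, so an embedding page cannot claim a login entered in a frame it
// merely contains.
function hostForCapturedLogin(frame) {
  return safeHostForLogin(frame.documentUrl);
}

// Constructed sample inputs, including the two odd schemes from the post.
const SAMPLE_URLS = [
  "https://example.com/login",
  "data:text/html,foo/://",
  "about:blank#://",
  "javascript:void(0)",
  "not a url at all",
];

// Run both extractors over the samples so the difference is visible side by side.
function compareParsers() {
  return SAMPLE_URLS.map((u) => ({
    url: u,
    naive: naiveHostFromString(u),
    safe: safeHostForLogin(u),
  }));
}

// Constructed scenario: a login frame from bank.example embedded by attacker.example.
const EMBEDDED_FRAME = {
  documentUrl: "https://bank.example/account/login",
  ancestorOrigins: ["https://attacker.example"],
};

if (typeof require !== "undefined" && require.main === module) {
  console.table(compareParsers());
  console.log("login filed under:", hostForCapturedLogin(EMBEDDED_FRAME));
}
```

The naive extractor returns strings like `data:text` for the data: URL, and a password manager that trusts such a value would create an entry under a meaningless host name; the defensive version returns `null` for anything that is not an http(s) URL with a real host, which is the point at which the save prompt should simply not appear.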