Can a website steal passwords saved in my browser?

Information Security Asked by sfrj on January 13, 2021

Today I was on Steam and someone sent me a link and asked me to vote for him in some online gaming league. I clicked on it and the browser told me that this could be an unsafe link so I didn’t proceed further. Then I opened it in another browser to see if it was a legit site.

I see that this was a domain registered today and on it there is some game-related content but it looks very suspicious. What I am curious about is if I am at risk? Can they steal browser content such as bookmarks or saved passwords and cookies by just navigating to a website?

5 Answers

In short, password managers (including the ones built into browsers) are designed to prevent this from happening, so it shouldn't happen. If it does, then something else has gone wrong.

To expand on this, though, password managers have to find a balance between ease of use and security, and certain design choices can affect this balance.

One of the main and most important jobs of a password manager is only to pre-fill or automatically log in when it can be sure it is the same website as you were on when you saved that password. Because, if it does it on a different website, it may just inadvertently leak your password to some other site, and therefore to someone else that should not be given your password.

So to address your question, if this fake site is completely unrelated to any genuine site you have a saved password for, including a different domain name, there is no way it can get any of your saved passwords.

The difficulty is, the boundary for what defines a website can vary. In some cases, a website can have multiple domain names. Some password managers can know about this and let your login work across a network of domain names regardless of which one you initially saved it on. This is convenient, except if the password manager accidentally gets one wrong, and that one falls into the wrong hands. In other cases, websites with the same domain may be owned and controlled by totally different people, which is the case with shared web hosting where clients don't get their own domain name - sometimes they may have a subdomain with a shared domain, and sometimes even a subdirectory under the same host. Password managers can try and be smart about this by maintaining a record of domains which can be used for separate sites on different subdomains or directories. Or, they can take an overall more conservative approach and only match a site if it has the exact same hostname (including subdomain) and path to the login screen. Or, take an approach somewhere in between where if there is any discrepancy the user is prompted to confirm whether it's the same site.

Then there is the issue of site security itself. A password manager cannot know if a site's been hacked and taken over by hostile parties. It can know if a site uses https making some kinds of attacks (man-in-the-middle) more difficult though.

What all this boils down to is that there is some amount of art to the algorithm that a password manager uses to determine if the site you're visiting is authorised to be given a password you've saved before. You can help protect yourself to some degree:

  • When logging in using a saved password, stop to consider whether you're on a site where you may have separate logins to separate areas of the site such as a hosting site and you're not on your own account there.
  • Disable automatic login if your password manager has it (i.e., where the password manager also submits the form for you instead of only pre-filling it).
  • Don't necessarily just settle for the password manager provided by your browser. There are third party password managers which can have additional security features.

Answered by thomasrutter on January 13, 2021
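As an added illustration of the matching trade-off described in the answer above (not code from the answer or from any real password manager), this sketch compares an exact-hostname policy, a same-site policy and a prompting policy. The function names, the policy names, the example domains and the two-entry shared-hosting list are all assumptions made for the example; it compares hostnames only, not paths.

```javascript
// Constructed stand-in for a public-suffix-style list: domains under which
// each subdomain belongs to a different owner (shared hosting).
const SHARED_HOSTING_SUFFIXES = ["hosting.example", "pages.example"];

// Naive "site" of a hostname: the last two labels, or one label more than a
// matching shared-hosting suffix. A real manager needs the full Public Suffix
// List; this shortcut is wrong for suffixes such as co.uk.
function siteOf(hostname) {
  const host = hostname.toLowerCase();
  for (const suffix of SHARED_HOSTING_SUFFIXES) {
    if (host === suffix) return host;
    if (host.endsWith("." + suffix)) {
      const extra = host.slice(0, -suffix.length - 1).split(".");
      return extra[extra.length - 1] + "." + suffix;
    }
  }
  return host.split(".").slice(-2).join(".");
}

// Returns "fill", "ask" or "deny" for a saved login and the page being visited.
// policy (hypothetical names): "exact-host", "same-site" or "prompt".
function fillDecision(savedUrl, pageUrl, policy = "exact-host") {
  const saved = new URL(savedUrl);
  const page = new URL(pageUrl);
  // Never release a password saved over HTTPS to a plain-HTTP page.
  if (saved.protocol === "https:" && page.protocol !== "https:") return "deny";
  // Same host and port: every policy agrees.
  if (saved.host === page.host) return "fill";
  // Different site altogether (unrelated domain, or another hosting customer).
  if (siteOf(saved.hostname) !== siteOf(page.hostname)) return "deny";
  // Same site, different subdomain: depends on how conservative the policy is.
  if (policy === "exact-host") return "deny";
  if (policy === "same-site") return "fill";
  return "ask"; // "prompt": let the user confirm it is the same site
}

// Constructed sample URLs.
const saved = "https://login.example.com/";
console.log(fillDecision(saved, "https://vote-league.example.net/", "same-site"));
console.log(fillDecision(saved, "https://shop.example.com/", "prompt"));
console.log(fillDecision("https://alice.hosting.example/",
                         "https://bob.hosting.example/", "same-site"));
```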

I don't think it is a question of can it steal your passwords already there as others stated, it is more a question of can it install malware that gets your passwords next time you type them in. Before clicking links you should scan them first on securi scan or something similar. I would advise that you format the computer before doing anything that could reveal sensitive information.

However regarding passwords already there, it would be a 0 day exploit by the sounds of it so they would gain more by turning it in for a bug bounty and it would be a little bit of a waste to use it on most people.

Answered by Coderxyz on January 13, 2021

I clicked on it and the browser told me that this could be an unsafe link so I didn't proceed further. Then I opened in another browser to see if it was a legit site.

That likely has nothing to do with your password, but is perhaps more about personal data harvesting or fishy/deceptive content.

The reason why the browser says the link is unsafe is that it was reported on a blacklist of malware sites. Reason for reporting is unknown here.

There is a huge list of bad things that could happen:

  • Security related
    • Malware distribution
    • Vulnerability exploitation
  • Privacy related
    • Asking you to subscribe to a free plan having to confirm your age by credit card.
    • Collection of personal data that gets sold over to the privacy black market

Unlikely to steal your passwords from browser anyway. But the worst you could do yourself is to subscribe to a new service reusing an existing password. It doesn't get stolen, you are providing it.

Answered by usr-local-ΕΨΗΕΛΩΝ on January 13, 2021

If your browser auto-fills passwords, then it is possible that add-ons/extensions/plugins can harvest your credentials even when you're not using it to log in.

Additionally, some password managers may have keyed passwords on the URL in the <form action="…"> of a site rather than the URL hosting that page, allowing an attacker to harvest credentials with a login form to the target site, perhaps rendered out of view. I'm not sure if this is still much of a risk.

See also Should web sites disable form autocomplete on all forms?

Answered by Adam Katz on January 13, 2021

If it was that easy, we wouldn't be using browsers. However, if your browser has a vulnerability, then things like this may happen.

Keep browsers up-to-date and run script blockers, like no-script, to prevent this type of attack.

Answered by schroeder on January 13, 2021
