224 introduces a credential leak via HTTP basic authentication.
In order for credentials to leak, all of the following conditions must be true:
The tab must be launched via the browserpass extension;
The tab must have never requested any kind of modal (e.g. basic) authentication;
The first request for modal authentication in the tab must be malicious;
The modal authentication request must occur via HTTPS.
If all those are true, then the credentials of the launched site will be invisibly provided to the modal authentication request.
This scenario can occur in two ways:
A site is launched which does not require modal authentication; or
A site is launched which does require modal authentication, but has already been authenticated, so the auth request never occurs.
I apologise for this oversight - this is my fault. I will submit a PR that fully closes this vector ASAP, and within the next 24 hours.
In the meantime, in order to avoid the vulnerability, users should not launch sites via the browserpass extension unless they know that a basic auth request will occur before they navigate away from the site, or they should ensure that any navigation away from a browserpass-launched site occurs in a different tab.
224 introduces a credential leak via HTTP basic authentication.
In order for credentials to leak, all of the following conditions must be true:
If all those are true, then the credentials of the launched site will be invisibly provided to the modal authentication request.
This scenario can occur in two ways:
I apologise for this oversight - this is my fault. I will submit a PR that fully closes this vector ASAP, and within the next 24 hours.
In the meantime, in order to avoid the vulnerability, users should not launch sites via the browserpass extension unless they know that a basic auth request will occur before they navigate away from the site, or they should ensure that any navigation away from a browserpass-launched site occurs in a different tab.