Bear in mind that if the user has been brought to a "poser" web site, no password manager client-side bug is gonna matter if he/she is clicking "OK" anyway. The data has been deliberately sent (i.e. exposed). The client-maintained list is not, in and of itself, compromised. The hidden form field phishing is a bit less culpable for the client. Simplest solution might be to add a "paranoia" setting to the PM that presents a dialog exposing the FQDN about to receive the sensitive submission, asking "Are you sure this is a valid authentication request?" <continue> <cancel>. The onus is on the user to double check the validity of the transaction one last time. IMHO, any truly sensitive authentication should be using encrypted transmission with mutual trust verification anyway, or the user should seriously consider doing business elsewhere.
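An added illustration of the "paranoia" check described in the comment above (example code, not from the comment's author or any real password manager): before filling a login form, name the host that will actually receive the submission, compare it with the host the credential was saved for, require HTTPS, and flag any autofilled field the user cannot see. The registrable-domain rule is a deliberate simplification (last two labels); a real client would consult the Public Suffix List.

```javascript
// Resolve where a form submission will really go: the action attribute may be
// absent (same document), relative (resolved against the page), or cross-origin.
function submissionUrl(pageUrl, formAction) {
  const page = new URL(pageUrl);
  return formAction ? new URL(formAction, page) : page;
}

// Simplified registrable-domain rule (assumption: last two DNS labels).
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  return labels.slice(-2).join(".");
}

// Build the "paranoia" verdict: the FQDN to show the user, whether a warning is
// warranted, and the reasons. `fields` is a constructed description of the form's
// inputs: { name, type, visible, autofill }.
function paranoiaCheck(savedHost, pageUrl, formAction, fields) {
  const target = submissionUrl(pageUrl, formAction);
  const reasons = [];

  if (registrableDomain(target.hostname) !== registrableDomain(savedHost)) {
    reasons.push(`credential saved for ${savedHost} would be sent to ${target.hostname}`);
  }
  if (target.protocol !== "https:") {
    reasons.push("submission is not over HTTPS");
  }
  // Hidden-field phishing: a password field the page autofills but never shows.
  const concealed = fields.filter(f => f.autofill && (f.type === "hidden" || !f.visible));
  if (concealed.length > 0) {
    reasons.push(`autofilled field(s) not visible to the user: ${concealed.map(f => f.name).join(", ")}`);
  }
  return { target: target.hostname, warn: reasons.length > 0, reasons };
}

// Constructed sample: a credential saved for login.example.com, a lookalike
// form posting elsewhere, and a form with a hidden password field.
const visibleLogin = [
  { name: "user", type: "text", visible: true, autofill: true },
  { name: "password", type: "password", visible: true, autofill: true },
];
const hiddenLogin = [
  { name: "password", type: "hidden", visible: false, autofill: true },
];
const okVerdict = paranoiaCheck("login.example.com", "https://login.example.com/", "/auth", visibleLogin);
const poserVerdict = paranoiaCheck("login.example.com", "https://login.example.com/",
  "https://example-login.net/collect", visibleLogin);
const hiddenVerdict = paranoiaCheck("login.example.com", "https://login.example.com/", "", hiddenLogin);
```

The `warn` flag is what would drive the "Are you sure?" dialog, with `target` as the FQDN it displays.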
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds