Six major password managers with tens of millions of users are currently vulnerable to unpatched clickjacking flaws that could allow attackers to steal account credentials, 2FA codes, and credit card details. […]
Unmatched clickjacking flaws
This isn’t news. The “unpatched flaws” are in the browser extensions, and are due to the nature of browser extensions rather than the software the extension talks to, which means they can’t be patched.
If you want to mitigate your exposure to this, don’t use the browser extension - which has always been true.
I know you said just don’t use the extension, but I’m a dolt. Is there a safest alternative method of use for me? Like am I better off only using a pass manager app on my phone?
Nah you’ll be alright, using the desktop app is fine; the attack works by first having you go to a compromised page, and then the page has some code to trick the password manager into auto filling your details without your consent or knowledge.
1Password’s extension pops up a notice when filling some sensitive data and that notice cannot be hidden by the page you’re on, like credit card data and maybe personal ID information, but regular passwords and 2fa don’t have that confirmation. Can’t speak for other managers on that, but generally if you just don’t use the extension and instead manually copy and paste from the password manager, you’re immune to this attack.