This title seems a bit over-broad. The attack is based on using the built-in chrome credential manager. Further, it seems to depend either on the user installing an evil chrome plugin (in which case, you are already doomed, right?), or confusing a website like Tumblr into mixing up the user content and the login page, and getting the autofill info there.<p>The second attack seems limited to just the site that is being messed with. The fact that sites like Tumblr which apparently (?) host random unvetted javascript for bloggers aren't protected by site isolation is not that surprising, right?<p>Anyway, autofill and built-in password managers have always seemed suspicious to me. People should stick to stuff like keepass I guess.
It looks like they were able to exploit the Last Level Cache of Intel and Apple processors, but failed to do so against an AMD processor using the Zen architecture. Instead of plainly saying as much, the authors simulate a theoretical leakage rate for AMD processors by way of making V8 expose clflush in absence of a practical LLC eviction mechanism.
So does this justify my use of a password manager with no browser integration, and all the microseconds of lost productivity due to copying and pasting passwords all the time?
Web browsers today have “everything but the kitchen sink” capabilities built-in and are becoming more and more complex each year. They are turning into whole platforms that have browser plug-ins and extensions for every possible need known to humankind.<p>While many of these add-ons are handy and useful, we should not trust them with password management. Browsers are just too complex and have far too much going on.<p>Full article: <a href="https://www.go350.com/posts/the-design-flaws-of-password-managers/" rel="nofollow">https://www.go350.com/posts/the-design-flaws-of-password-man...</a>
This is why I use the 1Password Classic extension (which they try to deprecate in favour of 1Password X).<p>If I understand correctly, this extension can only ever ask the main 1Password UI (running in its own system process) to appear (providing site metadata such as the URL so it can suggest relevant accounts), in which I can then select the password I want. This means the browser extension itself has no access to the master password nor the entire password database.<p>In contrast, 1Password X and LastPass seem to let the browser extension access <i>all</i> passwords including the master password.
And other than Chrome?<p>> we expect most Chromium-based browsers to be vulnerable [... including] recent versions of Microsoft's Edge browser, as well as Brave
Some of these claims... "can retrieve data from Chrome extensions (such as credential managers) if a user installs a malicous extension."<p>News flash, you can do pretty much anything you want if you can get the user to install a malicious extension. That is social engineering, not a side-channel attack.