Dangers of using the web applications provided by password managers

Çağlar Arlı

The password manager Bitwarden requires the user to log in to their account on its website to enable 2FA, import passwords and manage other account-related details, as that functionality is not available in the desktop or mobile applications. Could a supposed attacker that has gained control of a self-hosted instance inject malicious JavaScript code into the web page front end to steal the user's password? What are the options for an attacker to steal the keys to the password database when the user uses the web vault? Could such an attack be avoided by using an application that does not pull logic from the server?