The Global Auto-Type Hot Key is really handy! I bet a lot of users will really like this.
Following the manual at https://keepass.info/help/base/autotype.html#autoglobal however makes it obvious that global auto-type doesn't verify the actual URL where a password is typed.
So let's say we have an Entry in our KeePass database that states it's the password for SourceForge.
Going to another random (phishing) site that just has SourceForge in its title will actually paste the credentials of SourceForge, while you wanted to paste other data, or just didn't notice that you are on a typosquatting domain that imposes SourceForge. At least, that is what I understand from the manual.
It would IMHO be a lot safer if KeePass actually verifies that the URL is also the same (on domain basis) as the website you're visiting.
Might be good to keep the passwords even more safe this way?
I was already suggesting that but I couldn't find a way to implement such a thing without browser integration.
Auto-type's strength is that it's completely separated from the application it is typing to and is general (not specific just to web browsers).
If you find a way to overcome this issue, it would be great.
Hi John,
See https://www.autohotkey.com/boards/viewtopic.php?t=3702, where they created a workaround for a couple of browsers. Maybe that's usable?
Also, if you launch from KeePass to the website, then you can use the auto-type selected entry hotkey and not risk a phishing link.
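
The domain check proposed in this thread, sketched as an added example that is not part of any post here and is not KeePass code: it contrasts the title rule described in the first post with a host comparison against the entry's URL. It assumes the browser's current URL is available from some integration (which, as noted above, auto-type itself does not have); the function names, the entry layout, the subdomain rule and the sample URLs are all constructed for illustration.

```python
from urllib.parse import urlsplit

def title_match(entry_title, window_title):
    """Title rule as described in the thread: entry title occurs in the window title."""
    return entry_title.lower() in window_title.lower()

def host_of(url):
    """Lowercased host of an http(s) URL, or None when the URL is unusable."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname  # ignores any "user@" prefix placed before the real host
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not host:
        return None
    return host.rstrip(".").lower()

def domain_match(entry_url, browser_url):
    """True when the browser host equals the entry host or is a subdomain of it.
    Assumption: subdomains of the entry host are trusted; drop that clause otherwise."""
    entry_host, seen_host = host_of(entry_url), host_of(browser_url)
    if not entry_host or not seen_host:
        return False
    return seen_host == entry_host or seen_host.endswith("." + entry_host)

def decide(entry, window_title, browser_url):
    """Type only when both the title rule and the domain rule agree."""
    if not title_match(entry["title"], window_title):
        return "no-title-match"
    if not domain_match(entry["url"], browser_url):
        return "blocked-domain-mismatch"
    return "type"

# Constructed entry and constructed (window title, browser URL) samples.
ENTRY = {"title": "SourceForge", "url": "https://sourceforge.net/"}
CASES = [
    ("SourceForge - Login", "https://sourceforge.net/auth/"),
    ("SourceForge - Login", "https://sourceforge.net.evil.example/auth/"),
    ("SourceForge - Login", "https://sourceforge.net@evil.example/"),
    ("Welcome to SourceForge", "https://sourceforge-login.example/"),
    ("SourceForge - Login", ""),  # URL unknown: fail closed
]

if __name__ == "__main__":
    for title, url in CASES:
        print(f"{decide(ENTRY, title, url):24} {url or '(no URL available)'}")
```

Every sample title satisfies the title rule, so only the host comparison separates the first case from the rest; when no URL can be obtained the check fails closed rather than falling back to the title alone.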