I wonder about those kinds of exploits that sit on a webpage, but what stops someone from injecting their payload on a site's login page? JS can grab the password in plaintext in such a scenario, at which point the password manager does not save you. Can we normalize Passkey more?
I think the point is that you can have an arbitrary website read the browser’s memory so example.com can read the password for example.org and example.net.