I recently discovered that password managers like Bitwarden, Proton Pass, and 1Password all think it’s a great idea to take your encrypted URLs from your password vault, decrypt them, and send those data fields to their own servers in order to give you favicons for all your passwords. Proton even brags about how they encrypt everything, including URLs (because they’re “privacy first”), in their article about LastPass’ security breaches. Then Proton goes and sends these fields decrypted to themselves by default…
"Seemingly innocuous bits of information (such as saved URLs, which are not encrypted by LastPass) can be used to infer highly detailed information about you." [bold mine]
Anyway, this got me interested in the problem. macOS Passwords uses favicons, which leads me to my question: How exactly does macOS Passwords acquire website icons for its password entries?
I tried manually creating a test entry for yahoo.com directly in-app (in Sequoia), but it didn’t show an icon. I also tried visiting a saved URL in Safari and logging in using autofill on that site, but still no icon. I would’ve guessed that the responsible way to go about this would’ve been to collect the icons in the browser at the time of creation or use.
Don’t get me wrong, I find the icons helpful in my password manager, but I don’t think that excuses the fact that the people I’m putting my trust in and that say things like the quote below are taking the liberty to send themselves decrypted data fields from my vault:
"Protect passwords, passkeys, and credit cards with zero-knowledge, end-to-end encryption. That means no one else, not even Proton can access your sensitive information unless you share them." [bold mine]
Source: Proton Pass
…or unless they share them.
I want to know if anyone out there, including Apple, is solving this differently.
