The checkboxes are buttons :)

<button class="itemCheckbox" tabindex="17" aria-label="Select"></button>

Oh dear... looks like the guy that decided to store the URLs in the clear also does the web design

You need to compare the URLs at least for equality in order to resolve conflicts, which is most straightforwardly done server-side. You could maybe do some sort of content-defined encryption to them, but I’m not sure how useful that would be. So storing the URLs in the clear is unfortunate but not inherently dumb.

(As to how KeePass implementations deal with this problem when on top of a single synced file: they mostly don’t, data loss on conflict is not uncommon[1].)

[1] https://www.ctrl.blog/entry/keepass-file-conflicts-android.h...

wdym by store the URLs in the clear ?

From the article (emphasis added):

“The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs …”

for (item of document.getElementsByClassName('vault-item-displayname')) { item.click() }