Monday, October 20, 2025

Password Manager Browser Extension Clickjacking

Michael Simon (via Ric Ford):

If you use Firefox on a Mac or PC, Apple offers a handy browser extension that puts your iCloud passwords right at your fingertips without needing to open a separate app. However, a new warning might make you think twice before you use it next time.

As reported by The Hacker News, a new Document Object Model vulnerability has been discovered by security researcher Marek Tóth that could allow attackers to steal users’ credit card details, personal data, and login credentials through so-called clickjacking or UI redressing.

[…]

While some flaws have been patched, several popular password manager extensions are at risk, including 1Password, LastPass, and iCloud. With iCloud Passwords, researchers specifically point to version 3.1.25, which Firefox uses. Chrome uses a newer version, 3.1.27, though it appears as though the flaw still exists.

Ravie Lakshmanan:

To pull off the attack, all a bad actor has to do is create a fake site with an intrusive pop-up, such as a login screen or a cookie consent banner, while embedding an invisible login form such that clicking on the site to close the pop-up causes the credential information to be auto-filled by the password manager and exfiltrated to a remote server.

“All password managers filled credentials not only to the ‘main’ domain, but also to all subdomains,” Tóth explained. “An attacker could easily find XSS or other vulnerabilities and steal the user’s stored credentials with a single click (10 out of 11), including TOTP (9 out of 11). In some scenarios, passkey authentication could also be exploited (8 out of 11).”

I dislike this whole architecture of integrating password managers via browser extensions. I don’t want the page content to be able to fool the extension, and I don’t like the extension being able to read the page content.
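The two excerpts above describe the conditions the attack relies on: the extension fills a field the user cannot see, and it fills credentials for any subdomain of the saved site. The block below is an added example, not code from the article, from Tóth's research, or from any password manager; it sketches the two checks an extension could run before autofilling. It uses plain data instead of live DOM calls so it runs in Node: the `field` object, the `viewport` object and the `effectiveOpacity` helper are assumptions standing in for what an extension would gather from `getBoundingClientRect()`, `getComputedStyle()` and `elementFromPoint()`.

```javascript
// Added example (defender's side): decide whether a credential may be
// autofilled into a form field. Nothing here is a password manager's real code.

// Guard 1: fill only for the exact saved origin (scheme + host + port), never
// for every subdomain of the registrable domain, and never over plain HTTP.
function originMatches(savedUrl, pageUrl) {
  let saved, page;
  try {
    saved = new URL(savedUrl);
    page = new URL(pageUrl);
  } catch (e) {
    return false; // unparsable URL: refuse rather than guess
  }
  if (page.protocol !== "https:") return false;
  return saved.origin === page.origin;
}

// CSS opacity is inherited multiplicatively: a fully opaque input inside a
// div with opacity 0 is invisible. `chain` is the list of computed opacities
// from the field up to <body> (constructed input, not a DOM API).
function effectiveOpacity(chain) {
  return chain.reduce((acc, o) => acc * parseFloat(o), 1);
}

// Guard 2: refuse to fill a field the user cannot actually see.
// `field` is an assumed plain-object description of the element:
//   rect            - { top, left, width, height } as from getBoundingClientRect()
//   style           - { display, visibility } as from getComputedStyle()
//   opacityChain    - computed opacities of the field and its ancestors
//   topmostAtCenter - id of the element elementFromPoint() returns at the
//                     field's center, i.e. whatever is painted on top
//   id              - the field's own id
function isFieldVisible(field, viewport) {
  const { rect, style, opacityChain, topmostAtCenter, id } = field;
  if (style.display === "none" || style.visibility !== "visible") return false;
  // opacity:0 (or near it) is the classic way to hide a form under a decoy
  if (effectiveOpacity(opacityChain) < 0.9) return false;
  if (rect.width < 1 || rect.height < 1) return false; // collapsed to nothing
  // pushed entirely off-screen
  if (
    rect.left + rect.width <= 0 ||
    rect.top + rect.height <= 0 ||
    rect.left >= viewport.width ||
    rect.top >= viewport.height
  ) {
    return false;
  }
  // another element (a fake cookie banner, a decoy dialog) covers the field
  if (topmostAtCenter !== id) return false;
  return true;
}

// Both guards must pass; failing either one means no autofill and, in a real
// extension, a user-visible prompt instead of a silent fill.
function shouldAutofill(savedUrl, pageUrl, field, viewport) {
  return originMatches(savedUrl, pageUrl) && isFieldVisible(field, viewport);
}
```

Note that even a strict origin match does not help against the second excerpt's scenario on its own: if the legitimate origin is itself vulnerable to XSS, the injected script is same-origin and every check passes. The visibility guard is what prevents the single-click fill; keeping the extension from filling without an explicit user gesture on the field is the stronger cut.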

2 Comments

> I don’t like the extension being able to read the page content.

Doesn't it all come down to trust? If you trust a password manager with your biggest secrets, I don't think it's more scary to trust it with the content of the website also.
@Léo If you trust it, why not give it root access to your Mac, too? It just seems like a needlessly risky design, opening up JavaScript and full page and network access just because of the way the extension and main app have to communicate with each other.

This is part of the larger problem that most password managers now have integrated cloud syncing. Previously, I could have 1Password sync to a local folder managed by Dropbox and prevent the app itself from accessing the network. And ideally I would have the passwords and 2FA codes in separate password managers.