Password Manager Browser Extension Clickjacking
Michael Simon (via Ric Ford):
If you use Firefox on a Mac or PC, Apple offers a handy browser extension that puts your iCloud passwords right at your fingertips without needing to open a separate app. However, a new warning might make you think twice before you use it next time.
As reported by The Hacker News, a new Document Object Model vulnerability has been discovered by security researcher Marek Tóth that could allow attackers to steal users’ credit card details, personal data, and login credentials through so-called clickjacking or UI redressing.
[…]
While some flaws have been patched, several popular password manager extensions are at risk, including 1Password, LastPass, and iCloud. With iCloud Passwords, researchers specifically point to version 3.1.25, which Firefox uses. Chrome uses a newer version, 3.1.27, though it appears as though the flaw still exists.
To pull off the attack, all a bad actor has to do is create a fake site with an intrusive pop-up, such as a login screen or a cookie consent banner, while embedding an invisible login form such that clicking on the site to close the pop-up causes the credential information to be auto-filled by the password manager and exfiltrated to a remote server.
“All password managers filled credentials not only to the ‘main’ domain, but also to all subdomains,” Tóth explained. “An attacker could easily find XSS or other vulnerabilities and steal the user’s stored credentials with a single click (10 out of 11), including TOTP (9 out of 11). In some scenarios, passkey authentication could also be exploited (8 out of 11).”
I dislike this whole architecture of integrating password managers via browser extensions. I don’t want the page content to be able to fool the extension, and I don’t like the extension being able to read the page content.
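The attack the quoted article describes only works because the extension writes credentials into a field the user cannot see. As an added example (not code from this post or from any password manager), here is the kind of visibility gate an autofill extension could run before filling a field; the fake DOM at the bottom is constructed for offline testing and stands in for the real `document`/`window` a browser provides.

```javascript
const HIDDEN_OPACITY = 0.05; // near-transparent fields count as hidden

// Returns a reason string if `el` must not be autofilled, or null if it is
// genuinely visible and on top. `win` is the element's window.
function autofillBlockReason(el, win) {
  // Any hidden ancestor hides the field, so walk the whole chain.
  for (let node = el; node; node = node.parentElement) {
    const cs = win.getComputedStyle(node);
    if (cs.display === "none") return "display:none";
    if (cs.visibility === "hidden") return "visibility:hidden";
    if (parseFloat(cs.opacity) < HIDDEN_OPACITY) return "opacity";
  }
  const r = el.getBoundingClientRect();
  if (r.width < 1 || r.height < 1) return "zero-size";
  if (r.right <= 0 || r.bottom <= 0 ||
      r.left >= win.innerWidth || r.top >= win.innerHeight) return "off-screen";
  // Hit-test the field's centre: a banner or pop-up stacked above it means
  // the user is not actually looking at (or clicking) this field.
  const hit = win.document.elementFromPoint(r.left + r.width / 2,
                                            r.top + r.height / 2);
  if (hit !== el && !el.contains(hit)) return "covered";
  return null;
}

// Constructed fake DOM for offline testing; a browser supplies the real one.
function fakeNode(style, rect, parent) {
  const n = { style, parentElement: parent, getBoundingClientRect: () => rect,
              contains: (o) => o === n };
  return n;
}
function fakeWindow(topmost) {
  return { innerWidth: 1280, innerHeight: 800,
           getComputedStyle: (n) => ({ display: "block", visibility: "visible",
                                       opacity: "1", ...n.style }),
           document: { elementFromPoint: () => topmost } };
}

// Three scenarios: an ordinary field, a field inside an opacity:0 form
// (the hidden-form pattern from the article), and a field under an overlay.
function scenarios() {
  const rect = { left: 100, top: 100, width: 200, height: 30, right: 300, bottom: 130 };
  const body = fakeNode({}, rect, null);
  const visible = fakeNode({}, rect, body);
  const ghostForm = fakeNode({ opacity: "0" }, rect, body);
  const ghostField = fakeNode({}, rect, ghostForm); // looks fine on its own
  const covered = fakeNode({}, rect, body);
  const banner = fakeNode({}, rect, body);
  return {
    visible: autofillBlockReason(visible, fakeWindow(visible)),      // null
    ghost: autofillBlockReason(ghostField, fakeWindow(ghostField)),  // "opacity"
    covered: autofillBlockReason(covered, fakeWindow(banner)),       // "covered"
  };
}
```

In a real extension the same function runs in the content script against the live element just before filling, and a non-null reason means fill nothing.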
> I don’t like the extension being able to read the page content.
Doesn't it all come down to trust? If you trust a password manager with your biggest secrets, I don't think it's more scary to trust it with the content of the website also.
@Léo If you trust it, why not give it root access to your Mac, too? It just seems like a needlessly risky design, opening up JavaScript and full page and network access just because of the way the extension and main app have to communicate with each other.
This is part of the larger problem that most password managers now have integrated cloud syncing. Previously, I could have 1Password sync to a local folder managed by Dropbox and prevent the app itself from accessing the network. And ideally I would have the passwords and 2FA codes in separate password managers.
@Michael Isn't Strongbox Zero basically what you want? Safari autofill API; no networking, so you must sync the DB file yourself.
I use Strongbox (regular version) because I can then use SSH for syncing the database. But, yes, I agree with your dislike of JS inlining. It's nasty.
The issue is that the Safari autofill support is very, very, very limited. The 1Password JS extension is far more comprehensive in its support for filling passwords with one-time tokens, credit cards, contact details and forms in general. It is also much better at picking up when a password has actually changed, vs. pages that contain a fake "new password" string where you can fill the old and the new one and it changes the password, but if you don't touch it, it just saves other stuff. Safari just throws "Your password changed!!!!! Update now?" and just overrides with a garbage password.
If 1Password can do all that stuff from JS, so can Safari, but like everything with Apple, the autofill feature is half-assed at best, and has been for years.
It's even worse on mobile, whereas the 1Password JS extension works the same and includes the same capabilities.