{"id":49699,"date":"2025-10-20T16:51:15","date_gmt":"2025-10-20T20:51:15","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=49699"},"modified":"2025-10-21T15:25:48","modified_gmt":"2025-10-21T19:25:48","slug":"password-manager-browser-extension-clickjacking","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2025\/10\/20\/password-manager-browser-extension-clickjacking\/","title":{"rendered":"Password Manager Browser Extension Clickjacking"},"content":{"rendered":"<p><a href=\"https:\/\/www.macworld.com\/article\/2889403\/if-you-use-icloud-passwords-on-chrome-or-firefox-your-data-may-be-at-risk.html\">Michael Simon<\/a> (via <a href=\"https:\/\/www.macintouch.com\/post\/47997\/icloud-passwords-security-problems\/\">Ric Ford<\/a>):<\/p>\n<blockquote cite=\"https:\/\/www.macworld.com\/article\/2889403\/if-you-use-icloud-passwords-on-chrome-or-firefox-your-data-may-be-at-risk.html\"><p>If you use Firefox on a Mac or PC, Apple offers a handy browser extension that puts your iCloud passwords right at your fingertips without needing to open a separate app. However, a new warning might make you think twice before you use it next time.<\/p><p>As <a href=\"https:\/\/thehackernews.com\/2025\/08\/dom-based-extension-clickjacking.html\">reported by The Hacker News<\/a>, a new Document Object Model vulnerability has been discovered by security researcher Marek T&oacute;th that could allow attackers to steal users&rsquo; credit card details, personal data, and login credentials through so-called clickjacking or UI redressing.<\/p><p>[&#8230;]<\/p><p>While some flaws have been patched, several popular <a href=\"https:\/\/www.macworld.com\/article\/668938\/best-password-managers-2.html\">password manager<\/a> extensions are at risk, including 1Password, LastPass, and iCloud. With iCloud Passwords, researchers specifically point to version 3.1.25, which <a href=\"https:\/\/addons.mozilla.org\/en-US\/firefox\/addon\/icloud-passwords\/\">Firefox<\/a> uses. 
<a href=\"https:\/\/chromewebstore.google.com\/detail\/icloud-passwords\/pejdijmoenmkgeppbflobdenhhabjlaj\">Chrome<\/a> uses a newer version, 3.1.27, though it appears as though the flaw still exists.<\/p><\/blockquote>\n\n<p><a href=\"https:\/\/thehackernews.com\/2025\/08\/dom-based-extension-clickjacking.html\">Ravie Lakshmanan<\/a>:<\/p>\n<blockquote cite=\"https:\/\/thehackernews.com\/2025\/08\/dom-based-extension-clickjacking.html\"><p>To pull off the attack, all a bad actor has to do is create a fake site with an intrusive pop-up, such as a login screen or a cookie consent banner, while embedding an invisible login form such that clicking on the site to close the pop-up causes the credential information to be auto-filled by the password manager and exfiltrated to a remote server.<\/p><p>&ldquo;All password managers filled credentials not only to the &lsquo;main&rsquo; domain, but also to all subdomains,&rdquo; T&oacute;th explained. &ldquo;An attacker could easily find XSS or other vulnerabilities and steal the user&rsquo;s stored credentials with a single click (10 out of 11), including TOTP (9 out of 11). In some scenarios, passkey authentication could also be exploited (8 out of 11).&rdquo;<\/p><\/blockquote>\n\n<p>I dislike this whole architecture of integrating password managers via browser extensions. 
I don&rsquo;t want the page content to be able to fool the extension, and I don&rsquo;t like the extension being able to read the page content.<\/p>\n\n<p>Previously:<\/p>\n<ul>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2025\/03\/19\/apple-passwords-phishing-vulnerability\/\">Apple Passwords Phishing Vulnerability<\/a><\/li>\n<\/ul>\n\n<p id=\"password-manager-browser-extension-clickjacking-update-2025-10-21\">Update (<a href=\"#password-manager-browser-extension-clickjacking-update-2025-10-21\">2025-10-21<\/a>): <a href=\"https:\/\/secrets.app\/blog\/2025\/09\/dumb-extensions\/\">Paulo Andrade<\/a> (<a href=\"https:\/\/mastodon.social\/@pfandrade\/115412224386368319\">Mastodon<\/a>):<\/p>\n<blockquote cite=\"https:\/\/secrets.app\/blog\/2025\/09\/dumb-extensions\/\"><p>Secrets&rsquo; browser extension does not automatically drop down or insert credentials when a login or form field is detected. Instead, it requires the user to explicitly trigger a fill (click its icon, or invoke it via the toolbar or a keyboard shortcut) and select which credential to fill on the main app itself.<\/p><p>Such a &ldquo;dumb&rdquo; mode reduces the attack surface, especially for these kinds of UI\/overlay, clickjacking, or pointer manipulation attacks. If autofill doesn&rsquo;t happen automatically, there&rsquo;s no invisible dropdown to trick. The attacker can&rsquo;t overlay or capture clicks if nothing is shown by default.<\/p><p>By requiring consent in the main app, Secrets minimizes exposure. You hold back the credential until absolutely necessary. That reduces what malicious scripts on the page could grab.<\/p><\/blockquote>","protected":false},"excerpt":{"rendered":"<p>Michael Simon (via Ric Ford): If you use Firefox on a Mac or PC, Apple offers a handy browser extension that puts your iCloud passwords right at your fingertips without needing to open a separate app. 
However, a new warning might make you think twice before you use it next time.As reported by The Hacker [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2025-10-20T20:51:18Z","apple_news_api_id":"53fcfa4a-16a3-4052-a9f2-ab15bb19e29c","apple_news_api_modified_at":"2025-10-21T19:25:51Z","apple_news_api_revision":"AAAAAAAAAAAAAAAAAAAAAA==","apple_news_api_share_url":"https:\/\/apple.news\/AU_z6ShajQFKp8qsVuxninA","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[284,2165,2095,279,456,1417,1410,30,2742,355,1849,48],"class_list":["post-49699","post","type-post","status-publish","format-standard","hentry","category-technology","tag-1password","tag-apple-password-manager","tag-exploit","tag-firefox","tag-googlechrome","tag-icloud-keychain","tag-lastpass","tag-mac","tag-macos-tahoe-26","tag-privacy","tag-secrets","tag-security"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/49699","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=49699"}],"version-history":[{"count":2,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/49699\/
revisions"}],"predecessor-version":[{"id":49708,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/49699\/revisions\/49708"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=49699"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=49699"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=49699"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
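The attack quoted above from The Hacker News (an invisible login form under a pop-up, one click to dismiss the pop-up fills and exfiltrates) works because the extension fills on a page-driven event into a field it never verified was visible and clickable. Here is an added example of an extension-side gate in JavaScript that applies the two checks a practitioner would want: the explicit-trigger policy Paulo Andrade describes in the update, and a rendering check on the target field before any fill. This is added example code, not from the original post and not the code of any password manager named on the page. All identifiers (domAdapter, fieldIsVisiblyRendered, shouldAutofill, scenario) are hypothetical, the 0.1 opacity threshold is an assumed tuning value, and the in-memory elements and hit-test are constructed so the block runs in Node without a browser; inside a content script the domAdapter over getComputedStyle, getBoundingClientRect and document.elementFromPoint is used instead.

```javascript
// Added example, not code from the original post or from any password manager:
// an extension-side gate that (1) refuses page-driven fill triggers and
// (2) refuses to fill a field that is not actually rendered and clickable.
// All identifiers are hypothetical. The adapter indirection lets the same
// logic run against the real DOM in a browser and against constructed
// objects offline.

// Adapter over real browser APIs, for use from a content script (not called in Node).
const domAdapter = {
  style: (el) => getComputedStyle(el),
  rect: (el) => el.getBoundingClientRect(),
  parent: (el) => el.parentElement,
  elementAt: (x, y) => document.elementFromPoint(x, y),
  viewport: () => ({ width: window.innerWidth, height: window.innerHeight }),
  contains: (ancestor, el) => ancestor.contains(el),
};

// Assumed threshold: anything dimmer than this is treated as hidden.
const MIN_EFFECTIVE_OPACITY = 0.1;

// A field counts as visibly rendered only if no ancestor hides it, its
// compounded opacity is above the threshold, it has an on-screen box, and a
// click at its centre would land on the field itself (not on an overlay).
function fieldIsVisiblyRendered(field, dom) {
  const reasons = new Set();
  let opacity = 1;
  for (let el = field; el; el = dom.parent(el)) {
    const s = dom.style(el);
    if (s.display === 'none') reasons.add('display:none in ancestor chain');
    if (s.visibility === 'hidden' || s.visibility === 'collapse') reasons.add('visibility hidden in ancestor chain');
    opacity *= Number(s.opacity ?? 1); // opacity compounds down the tree
  }
  if (opacity < MIN_EFFECTIVE_OPACITY) {
    reasons.add(`effective opacity ${opacity.toFixed(2)} below ${MIN_EFFECTIVE_OPACITY}`);
  }

  const r = dom.rect(field);
  const vp = dom.viewport();
  if (r.width <= 0 || r.height <= 0) reasons.add('zero-size box');
  const cx = r.x + r.width / 2;
  const cy = r.y + r.height / 2;
  if (cx < 0 || cy < 0 || cx > vp.width || cy > vp.height) {
    reasons.add('centre outside viewport');
  } else {
    const top = dom.elementAt(cx, cy);
    if (!top || (top !== field && !dom.contains(field, top))) {
      reasons.add(`click at centre would hit ${top ? top.tagName : 'nothing'} instead of the field`);
    }
  }
  return { visible: reasons.size === 0, reasons: [...reasons] };
}

// "Dumb mode" policy: page-driven triggers (focus, DOM insertion, form detection)
// never fill; only an explicit user action on the extension does, and the
// visibility check still applies to that.
function shouldAutofill({ field, dom, trigger, requireExplicitTrigger = true }) {
  if (requireExplicitTrigger && trigger !== 'explicit') {
    return { fill: false, reasons: [`trigger "${trigger}" is page-driven; fill only on explicit user action`] };
  }
  const { visible, reasons } = fieldIsVisiblyRendered(field, dom);
  return { fill: visible, reasons };
}

// --- Constructed stand-in for the DOM so the gate can be exercised offline ---
function makeElement(tagName, parent, { style = {}, rect = { x: 0, y: 0, width: 0, height: 0 } } = {}) {
  return { tagName, parent, rect, style: { display: 'block', visibility: 'visible', opacity: '1', ...style } };
}

function fakeDom(topElementAt) {
  const contains = (ancestor, el) => { for (let e = el; e; e = e.parent) if (e === ancestor) return true; return false; };
  return { style: (el) => el.style, rect: (el) => el.rect, parent: (el) => el.parent,
           elementAt: topElementAt, viewport: () => ({ width: 1280, height: 800 }), contains };
}

// Constructed page. With formOpacity '0' and overlay true it mirrors the attack
// described above: a full-page banner sits over an invisible form, and the
// password field lies under the banner's Close button.
function scenario({ formOpacity = '1', overlay = false, offscreen = false } = {}) {
  const full = { x: 0, y: 0, width: 1280, height: 800 };
  const body = makeElement('BODY', null, { rect: full });
  const banner = overlay ? makeElement('DIV', body, { rect: full }) : null;
  const x = offscreen ? -5000 : 500;
  const form = makeElement('FORM', body, { style: { opacity: formOpacity }, rect: { x, y: 300, width: 240, height: 80 } });
  const password = makeElement('INPUT', form, { rect: { x: x + 20, y: 340, width: 200, height: 30 } });
  // The hit test returns the banner when one covers the page, else the field.
  return { password, dom: fakeDom(() => banner ?? password) };
}

function demo() {
  const attack = scenario({ formOpacity: '0', overlay: true });
  const legit = scenario();
  const off = scenario({ offscreen: true });
  return {
    attackPageFocus: shouldAutofill({ field: attack.password, dom: attack.dom, trigger: 'focus' }),
    attackExplicit: shouldAutofill({ field: attack.password, dom: attack.dom, trigger: 'explicit' }),
    legitExplicit: shouldAutofill({ field: legit.password, dom: legit.dom, trigger: 'explicit' }),
    offscreenExplicit: shouldAutofill({ field: off.password, dom: off.dom, trigger: 'explicit' }),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

In a content script the call is `shouldAutofill({ field: inputNode, dom: domAdapter, trigger })`, where `trigger` is 'explicit' only for the extension's own toolbar icon or keyboard shortcut. The two layers are deliberately independent: the trigger policy removes the page's ability to start a fill at all, and the rendering check catches the invisible-form variant even when a product chooses to keep automatic filling on. The hit-test step is what defeats an overlay rather than a merely transparent field, since a banner covering the field returns itself from elementFromPoint regardless of the field's own opacity.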