A DOM-based extension clickjacking technique manipulates UI elements that browser extensions inject into web pages to exfiltrate sensitive data. A malicious script can set injected UI elements, such as auto-fill prompts, to invisible via opacity zero, enabling a single click on an attacker-controlled page to cause credential auto-fill and data leakage. The technique affects multiple popular password manager browser add-ons, including 1Password and iCloud Passwords, and can expose login credentials, time-based one-time passwords used for 2FA, and credit card details. An attacker can implement the exploit by embedding an invisible login form and an intrusive pop-up that prompts users to click.
Popular password manager plugins for web browsers have been found susceptible to clickjacking security vulnerabilities that could be exploited to steal account credentials, two-factor authentication (2FA) codes, and credit card details under certain conditions. The technique has been dubbed Document Object Model ( DOM)-based extension clickjacking by independent security researcher Marek Tóth, who presented the findings at the DEF CON 33 security conference earlier this month.
The new technique detailed by Tóth essentially involves using a malicious script to manipulate UI elements in a web page that browser extensions inject into the DOM -- for example, auto-fill prompts, by making them invisible by setting their opacity to zero. The research specifically focused on 11 popular password manager browser add-ons, ranging from 1Password to iCloud Passwords, all of which have been found to be susceptible to DOM-based extension clickjacking. Collectively, these extensions have millions of users.
Collection
[
|
...
]