DEF CON 33 - Browser Extension Clickjacking: One Click and Your Credit Card Is Stolen - Marek Tóth
Summary
Highlights
The speaker introduces himself as a cybersecurity researcher specializing in web application security from the Czech Republic. He notes that clickjacking is often out of scope for bug bounty programs, but his research demonstrates its continued impact. He discusses common intrusive web elements (cookie banners, popups, CAPTCHAs) that force users to click, which attackers can exploit.
An overview of browser extension components is provided, including background scripts, content scripts, and the manifest.json file, emphasizing how authentication persists across sessions. The speaker highlights that extension developers bear more security responsibility than web application developers. He then introduces the password managers selected for his research, focusing on their manual autofill features as the target for clickjacking, as this involves user interaction.
Marek explains iframe-based clickjacking, which exploits misconfigurations in the manifest.json file, specifically in the 'web accessible resources' section. He demonstrates how an attacker can load an extension's interface (e.g., North Pass's app.html) within an invisible iframe on a malicious domain. A demo shows how this allows an attacker to trick a user into sharing all their stored passwords and sensitive data with just four clicks, leading to a $10,000 bounty for this vulnerability. Mitigation involves setting necessary files, whitelisting domains, and using X-Frame-Options or Content Security Policy.
The core of the research, DOM-based extension clickjacking, is introduced. This method manipulates UI elements injected by browser extensions into the DOM. It doesn't use iframes but changes the visibility of elements using JavaScript, typically by adjusting opacity. Various techniques are discussed: targeting the root element, child elements (especially with shadow DOM), and parent elements like the `body` or `html` tags, often combined with background images to create a convincing illusion. A demo illustrates how changing opacity to zero makes the autofill menu invisible, allowing an attacker to steal credit card details after a user clicks on an apparent 'cookie' prompt.
This section details overlay techniques where attackers place their own elements over the extension's UI. Partial overlay involves placing elements around the autofill menu, while full overlay places them completely over the UI. To make the underlying extension elements clickable despite the overlay, the `pointer-events: none` CSS property or the Popover API is used. A demo showcases how a user, clicking on a transparent overlay, unknowingly interacts with the hidden autofill menu, leading to data theft.
The speaker provides an example of the exploit code used for full overlay, detailing the creation of a cookie banner, making it a top layer with the Popover API, and using `pointer-events: none`. It also shows how a personal data form is created, focused to trigger autofill, and its data is exfiltrated. Two types of click positions are discussed: fixed click positions (e.g., over cookie consent buttons) and dynamic positions that follow the mouse cursor, enabling a 'one-click' data leak anywhere on the page.
A table is presented showing that all tested password managers were vulnerable to some form of DOM-based clickjacking. The impact includes the theft of credit card numbers, expiration dates, security codes, and personal data (name, email, phone, address) as these are not domain-specific. Six out of nine password managers supporting manual autofill for credit cards were vulnerable, and eight out of ten for personal data. A demo shows Robiform leaking credit card details.
The discussion extends to attacks on websites with vulnerabilities like XSS, subdomain takeover, or web cache poisoning. Login credentials (username, password, and TOTP codes) can be stolen. A key limitation is that only credentials for the specific vulnerable domain can be stolen, but an advantage is that most password managers autofill across subdomains by default. Passkeys are also at risk, with four out of seven tested FIDO alliance certified solutions vulnerable to authentication flow hijacking, allowing an attacker to gain persistent access. A demo illustrates how XSS on a trusted domain can extract login credentials, TOTP, credit card, and personal data with a few clicks.
Limitations of the attack include auto-logout features and closing the browser. Mitigation strategies for developers are complex and involve using Mutation Observer API, closed shadow DOM, detecting body/HTML opacity changes, and sophisticated checks for overlaid elements. Simple protection doesn't exist, suggesting a need for new browser APIs. User recommendations include disabling manual autofill (using copy-paste instead), setting exact URLs for autofill, or enabling 'Site access only on click' for Chromium-based browsers. The talk concludes by reiterating that clickjacking is not dead, browser extensions are highly vulnerable, and just one click can lead to significant data theft.