DEF CON 33 - Browser Extension Clickjacking: One Click and Your Credit Card Is Stolen - Marek Tóth

Share

Summary

In this talk, Marek Tóth discusses the vulnerability of browser extensions to clickjacking attacks, specifically focusing on how these attacks can lead to the theft of sensitive user data like credit card information and login credentials. He categorizes clickjacking techniques into iframe-based and DOM-based methods, demonstrating how attackers can exploit intrusive web elements and manipulate extension UIs to trick users into unknowingly revealing their data.

Highlights

Introduction to Clickjacking and Intrusive Web Elements
00:00:00

The speaker introduces himself as a cybersecurity researcher specializing in web application security from the Czech Republic. He notes that clickjacking is often out of scope for bug bounty programs, but his research demonstrates its continued impact. He discusses common intrusive web elements (cookie banners, popups, CAPTCHAs) that force users to click, which attackers can exploit.

Browser Extension Basics and Password Managers
00:04:07

An overview of browser extension components is provided, including background scripts, content scripts, and the manifest.json file, emphasizing how authentication persists across sessions. The speaker highlights that extension developers bear more security responsibility than web application developers. He then introduces the password managers selected for his research, focusing on their manual autofill features as the target for clickjacking, as this involves user interaction.

Iframe-Based Extension Clickjacking
00:09:14

Marek explains iframe-based clickjacking, which exploits misconfigurations in the manifest.json file, specifically in the 'web accessible resources' section. He demonstrates how an attacker can load an extension's interface (e.g., North Pass's app.html) within an invisible iframe on a malicious domain. A demo shows how this allows an attacker to trick a user into sharing all their stored passwords and sensitive data with just four clicks, leading to a $10,000 bounty for this vulnerability. Mitigation involves setting necessary files, whitelisting domains, and using X-Frame-Options or Content Security Policy.

DOM-Based Extension Clickjacking: Transparency Techniques
00:14:40

The core of the research, DOM-based extension clickjacking, is introduced. This method manipulates UI elements injected by browser extensions into the DOM. It doesn't use iframes but changes the visibility of elements using JavaScript, typically by adjusting opacity. Various techniques are discussed: targeting the root element, child elements (especially with shadow DOM), and parent elements like the `body` or `html` tags, often combined with background images to create a convincing illusion. A demo illustrates how changing opacity to zero makes the autofill menu invisible, allowing an attacker to steal credit card details after a user clicks on an apparent 'cookie' prompt.

DOM-Based Extension Clickjacking: Overlay Techniques
00:23:14

This section details overlay techniques where attackers place their own elements over the extension's UI. Partial overlay involves placing elements around the autofill menu, while full overlay places them completely over the UI. To make the underlying extension elements clickable despite the overlay, the `pointer-events: none` CSS property or the Popover API is used. A demo showcases how a user, clicking on a transparent overlay, unknowingly interacts with the hidden autofill menu, leading to data theft.

Exploit Code Structure and Click Position
00:27:51

The speaker provides an example of the exploit code used for full overlay, detailing the creation of a cookie banner, making it a top layer with the Popover API, and using `pointer-events: none`. It also shows how a personal data form is created, focused to trigger autofill, and its data is exfiltrated. Two types of click positions are discussed: fixed click positions (e.g., over cookie consent buttons) and dynamic positions that follow the mouse cursor, enabling a 'one-click' data leak anywhere on the page.

Vulnerability Assessment and Impact
00:30:50

A table is presented showing that all tested password managers were vulnerable to some form of DOM-based clickjacking. The impact includes the theft of credit card numbers, expiration dates, security codes, and personal data (name, email, phone, address) as these are not domain-specific. Six out of nine password managers supporting manual autofill for credit cards were vulnerable, and eight out of ten for personal data. A demo shows Robiform leaking credit card details.

Threats on Vulnerable Websites and Passkeys
00:34:30

The discussion extends to attacks on websites with vulnerabilities like XSS, subdomain takeover, or web cache poisoning. Login credentials (username, password, and TOTP codes) can be stolen. A key limitation is that only credentials for the specific vulnerable domain can be stolen, but an advantage is that most password managers autofill across subdomains by default. Passkeys are also at risk, with four out of seven tested FIDO alliance certified solutions vulnerable to authentication flow hijacking, allowing an attacker to gain persistent access. A demo illustrates how XSS on a trusted domain can extract login credentials, TOTP, credit card, and personal data with a few clicks.

Mitigation, User Recommendations, and Conclusion
00:43:59

Limitations of the attack include auto-logout features and closing the browser. Mitigation strategies for developers are complex and involve using Mutation Observer API, closed shadow DOM, detecting body/HTML opacity changes, and sophisticated checks for overlaid elements. Simple protection doesn't exist, suggesting a need for new browser APIs. User recommendations include disabling manual autofill (using copy-paste instead), setting exact URLs for autofill, or enabling 'Site access only on click' for Chromium-based browsers. The talk concludes by reiterating that clickjacking is not dead, browser extensions are highly vulnerable, and just one click can lead to significant data theft.

Recently Summarized Articles

Loading...