Clickjacking Targets Browser Password Managers

At DEF CON 33, a method of attacking browser extensions that render their user interface elements inside the page being viewed was presented. The technique applies to password-manager extensions and can leak stored data such as login credentials, credit card details, personal data, and one-time passwords used for two-factor authentication. The vulnerability affected a range of the password managers tested, including 1Password, Bitwarden, LastPass, KeePassXC-Browser, NordPass, Proton Pass, and Keeper.

The method relies on the way password-manager extensions show their autofill prompt directly on the displayed page by inserting its elements into the page's DOM (Document Object Model). Any JavaScript running on the page, whether on a site the attacker controls or injected through a cross-site scripting (XSS) vulnerability on a legitimate site, can manipulate every element of that DOM, including the dialogue inserted by the extension. The attacker makes the extension's dialogue transparent and draws a decoy beneath it that invites a click, such as a fake cookie-consent prompt, an advertisement, or a CAPTCHA form. By aligning the decoy's buttons with the buttons of the invisible dialogue above them, the attacker deceives the user into clicking what appears to be a harmless element while in fact confirming the autofill of credentials in the password manager's dialogue.

The attack follows a sequence of steps:

  • An element is created on the page to lure a click, and the password manager's injected form elements are made effectively invisible (“opacity: 0.001” in CSS).
  • The attacker waits for the user to click the lure; with the right arrangement of visible and invisible elements, the click lands on a button of the transparent dialogue and the password manager autofills the form fields.
  • The data from the filled web form is extracted and sent to the attacker's server.
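The hit-testing behind these steps, modelled as an added example that is not code from the presentation or from any of the password managers named above. Page elements are plain objects (bounding box, z-index, opacity, optional parent) rather than real DOM nodes, so the scene runs in Node without a browser; all function names, the constructed scene and the 0.05 visibility threshold are assumptions made for this example. The check worth taking away is effectiveOpacity: browsers multiply an element's opacity with that of every ancestor, so an extension that inspects only its own button's style would not notice that the page set opacity: 0.001 on the injected container.

```javascript
// Added example: a model of the hit-testing behind DOM-based extension clickjacking.
// Elements are plain objects (box, z-index, opacity, optional parent) rather than
// real DOM nodes, so the scene can be built and checked in Node without a browser.
// All names and the 0.05 visibility threshold are assumptions made for this example.

const VISIBILITY_THRESHOLD = 0.05; // assumption: below this a user cannot see the element

// Browsers multiply an element's opacity with that of every ancestor, so an
// extension that checks only its button's own style would miss an attacker
// who set opacity: 0.001 on the injected container. Walk the ancestor chain.
function effectiveOpacity(el) {
  let o = 1;
  for (let n = el; n; n = n.parent) o *= (n.opacity ?? 1);
  return o;
}

function contains(box, x, y) {
  return x >= box.x && x < box.x + box.w && y >= box.y && y < box.y + box.h;
}

// Elements under (x, y), topmost first: higher z-index wins, later DOM order breaks ties.
// This mirrors what document.elementsFromPoint() returns in a browser.
function elementsFromPoint(scene, x, y) {
  return scene
    .map((el, order) => ({ el, order }))
    .filter(({ el }) => contains(el.box, x, y))
    .sort((a, b) => (b.el.z - a.el.z) || (b.order - a.order))
    .map(({ el }) => el);
}

// The element that actually receives a click at (x, y).
function resolveClickTarget(scene, x, y) {
  return elementsFromPoint(scene, x, y)[0] ?? null;
}

// Clickjacking condition from the steps above: the element receiving the click is
// invisible to the user, while a visible element (the decoy) sits beneath it.
function isClickjacked(scene, x, y, threshold = VISIBILITY_THRESHOLD) {
  const stack = elementsFromPoint(scene, x, y);
  if (stack.length < 2) return false;
  if (effectiveOpacity(stack[0]) >= threshold) return false;
  return stack.slice(1).some((el) => effectiveOpacity(el) >= threshold);
}

// What a password-manager extension should check before honoring a click on its own
// UI: refuse to autofill when the clicked button is not actually visible.
function extensionShouldHonorClick(button, threshold = VISIBILITY_THRESHOLD) {
  return effectiveOpacity(button) >= threshold;
}

// Constructed scene: a page showing a fake cookie banner, with the password manager's
// autofill dialogue injected on top. managerOpacity is what the page's JavaScript set
// on the manager's container (1 on an honest page, 0.001 in the attack).
function buildScene(managerOpacity) {
  const managerRoot = {
    id: 'pm-root', box: { x: 280, y: 440, w: 240, h: 120 }, z: 2147483647, opacity: managerOpacity,
  };
  return [
    { id: 'cookie-banner', box: { x: 0, y: 400, w: 800, h: 200 }, z: 10, opacity: 1 },
    { id: 'accept-cookies-btn', box: { x: 300, y: 480, w: 200, h: 40 }, z: 11, opacity: 1 },
    managerRoot,
    // The "Fill credentials" button is positioned exactly over the decoy's "Accept" button.
    { id: 'pm-fill-credentials-btn', box: { x: 300, y: 480, w: 200, h: 40 }, z: 2147483647, opacity: 1, parent: managerRoot },
  ];
}

// Stand-alone demo: the user clicks the centre of what they see as "Accept cookies".
const attackScene = buildScene(0.001);
const target = resolveClickTarget(attackScene, 400, 500);
console.log('click lands on:', target.id);                                        // pm-fill-credentials-btn
console.log('effective opacity:', effectiveOpacity(target));                      // 0.001
console.log('clickjacked:', isClickjacked(attackScene, 400, 500));                // true
console.log('extension should honor click:', extensionShouldHonorClick(target)); // false
```

In a real extension the same check is done with document.elementsFromPoint() and getComputedStyle() applied to the button and each of its ancestors, and the example only models the opacity trick described above; other ways of hiding the dialogue (for instance positioning it off-screen or under the cursor) are not covered.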