Previous Card
Dummy's Guide to Modern LLM Sampling Intro Knowledge
This research introduces a new DOM-based extension clickjacking technique, demonstrating that browser extensions, particularly password managers, are still highly vulnerable despite traditional web clickjacking being largely mitigated. The study found all 11 tested password managers susceptible, risking sensitive user data like credit cards, personal information, and login credentials through a single malicious click. Millions of users are at risk, and several major vendors have yet to patch these 0-day vulnerabilities. ✨
Article Points:
1
Browser extensions are the new target for clickjacking attacks.
2
New DOM-based clickjacking technique found 0-days in 11 password managers.
3
Single click can steal credit cards, personal data, logins, and TOTP.
4
Password managers autofill credentials across subdomains, increasing risk.
5
Many major password managers still haven't fixed these vulnerabilities.
6
Users should set Chromium extension site access to "on click" for protection.
Problem Statement
Clickjacking not dead
Browser extensions vulnerable
Web clickjacking largely solved
Attack Techniques
IFRAME-based
DOM-based (New)
- Extension Element
- Parent Element
- Overlay
Impact
Credit Card/Personal Data theft
Login credentials/TOTP theft
Passkey authentication hijacking
Millions of users at risk
Vulnerable Password Managers
Bitwarden
1Password
iCloud Passwords
Enpass
LastPass
LogMeOnce
Mitigation
Extension Element fixes
Parent Element fixes
Overlay fixes
New browser API needed
Recommendations