0-Day Clickjacking Vulnerabilities Found in Major Password Managers like 1Password, LastPass and Others

Source: Cyber Security News

Security researcher Marek Tóth revealed a new attack technique called DOM-based Extension Clickjacking, which manipulates the UI elements that password manager extensions inject into a web page's DOM to invisibly steal sensitive data such as credit card details, login credentials, and two-factor authentication codes. Unlike traditional clickjacking, which relies on invisible iframes, this method hides the extension's UI elements with JavaScript-controlled opacity and DOM overlays, so that a click on what appears to be a legitimate page element, such as a cookie banner or a CAPTCHA, actually triggers autofill.

All eleven password managers tested were initially vulnerable, affecting around 40 million active installations across Chrome, Firefox, and Edge. Six password managers were vulnerable to credit card data theft, eight to exfiltration of personal information, and ten to credential theft including TOTP codes. Following responsible disclosure in April 2025, some vendors such as Dashlane and Keeper have patched their extensions, but major players like 1Password, Bitwarden, and LastPass remain exposed as of August 2025, leaving 32.7 million users at risk.

The vulnerability highlights the difficulty of securing browser extensions against advanced client-side attacks, since traditional HTTP header defenses do not mitigate DOM-based clickjacking. Attackers can exploit these flaws from attacker-controlled websites or through subdomain attacks that leverage XSS or subdomain takeovers; the risk is amplified because password managers autofill credentials on all subdomains of a site.

Users are advised to set the extension's site access to ‘on click’ in Chromium-based browsers, keep extensions updated, and consider disabling autofill features to reduce risk, at the expense of convenience. The discovery emphasizes the evolving threat landscape in web security and the need for ongoing research and improved defenses in browser extension ecosystems to protect sensitive user data.
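As an added illustration of the defensive side (example code, not from the article or from any vendor's extension), the following shows one check a password manager extension could run before honoring a click on the autofill UI it injects into the page DOM: the click is rejected when the element chain is transparent, hidden, clipped, off-screen, or when something other than the extension's own element is on top at the click coordinates. The `MIN_OPACITY` threshold, the function names and the decision structure are assumptions made for this example.

```javascript
// Constructed example: a defensive check an extension could run before
// honoring a click on its own autofill UI injected into the page DOM.
// The decision logic is kept pure so it can be tested without a browser.

const MIN_OPACITY = 0.9; // assumption: anything fainter is treated as hidden

// styleChain: computed styles of the clicked element and each ancestor,
// innermost first. Returns a reason string when something hides the UI.
function hiddenReason(styleChain) {
  for (const s of styleChain) {
    if (s.display === "none") return "display:none in ancestor chain";
    if (s.visibility === "hidden") return "visibility:hidden in ancestor chain";
    if (Number(s.opacity) < MIN_OPACITY) return "opacity below " + MIN_OPACITY;
    if (s.clipPath && s.clipPath !== "none") return "clip-path applied";
  }
  return null; // nothing in the chain hides the element (not exhaustive)
}

// rect: bounding box of the clicked element; viewport: {width, height}.
function offscreenReason(rect, viewport) {
  if (rect.width < 1 || rect.height < 1) return "element has no area";
  if (rect.right <= 0 || rect.bottom <= 0) return "element above/left of viewport";
  if (rect.left >= viewport.width || rect.top >= viewport.height) return "element below/right of viewport";
  return null;
}

// Combines the checks. topElementIsOurs: whether elementFromPoint at the
// click coordinates resolved to the extension's own element (or a descendant).
function autofillClickDecision({ styleChain, rect, viewport, topElementIsOurs }) {
  if (!topElementIsOurs) return { allow: false, reason: "another element is on top at click point" };
  const r = hiddenReason(styleChain) || offscreenReason(rect, viewport);
  return r ? { allow: false, reason: r } : { allow: true, reason: null };
}

// Browser glue (only meaningful where a DOM exists): gathers the inputs above
// from a click event on the extension's UI rooted at ownRoot.
function verifyAutofillClick(ownRoot, event, win = globalThis.window) {
  const chain = [];
  for (let el = event.target; el && el.nodeType === 1; el = el.parentElement) {
    chain.push(win.getComputedStyle(el));
  }
  const top = win.document.elementFromPoint(event.clientX, event.clientY);
  return autofillClickDecision({
    styleChain: chain,
    rect: event.target.getBoundingClientRect(),
    viewport: { width: win.innerWidth, height: win.innerHeight },
    topElementIsOurs: top !== null && ownRoot.contains(top),
  });
}
```

The extension would call `verifyAutofillClick` in its click handler and only proceed with autofill when `allow` is true; the rejection reason is useful for telemetry about pages that attempt to hide the UI.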

👉 Read the original: Cyber Security News