DEF CON 33 – Browser Extension Clickjacking: One Click and Your Credit Card Is Stolen – Marek Tóth

Browser extensions have become increasingly popular for enhancing the web browsing experience. Common examples are ad blockers, cryptocurrency wallets, and password managers. At the same time, modern websites frequently display intrusive elements, such as cookie consent banners, newsletter subscription modals, login forms, and other elements that require user interaction before the desired content can be displayed.

In this talk, I will present a new technique based on clickjacking principles that targets browser extensions, where I used fake intrusive elements to enforce user interaction. In my research, I tested this technique on the 11 most widely used password managers, which resulted in discovering multiple 0-day vulnerabilities that could affect tens of millions of users. Typically, just one click was required from a user to leak their stored private information, such as credit card details, personal data or login credentials (including TOTP). In some cases, it could lead to the exploitation of passkey authentication.

The described technique is general and can be applied to browser extensions beyond password managers, meaning other extensions may also be vulnerable to this type of attack. In addition to describing several methods of this technique, I will also recommend mitigations for developers to protect their extensions against this vulnerability.DEFCONConferenceRead More