Hot Take Researcher Exposes Zero-Day Clickjacking Vulnerabilities in Major Password Managers

KeePassXC extension also injects into the DOM by default, which would be vulnerable to this kind of manipulation as well, even if it wasn't tested in the research. In both Bitwarden and KeePassXC, the behavior can be turned off. Infrequent unlocking and not using a bad URL would probably prevent this as well.
It would be helpful and appreciated if you'd share how to turn off the behavior in KeePassXC and Bitwarden as you mentioned. TIA!
  • Bitwarden extension: Settings > Autofill > Show autofill suggestions on form fields (OFF)
  • KeePassXC extension: Settings > "Activate * icon" (there are three) (OFF)
Note that for both extensions, you can use keyboard shortcuts (requiring your explicit interaction) to autofill. In Bitwarden, you can use the extension icon to autofill as well; you can probably do this with KeePassXC's too, but I haven't tested it.
 
Another simple method is using autofill with incomplete passwords. It is as simple as other methods. After autofill, the user must complete the full password, for example, by manually adding "4$" (or any easy phrase) at the end. This method can prevent clickjacking, clipboard hijacking, keyloggers, screenloggers, stealing stored passwords in web browser encrypted wallets, etc. Also, even if the master password is compromised, the passwords stored in the wallet are useless without the "end phrase" (stored only in the user's mind).

Edit.
This requires first saving the incomplete password in the password manager and then changing the password in the website by adding the "end phrase".
Is using manual copy and paste from password manager more safe than autofill (without browser extension)?

I do not think so. Autofill checks if the URL is valid, so the credentials will not be autofilled on the phishing site. Also, manual copy/paste is vulnerable to clipboard hijacking.
So how does autofill get exploited by clickjacking?

The clickjacking can exploit the autofill by compromising the valid URLs (usually via subdomains). This happens rarely compared to other phishing methods, which commonly use fake websites.
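The post above turns on how a password manager decides that a page is a "valid URL" for a saved login, and why a compromised subdomain can still receive credentials. The following is an added example, not code from the thread or from Bitwarden or KeePassXC: a small URI match routine with three assumed policies (exact, host, base domain) and a constructed public suffix list, showing which pages each policy would offer credentials to.

```javascript
// Added illustration of password-manager URI matching (not any product's code).
// The policy names, the shouldOffer()/evaluatePolicies() helpers and the
// suffix list are assumptions for this example; real products differ in detail.

// Constructed, deliberately tiny stand-in for the Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "co.uk"]);

// Reduce a hostname to its registrable ("base") domain: the label directly
// left of the longest matching public suffix, e.g. login.example.com -> example.com.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  for (let i = 1; i < labels.length; i++) {
    const suffix = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(suffix)) {
      return labels.slice(i - 1).join(".");
    }
  }
  return labels.join(".");
}

// Decide whether a saved login for savedUri should be offered on pageUrl.
// Credentials are never offered over plain HTTP (an assumption of this example).
function shouldOffer(savedUri, pageUrl, policy) {
  const saved = new URL(savedUri);
  const page = new URL(pageUrl);
  if (page.protocol !== "https:") return false;
  switch (policy) {
    case "exact":
      return saved.href === page.href;            // scheme, host, path and query must all match
    case "host":
      return saved.host === page.host;            // same hostname (and port); subdomains excluded
    case "base-domain":
      return registrableDomain(saved.hostname) === registrableDomain(page.hostname); // any subdomain
    default:
      throw new Error("unknown policy: " + policy);
  }
}

// Evaluate every policy at once so the trade-off is visible side by side.
function evaluatePolicies(savedUri, pageUrl) {
  const result = {};
  for (const policy of ["exact", "host", "base-domain"]) {
    result[policy] = shouldOffer(savedUri, pageUrl, policy);
  }
  return result;
}

// Demo with constructed URLs: a subdomain of the real site and a look-alike domain.
const saved = "https://example.com/login";
for (const page of [
  "https://example.com/login",
  "https://static.example.com/promo",   // subdomain of the legitimate site
  "https://example.com.evil.net/login", // look-alike, different registrable domain
  "http://example.com/login",           // plaintext
]) {
  console.log(page, evaluatePolicies(saved, page));
}
```

With base-domain matching, a page served from any subdomain of the legitimate site passes the check, which is the situation the thread describes; host or exact matching refuses it, at the cost of more manual work on sites that legitimately log in on several hostnames. The look-alike domain fails under every policy, because its registrable domain is different.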
This is "bypassable", not stoppable 😊
"bypassable" - Yes, there's nothing that you can do about it.
"not stoppable" - Yes, not stoppable, unless the user opens the webpage console and knows how to read the code and identify malicious/suspicious code that should not be there before entering the I&A info.

Manually entering credentials does not matter. The legitimate webpage's forms/input fields are compromised by the clickjacking exploit ("abuse" of the legitimate webpage URL via subdomains). It's something like a Man-in-the-Webpage/Man-in-the-Webform.
And even web protection (including scanning of encrypted connections) cannot detect it?
Scanning the encrypted connection does not matter. The insecurity is not in the connection, but in the webforms. Webforms are in the user's browser, but which forms are there and where the input data is submitted is decided on the web server side - in this particular case.
Some AVs do perform script scanning (which requires the HTTPS scanning to be done early). There is an insane number of variables (the script can be heavily obfuscated; exactly this obfuscation may trigger detection, but then it may not be obfuscated at all).

Scanning the scripts does help to an extent, but as we’ve seen with Magecart, it is not a perfect solution.
And here is one more situation where all security solutions remain helpless, and the only solution is to use your brain and copy/paste or autofill the password missing the last two characters, to be filled in manually, as directed by Andy.
It won’t help you!!!!

Imagine that you have one plate with food and the food is poisonous. It doesn’t matter whether you will eat with fork, with chopsticks, with fingers, or you will bend down and eat from the plate. The result will be the same.

This is the same situation.

The problem is the website—this same website you use has now become malicious.
If the webform itself is malicious and/or there is clipboard hijacking, it does not matter. Enter the credentials manually or copy-paste them, and that goose gets deep fried.