Hot Take Researcher Exposes Zero-Day Clickjacking Vulnerabilities in Major Password Managers

The most successful approach for this particular attack is to manually copy and paste credentials instead of using autofill.
I'm not as deeply experienced or knowledgeable as some of you (y'all know who you are) but I somehow "intuited" that -- in my VM (copying from the host).
 
Do clickjacking use CSS?
Yes, clickjacking attacks commonly use CSS (Cascading Style Sheets) to manipulate the visual presentation of a web page. The attacker overlays an invisible or transparent malicious element, such as a button or an iframe, on top of the legitimate page content. This tricks the user into clicking on the malicious element when they think they are interacting with the genuine page.
 
> Yes, clickjacking attacks commonly use CSS (Cascading Style Sheets) to manipulate the visual presentation of a web page. The attacker overlays an invisible or transparent malicious element, such as a button or an iframe, on top of the legitimate page content. This tricks the user into clicking on the malicious element when they think they are interacting with the genuine page.
Okay, I understand. Thank you! And do you think this extension CSS Exfil Protection can protect against these types of attacks?
 
> Okay, I understand. Thank you! And do you think this extension CSS Exfil Protection can protect against these types of attacks?
Unfortunately, no. The browser extension CSS Exfil Protection is designed to prevent a very specific type of data exfiltration attack that uses CSS selectors to steal sensitive information. It does not protect against clickjacking.
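The overlay technique described above (the page makes the extension's injected element, or one of its ancestors, transparent) is exactly what an extension can check for from its own side. The following is an added example, not code from this thread or from any of the password managers named in it: a visibility check an extension could run before acting on a click on its autofill dropdown. It takes plain style objects (innermost element first) so it runs under Node without a DOM; in a real extension that array would come from `window.getComputedStyle()` over each ancestor and the click point would be confirmed with `document.elementFromPoint()`. The opacity threshold and the sample style chains are assumptions.

```javascript
// Added example, not code from the thread or from any password manager.
// A defensive check an extension could run before acting on a click on its
// injected autofill dropdown: clickjacking of injected UI relies on the page
// making the element (or an ancestor) transparent or otherwise non-visible,
// so the extension verifies that its UI is really visible at click time.
//
// Assumption: styles arrive as plain objects, innermost element first, so the
// code runs under Node without a DOM. In a real extension the array would be
// built from window.getComputedStyle() over each ancestor, and the click
// point confirmed with document.elementFromPoint(x, y).

const MIN_EFFECTIVE_OPACITY = 0.9; // assumed threshold: dimmer than this is suspicious

// Opacity composes multiplicatively down the ancestor chain: a fully opaque
// dropdown inside a 0.001-opacity parent is invisible to the user.
function effectiveOpacity(chain) {
  return chain.reduce((acc, style) => acc * parseFloat(style.opacity ?? '1'), 1);
}

function isEffectivelyVisible(chain) {
  if (chain.length === 0) return false;
  if (chain.some((s) => s.display === 'none' || s.visibility === 'hidden')) return false;
  if (effectiveOpacity(chain) < MIN_EFFECTIVE_OPACITY) return false;
  const self = chain[0];
  // pointer-events: none means clicks pass through to whatever is underneath
  if (self.pointerEvents === 'none') return false;
  // a zero-sized element is not something the user can have seen
  if (parseFloat(self.width) < 1 || parseFloat(self.height) < 1) return false;
  return true;
}

// A click is honoured only if the UI is visible and the element the browser
// reports at the click coordinates is the dropdown itself, not an overlay.
function shouldHonourClick(chain, elementAtPointIsDropdown) {
  return isEffectivelyVisible(chain) && elementAtPointIsDropdown === true;
}

// Constructed sample chains (not captured from any real page).
const dropdownStyle = {
  opacity: '1', display: 'block', visibility: 'visible',
  pointerEvents: 'auto', width: '240px', height: '120px',
};
const honestChain = [dropdownStyle, { opacity: '1', display: 'block', visibility: 'visible' }];
const transparentParentChain = [dropdownStyle, { opacity: '0.001', display: 'block', visibility: 'visible' }];
const dimmedChain = [
  { ...dropdownStyle, opacity: '0.5' },
  { opacity: '0.5', display: 'block', visibility: 'visible' }, // 0.5 * 0.5 = 0.25 effective
];

console.log('honest chain visible:', isEffectivelyVisible(honestChain)); // true
console.log('transparent parent visible:', isEffectivelyVisible(transparentParentChain)); // false
console.log('dimmed chain visible:', isEffectivelyVisible(dimmedChain)); // false
console.log('honour click with overlay at point:', shouldHonourClick(honestChain, false)); // false
```

The point of composing opacity over the whole ancestor chain is that the dropdown's own style can look perfectly normal while a parent supplied by the page hides it; checking only the clicked element would pass the transparent-parent case.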
 
I stand by this line of thinking to cut through all of the rigamarole. I've probably posted this at least a half dozen times in the past.
If you want to use an online password manager, I would recommend using the one already built into your browser. They provide the same functionality, and can sidestep these fundamental problems with extensions. I use Chrome, but the other major browsers like Edge or Firefox are fine too. They can isolate their trusted UI from websites, they don’t break the sandbox security model, they have world-class security teams, and they couldn’t be easier to use.

No doubt there will be many people reading this who don’t like this advice. All I can say is I’ve heard all the arguments, and stand by my conclusions.
 
> I stand by this line of thinking to cut through all of the rigamarole. I've probably posted this at least a half dozen times in the past.
Browser databases are not encrypted on your device, so anyone with even minimal technical knowledge can extract all your passwords saved in your browser, specifically on your computer and laptop. :)
 
> Browser databases are not encrypted on your device, so anyone with even minimal technical knowledge can extract all your passwords saved in your browser, specifically on your computer and laptop. :)
And who would that be, specifically?
 
> And who would that be, specifically?
I will use Chrome as an example, but this applies to any Chromium-based browser. Chrome saves your passwords in the folder "C:\Users\User\AppData\Local\Google\Chrome\User Data\Default", in the file "Login Data", in SQLite file format without any encryption. If you open it using WebBrowserPassView from NirSoft, you can see all your saved passwords. It's a legitimate programme, but now imagine what a hacker could do. And infostealers? The file in which Chrome, or any other browser, saves your passwords is not encrypted locally, only in the cloud, understand? This is the only weak point in Windows. Android is already more secure than Windows because root access would be required to access the database. You can test WebBrowserPassView on your computer yourself and you will see all your saved passwords, just like in the image below from WebBrowserPassView. A dedicated password manager's database is encrypted, so even if a hacker gains access, it will be useless because it is encrypted and unreadable, and all the data saved in the database is scrambled, unless they manage to break the AES 256-bit encryption, which has not been broken to date. Could it be broken one day? Yes, it is possible. As technology advances and quantum computers begin to gain ground, it may one day be possible to break this encryption. ;)
[attached image: 1755834666818.png]
 
I am not a cybersecurity expert, but wouldn't such an action (accessing the user's AppData folder) require admin privileges?
Isn't it already 'game over' if an attacker has admin privileges on your machine?

I think that at least for Edge, the local database is encrypted anyway:

 
> I am not a cybersecurity expert, but wouldn't such an action (accessing the user's AppData folder) require admin privileges?
Yes, that's correct. (y)
> Isn't it already 'game over' if an attacker has admin privileges on your machine?
Yes, game over. What's more, malware can easily obtain this data, such as infostealers, and exfiltrate your browser database to an attacker. The issue under discussion here is the encryption of a dedicated password manager database. Even if your PM database falls into the hands of a hacker, it would be useless because the data is unreadable, in other words, encrypted. :)
> I think that at least for Edge, the local database is encrypted anyway:
That's not true; the article itself contradicts it: "The profile encryption key is protected using Chromium's OSCrypt". On Windows, the storage area is DPAPI. Don't believe everything Microsoft says. Your passwords can still be easily viewed with WebBrowserPassView. Try it yourself by saving a fictitious account and any password, then draw your own conclusions. ;)
 
I have 1Password on our Desktop PC in a permanent unlocked state as the PC does not have biometric support. I unlock with biometrics on other devices.
My faith in password managers has always been their resilience to fake domains such as ones with cyrillic spelling, as they will only autofill on the correct URL.
I have a question:
If I go to a legitimate website that is saved in my password manager which has been compromised, will it only leak that sites password details?
 
How will users get onto that website? Perhaps phishing or SEO poisoning, or hoping that a typo will occur.
Can be easily mitigated by not manually typing the webaddress, and only using the one saved in bookmarks or in the password manager.
 
A vulnerability in the password manager itself is used to break the SOP, and actually the content from the real site (iframe) is being accessed by the malicious site, which shouldn't happen.
(y)

In this case, manually typing credentials will still keep them safe—it is the password manager that is the problem.

It will help in this case, but will fail in other common cases, like phishing websites that pretend to be benign ones. Most (average) users cannot recognize simple phishing and will insert credentials.
The solution should prevent common methods:
  1. Fake websites that pretend to be benign ones.
  2. Fake websites that use the benign website to fool password managers (as mentioned in your post).
  3. Compromised benign websites (password recovery, compromised subdomains, etc.).
It would be good if the solution could also prevent harvesting credentials from web browsers' encrypted wallets stored on the disk.
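The earlier post relies on the manager autofilling only on the correct URL, and the list above adds the subdomain case. As an added example (not code from this thread or from any password manager), here is the kind of origin check that gives autofill that property: an entry is saved with the exact origin it was created on, and autofill is offered only when scheme, host and port all match, the current host does not introduce an IDN (punycode) label the saved host lacks, and the page is served over https. The saved URL, the sample pages and the reason codes are constructed for the example. Node's `URL` converts a Unicode hostname to its punycode form, which is what makes the look-alike check work.

```javascript
// Added example, not code from the thread or from any password manager:
// deciding whether a saved credential may be autofilled on the current page.
// Assumptions: entries store the exact origin they were saved on; the reason
// codes and sample URLs are constructed for this example.

function normalizeOrigin(urlString) {
  const u = new URL(urlString); // converts Unicode hosts to punycode (xn--) labels
  const scheme = u.protocol.replace(':', '');
  const defaultPort = scheme === 'https' ? '443' : '80';
  return { scheme, host: u.hostname.toLowerCase(), port: u.port || defaultPort };
}

function hasPunycodeLabel(host) {
  return host.split('.').some((label) => label.startsWith('xn--'));
}

// Returns { fill: boolean, reason: string }. Only an exact origin match fills.
function autofillDecision(savedUrl, currentUrl) {
  const saved = normalizeOrigin(savedUrl);
  const cur = normalizeOrigin(currentUrl);

  if (cur.scheme !== 'https') return { fill: false, reason: 'insecure-scheme' };
  // A host that needed punycode where the saved host did not is a look-alike
  // (e.g. Cyrillic letters standing in for Latin ones).
  if (hasPunycodeLabel(cur.host) && !hasPunycodeLabel(saved.host)) {
    return { fill: false, reason: 'idn-lookalike' };
  }
  if (cur.host !== saved.host) {
    // Subdomains are not trusted by default: a compromised subdomain must not
    // receive credentials saved for the parent host.
    const isSubdomain = cur.host.endsWith('.' + saved.host);
    return { fill: false, reason: isSubdomain ? 'subdomain-mismatch' : 'host-mismatch' };
  }
  if (cur.port !== saved.port) return { fill: false, reason: 'port-mismatch' };
  return { fill: true, reason: 'exact-origin-match' };
}

// Constructed saved entry and sample pages.
const SAVED_ENTRY_URL = 'https://accounts.example.com/login';
const samplePages = [
  'https://accounts.example.com/login?next=/',   // exact origin, different path: fill
  'https://mail.accounts.example.com/',          // subdomain: no fill
  'https://accounts-example.com/',               // unrelated host: no fill
  'http://accounts.example.com/',                // plain http: no fill
  'https://ассounts.example.com/',               // Cyrillic 'а' and 'с': no fill
  'https://accounts.example.com:8443/',          // different port: no fill
];

for (const page of samplePages) {
  const d = autofillDecision(SAVED_ENTRY_URL, page);
  console.log(`${page} -> fill=${d.fill} (${d.reason})`);
}
```

An exact match is necessary but not sufficient: as the list above notes, it does nothing for a legitimately saved site that has itself been compromised, and in the clickjacking case discussed in this thread the page really is the saved origin, loaded inside the attacker's frame, which is why that attack had to be fixed in the extensions rather than in the matching rule.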
 
A researcher has tested nearly a dozen password managers and found that they were all vulnerable to clickjacking attacks that could lead to the theft of highly sensitive data.
The research was conducted by Marek Tóth and it was presented earlier this month at the DEF CON conference. The researcher has now also published a blog post detailing his findings.
The researcher targeted 1Password, Bitwarden, Dashlane, Enpass, Keeper, LastPass, LogMeOnce, NordPass, ProtonPass, RoboForm, and Apple’s iCloud Passwords, specifically their associated browser extensions.
These browser extensions are very popular. An analysis by the researcher found that they have a total of nearly 40 million active installations, based on data from the official browser extension repositories for Chrome, Edge and Firefox.
Read the full article: