Most major password managers vulnerable to 0-day clickjacking attack

Matt Johansen
21 Aug 2025 11:29

Summary

TL;DR: A researcher has exposed a new zero-day ClickJacking vulnerability affecting major password managers' browser extensions, allowing attackers to steal sensitive data with a single click. This vulnerability targets the autofill feature of password managers like 1Password, Bitwarden, and LastPass. While some password managers have implemented mitigations, others, such as 1Password, argue that the issue is user-dependent and that mitigating it may compromise usability. The debate centers on balancing security and user experience, with password managers emphasizing user vigilance on unfamiliar websites.

Takeaways

  • Researchers have exposed a zero-day ClickJacking vulnerability in major password managers, specifically targeting browser extensions.
  • ClickJacking is a method where invisible elements are placed over visible ones to trick users into clicking on them, potentially leaking sensitive data.
  • The new vulnerability is DOM-based extension ClickJacking, where browser extensions inject invisible elements into the DOM that can be abused to steal credentials and other sensitive information.
  • 11 major password managers were tested, and all were found vulnerable to this DOM-based ClickJacking attack, affecting credentials and even passkeys.
  • The vulnerability was first reported in April, but many password managers, including 1Password and LastPass, have chosen not to fix it due to usability concerns.
  • 1Password's stance is that the real risk comes from malicious websites, not their password manager, and they have opted for usability over full security mitigation.
  • The attacker can steal data like credentials or credit card details with minimal user interaction, often requiring only one click on a malicious site.
  • 1Password acknowledges the vulnerability but argues that protecting against it may cause significant user inconvenience, which they believe outweighs the risk.
  • The vulnerability affects major password managers such as Bitwarden, LastPass, 1Password, and iCloud Passwords, but not all of them are offering effective fixes.
  • Users can disable autofill features or manually fill in passwords as a precaution, but the trade-off is the loss of convenience and of protection against phishing.
  • The ongoing debate highlights the tension between improving security and maintaining user convenience, with password managers trying to find the right balance.

Q & A

  • What is the new vulnerability discovered in password managers discussed in the video?

    -The new vulnerability is a DOM-based extension ClickJacking attack, which affects browser extensions for password managers. It allows attackers to manipulate invisible elements to steal sensitive data, such as credentials and credit card information, from users' password managers.

  • How does traditional ClickJacking work, and how is the new attack different?

    -Traditional ClickJacking uses an invisible iframe over a visible element to trick users into interacting with the hidden iframe. The new DOM-based extension ClickJacking specifically targets password manager extensions injected into the browser’s DOM, making invisible elements interactable with JavaScript to steal data.

  • What is the significance of subdomains in this attack?

    -Subdomains are critical in this attack because attackers can exploit cross-site scripting (XSS) vulnerabilities on subdomains, which are often less secure or overlooked by security teams. If autofill is enabled for a main domain, an attacker can steal credentials even if the attack happens on a subdomain.

  • Which password managers were found to be vulnerable to this attack?

    -The affected password managers include Bitwarden, 1Password, LastPass, LogMeIn, iCloud Passwords, and others. These password managers' browser extensions were found to be vulnerable to DOM-based extension ClickJacking.

  • Why have some password managers chosen not to fix this vulnerability?

    -Some password managers, like 1Password, argue that the risk is minimal because the vulnerability is not inherently in the password manager itself but in external factors, such as visiting a malicious website or having a compromised device. They prioritize usability and have chosen not to implement the proposed mitigations because of their potential impact on user experience.

  • What mitigation methods have password managers attempted to implement?

    -Some password managers have implemented mitigations, such as limiting autofill to exact URL matches, adding prompts for user confirmation before autofilling, or trying to prevent ClickJacking directly. However, 1Password has stated that these mitigations may be easily bypassed and are not foolproof.
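    The two mitigations above (exact URL matching and a confirmation prompt) and the subdomain risk described earlier can be captured in a small autofill policy check. The code below is an added illustration, not code from the talk or from any password manager vendor; the credential record shape, the policy names and the two-label registrable-domain rule are simplifying assumptions (real extensions use the Public Suffix List).

```javascript
// Added example: an autofill decision function comparing a saved credential's
// URL with the page origin under two policies.
//   "exact-origin": scheme, host and port must all match (strictest).
//   "same-site":    any subdomain of the registrable domain qualifies, but a
//                   non-identical host triggers a confirmation prompt, since an
//                   XSS on an overlooked subdomain is where DOM-based extension
//                   clickjacking turns into credential theft.

// Assumption: registrable domain = last two labels (no Public Suffix List).
function registrableDomain(hostname) {
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

function autofillDecision(credentialUrl, pageUrl, policy) {
  const cred = new URL(credentialUrl);
  const page = new URL(pageUrl);
  // Never offer secrets to a plaintext page, regardless of policy.
  if (page.protocol !== "https:") {
    return { allow: false, confirm: false, reason: "insecure page" };
  }
  if (policy === "exact-origin") {
    const ok = cred.origin === page.origin;
    return { allow: ok, confirm: false, reason: ok ? "origin match" : "origin mismatch" };
  }
  if (policy === "same-site") {
    const sameSite = registrableDomain(cred.hostname) === registrableDomain(page.hostname);
    const exactHost = cred.hostname === page.hostname;
    return {
      allow: sameSite,
      confirm: sameSite && !exactHost, // subdomain match: ask the user first
      reason: !sameSite ? "site mismatch" : exactHost ? "host match" : "subdomain match",
    };
  }
  throw new Error("unknown policy: " + policy);
}

// Evaluate one saved credential against several candidate pages.
function auditAutofill(credentialUrl, pageUrls, policy) {
  return pageUrls.map((u) => ({ page: u, ...autofillDecision(credentialUrl, u, policy) }));
}

// Constructed sample: one saved login, three pages it might be offered on.
const SAMPLE_CRED = "https://accounts.example.com/login";
const SAMPLE_PAGES = [
  "https://accounts.example.com/",
  "https://dev.example.com/",      // forgotten subdomain
  "http://accounts.example.com/",  // downgraded transport
];
```

Under "exact-origin" only the first page is filled; under "same-site" the second is filled only after confirmation and the third is refused outright.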

  • Why did 1Password remove the autofill prompt that could have prevented this attack?

    -1Password removed the autofill prompt after receiving feedback from users who found it intrusive. They opted for a balance between security and usability, choosing to prioritize the convenience of autofill over the added security layer that could have prevented ClickJacking.

  • What is the proposed solution for mitigating this vulnerability?

    -The most secure solution would be for password managers to implement a dialogue prompt that asks users for confirmation before autofilling credentials. However, this may compromise the user experience by requiring additional clicks and interaction.

  • How should users protect themselves from this vulnerability?

    -Users can protect themselves by disabling autofill in their password manager, especially on unfamiliar websites. This will prevent attackers from exploiting the ClickJacking vulnerability. Users can also manually copy and paste credentials instead of relying on autofill.

  • Do the researchers believe this vulnerability is serious enough to change password managers?

    -The researchers, and the video presenter, believe the vulnerability is not severe enough to warrant changing password managers, as the attack requires tricking users into clicking on a malicious site. They also emphasize that the risk is low for most users, and the trade-off between security and usability makes it a challenging issue to resolve.
