Clickjacking password managers


Alan Karp

Apr 25, 2022, 1:51:19 PM
to <friam@googlegroups.com>
(Let me know if you prefer I not discuss password managers on this list.)

A couple of weeks ago I mentioned that I was concerned about a clickjacking attack against my password manager, but Jas assured me it wasn't a problem.  I've been thinking about it, and I now think it is a problem, and not just for my password manager.

Say that you install a malicious extension with a content script that creates an invisible password field.  There is a known vulnerability when your password manager automatically fills in all password fields on the page, including the one controlled by the malicious extension.  Bitwarden is a popular tool that is vulnerable to this attack.  Dashlane, on the other hand, requires you to use the clipboard if there are multiple password fields. 

Say, instead, that you avoid this problem by requiring a click in the password field.  You are vulnerable if the attacker can induce you to click on the invisible password field.  A solution to this problem is to set up the click handler only for visible password fields.  Another is to require pasting the password if the tool finds more than one password field.  Psono, an open source password manager, avoids this problem by requiring a second click in a popup menu.

Is my concern real?  If so, is my mitigation sufficient?

--------------
Alan Karp

Kevin Reid

Apr 25, 2022, 2:23:24 PM
to fr...@googlegroups.com
On Mon, Apr 25, 2022 at 10:51 AM Alan Karp <alan...@gmail.com> wrote:
> Say that you install a malicious extension with a content script that creates an invisible password field ...

A malicious extension with permission to insert a content script can do *lots* of things that end up taking over your session. (Exactly which things depend on the design of the web site, but I doubt it would ever be “nothing”.) So, as I see it, there is no point in trying to harden the password entry particularly (except perhaps in the direction of: detect something funny and warn the user *instead* of inserting the password.)
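The two mitigations the thread has discussed so far, filling only a visible password field (falling back to copy/paste when there are several) and warning instead of filling when a hidden one is present, as an added example that is not code from the thread or from any password manager. Fields are plain-object snapshots (a hypothetical shape) of what getComputedStyle() and getBoundingClientRect() would report, so the policy logic runs outside a browser.

```javascript
// Added example: autofill policy for password fields.
// Decide per page whether to fill, ask for manual paste, or warn.

function isVisible(f, viewport) {
  if (f.display === 'none' || f.visibility === 'hidden') return false;
  if (f.opacity < 0.1) return false;                 // effectively transparent
  const r = f.rect;
  if (r.width < 1 || r.height < 1) return false;     // collapsed to nothing
  if (r.x + r.width <= 0 || r.y + r.height <= 0) return false;       // off-screen top/left
  if (r.x >= viewport.width || r.y >= viewport.height) return false; // off-screen bottom/right
  return true;
}

function autofillDecision(fields, viewport) {
  const pw = fields.filter(f => f.type === 'password');
  const visible = pw.filter(f => isVisible(f, viewport));
  const hidden = pw.length - visible.length;
  if (pw.length === 0) return { action: 'none' };
  if (hidden > 0) return { action: 'warn', hidden };          // something funny: do not fill
  if (visible.length > 1) return { action: 'manual', count: visible.length }; // use clipboard
  return { action: 'fill', target: visible[0].name };
}

// Constructed sample pages (hypothetical field names and geometry).
const VIEWPORT = { width: 1280, height: 800 };
const base = { display: 'block', visibility: 'visible', opacity: 1 };
const LOGIN = [
  { ...base, name: 'user', type: 'text', rect: { x: 100, y: 200, width: 240, height: 32 } },
  { ...base, name: 'pass', type: 'password', rect: { x: 100, y: 250, width: 240, height: 32 } },
];
// Same login page plus a transparent password field added by a content script.
const LOGIN_WITH_OVERLAY = [
  ...LOGIN,
  { ...base, name: 'overlay', type: 'password', opacity: 0, rect: { x: 100, y: 250, width: 240, height: 32 } },
];
// A change-password form: two legitimate, visible password fields.
const CHANGE_PW = [
  { ...base, name: 'new', type: 'password', rect: { x: 100, y: 200, width: 240, height: 32 } },
  { ...base, name: 'confirm', type: 'password', rect: { x: 100, y: 250, width: 240, height: 32 } },
];

console.log(autofillDecision(LOGIN, VIEWPORT));              // { action: 'fill', target: 'pass' }
console.log(autofillDecision(LOGIN_WITH_OVERLAY, VIEWPORT)); // { action: 'warn', hidden: 1 }
console.log(autofillDecision(CHANGE_PW, VIEWPORT));          // { action: 'manual', count: 2 }
```

The visibility test is deliberately conservative: a field that fails any one check is treated as hidden, which is what turns the decision into a warning rather than a fill.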

Alan Karp

Apr 25, 2022, 2:41:03 PM
to <friam@googlegroups.com>
You're right.  A malicious content script could just watch for updates to a password field and steal your password that way.

Are there other ways for a bad guy who doesn't have access to the page content to inject an invisible password field into a page?  I use the origin for iframes, so they're not an issue.

--------------
Alan Karp


๏̯͡๏ Jasvir Nagra

Apr 25, 2022, 3:14:47 PM
to fr...@googlegroups.com
That was my argument.  If an attacker can clickjack you by inserting DOM elements into the password page, there are other ways they can also pwn you (admittedly CSP actually does mitigate this case a little), but you (and by you, I mean the page author) really have already lost at that point.  I think it's a mistake to try to defend against the attack because you're not defending against a vuln your extension is introducing - you're defending against a vuln in the page.

-- 
Jasvir Nagra
