Password manager attack


Alan Karp

May 2, 2022, 2:42:54 PM
to <friam@googlegroups.com>
In an earlier email, I posited a browser extension that created an invisible password field and induced the user to click on it.  As Kevin and Jas both pointed out, such a malicious extension could steal passwords far more easily.

I remembered a couple of papers that described such attacks, but I couldn't find them at the time.  I just spent the morning looking for them and found one, 


It's mostly about autofill vulnerabilities, but it contains the following paragraph:

We created a simple “clickjacking” attack [23, 38, 25]. The attacker presents the user with a benign form seemingly unrelated to the target site. Overlaying the benign form is an invisible iFrame pointing to the target site’s login page. The iFrame is positioned such that when a user interacts with the benign form, they actually interact with the invisible iFrame — in this case, when the user thinks they are filling a form on a benign site, they are actually filling the password in the target site. Once filled, any of the exfiltration techniques described previously can be used to steal the password. This attack steals a password for one site at a time, but could be repeated to steal passwords for multiple sites.

From that analysis, I conclude that I can use "click to fill" only on visible password fields.  "Paste to fill" should be okay on the rest.  That's unfortunate, due to the difficulty of deciding if a DOM element is visible.

--------------
Alan Karp
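
A conservative form of the visibility decision discussed in the message above, as an added example that is not part of the original post or of any real password manager. The function name, the thresholds and the mock elements are assumptions; the mocks are constructed so the check runs outside a browser.

```javascript
// Added example; all names are hypothetical. In a real content script pass
// getStyle = (e) => getComputedStyle(e), inTopFrame = (window.top === window.self),
// viewport = { width: innerWidth, height: innerHeight }.
const MIN_OPACITY = 0.9; // assumed threshold
const MIN_SIZE_PX = 8;   // assumed threshold

function clickToFillAllowed(field, getStyle, inTopFrame, viewport) {
  // The embedding page can make a whole frame transparent, and a script in a
  // cross-origin frame cannot inspect that, so framed documents are refused.
  if (!inTopFrame) return { ok: false, reason: "framed" };

  const r = field.getBoundingClientRect();
  if (r.width < MIN_SIZE_PX || r.height < MIN_SIZE_PX)
    return { ok: false, reason: "too-small" };
  if (r.right <= 0 || r.bottom <= 0 || r.left >= viewport.width || r.top >= viewport.height)
    return { ok: false, reason: "off-screen" };

  // Computed visibility is inherited, so the field's own value is enough.
  if (getStyle(field).visibility !== "visible") return { ok: false, reason: "hidden" };

  // display:none on any ancestor hides the field; opacity multiplies down the chain.
  let opacity = 1;
  for (let e = field; e; e = e.parentElement) {
    const s = getStyle(e);
    if (s.display === "none") return { ok: false, reason: "display-none" };
    const o = parseFloat(s.opacity);
    opacity *= Number.isFinite(o) ? o : 0; // unparseable opacity counts as invisible
  }
  if (opacity < MIN_OPACITY) return { ok: false, reason: "transparent" };
  return { ok: true, reason: "visible" };
}

// Constructed stand-ins for DOM elements so the check runs outside a browser.
function mockEl(style, rect, parentElement = null) {
  const base = { display: "block", visibility: "visible", opacity: "1" };
  return { style: { ...base, ...style }, parentElement, getBoundingClientRect: () => rect };
}
const mockStyle = (e) => e.style;
const VIEWPORT = { width: 1280, height: 720 };
const RECT = { left: 100, top: 100, right: 300, bottom: 130, width: 200, height: 30 };
```

This check does not detect a field that is covered by another element; in a browser, `document.elementFromPoint` at the field's centre can be compared against the field for that case.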