Came across the following article from another tech news reader:
DOM-based Extension Clickjacking: Your Password Manager Data at Risk | Marek Tóth
Looks like Enpass is one of the many password manager extensions affected:
Mitigation
Browser extension developers should focus on the following parts. Missing the fix for any one method leaves the extension vulnerable.
Extension Element
• styles cannot be changed (MutationObserver)
• using "Closed Shadow-Root"
Parent Element
• BODY/HTML opacity detection
• using the Popover API for the extension UI should protect against this method
Extension Overlay
• last DOM element detection (z-index conflict)
• popover elements listing - when the autofill menu is opened, check if any other "top layer" elements exist
→ if another element exists the autofill menu should close
→ or just don't show the extension UI if a "popover" element exists
• elementsFromPoint() can be used for partial overlay detection but cannot be used for popover elements (elements with pointer-events:none are ignored)
→ The content script can temporarily remove pointer-events:none from all popover elements before filling in data, then check the "top layer" state using elementsFromPoint() and fill the data accordingly.
No simple protection exists.⚠️
Some platform-level support should be created: a new browser API that protects against this clickjacking technique.⚠️
The proposed solutions are still handled through JavaScript, and conflicts may occur between exploit code and the extension content script (white-box analysis of the extension can be made). The safest solution is to display a new popup window, but that would be very inconvenient for users. Alternatively, a context menu or a system dialog for autofill could be displayed.
Consider addressing this issue ASAP, Enpass team.
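The content-script checks from the quoted mitigation list (foreign top-layer popovers, ancestor opacity, elementsFromPoint() with the pointer-events:none workaround), combined into one pre-autofill decision. This is an added example, not code from the article or from Enpass; the 0.1 opacity threshold, the `canShowAutofill` function name and the assumption that the autofill menu is an element the content script owns are mine, and `doc`/`win` are passed in so the same logic runs against a real DOM or a constructed stand-in.

```javascript
// Added example (not from the article or any password manager): decide whether an
// extension autofill menu may be shown at (x, y). `doc` and `win` are the page's
// document/window in a content script; tests may pass constructed stand-ins.

// Any open popover that is not our own menu shares the top layer with it and
// could be positioned over it, so the article recommends not showing the UI.
function hasForeignOpenPopover(doc, ownMenu) {
  return Array.from(doc.querySelectorAll('[popover]'))
    .some((el) => el !== ownMenu && el.matches(':popover-open'));
}

// BODY/HTML opacity detection, generalised to every ancestor of the field:
// if anything above the field is (nearly) invisible, the user cannot see what
// the click will land on. The 0.1 threshold is an assumption, not from the article.
function ancestorChainHidden(win, field) {
  for (let node = field; node; node = node.parentElement) {
    const cs = win.getComputedStyle(node);
    if (parseFloat(cs.opacity) < 0.1) return true;
    if (cs.visibility === 'hidden' || cs.display === 'none') return true;
  }
  return false;
}

// elementsFromPoint() ignores elements with pointer-events:none, so an overlay
// styled that way would be invisible to the check. Temporarily force
// pointer-events:auto on every other popover, query, then restore the styles.
function menuIsTopmostAt(doc, ownMenu, x, y) {
  const others = Array.from(doc.querySelectorAll('[popover]')).filter((el) => el !== ownMenu);
  const saved = others.map((el) => el.style.pointerEvents);
  others.forEach((el) => { el.style.pointerEvents = 'auto'; });
  let stack;
  try {
    stack = doc.elementsFromPoint(x, y);
  } finally {
    others.forEach((el, i) => { el.style.pointerEvents = saved[i]; });
  }
  return stack.length > 0 && (stack[0] === ownMenu || ownMenu.contains(stack[0]));
}

// Returns { ok, reason }; the caller closes or refuses to open the menu when !ok.
function canShowAutofill(doc, win, field, ownMenu, x, y) {
  if (hasForeignOpenPopover(doc, ownMenu)) return { ok: false, reason: 'foreign popover in top layer' };
  if (ancestorChainHidden(win, field)) return { ok: false, reason: 'field or ancestor hidden' };
  if (!menuIsTopmostAt(doc, ownMenu, x, y)) return { ok: false, reason: 'menu covered at point' };
  return { ok: true, reason: 'clear' };
}
```

In a real content script, pair this with a MutationObserver on the menu element (restoring its styles when changed) and a closed shadow root, as the article's "Extension Element" items describe.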