Potential DOM-Based Clickjacking Vulnerability

[headEx74]

Description:

A potential security vulnerability has been identified that could affect browser extensions like Kee. The issue involves DOM-based clickjacking attacks where malicious websites could potentially overlay or manipulate extension UI elements to trick users into unintended actions.

Reference:
https://marektoth.com/blog/dom-based-extension-clickjacking/

Potential Impact:

• Malicious websites could potentially overlay Kee's password fill dialogs or UI elements
• Users might be tricked into authorizing password fills or other sensitive actions on malicious sites
• Could lead to credential theft or unauthorized access to password data

Would appreciate investigation and feedback from the development team on current protections against this type of attack vector.

[marektoth]

I've done some quick test of Kee, and yes, it is vulnerable to DOM-based extension clickjacking

But there’s another problem as well.

Kee uses automatic autofill (0-click) as the default setting, so no click is needed at all - meaning the clickjacking vulnerability doesn't even need to be exploited.

Automatic autofill research: https://marektoth.com/blog/password-managers-autofill/

Steps:

1. Save your credentials: https://websecurity.dev/password-managers/login/
2. Open: https://websecurity.dev/password-managers/autofill/ a and you will see your credentials
   (Autosubmit may cause an issue with displaying credentials.)

DOM-based extension clickjacking vulnerability:

Extension Element: can be changed opacity for extension element
Parent Element: can be changed opacity for body/html
Overlay: vulnerable full overlay (tested only this method)

Demo sites: full overlay - login credentials will be in console
opacity:0.5: https://websecurity.dev/overlay/login-opacity.html
opacity:0: https://websecurity.dev/overlay/login.html

Impact:
Logins credentials stealing - only for vulnerable (sub)domain (XSS, subdomain takeover etc.)

• Kee fills in data on other subdomains than the ones where the data was stored

✅ Autofill for credit card/personal data is not supported in Kee (or it just didn’t work for me)

[headEx74]

Anything new about this issue?