Extension clickjacking can silently exfiltrate financial credentials, exposing millions of users to fraud; robust manifest controls and UI integrity checks are now essential for browser security.
The DEF CON presentation by Marek Tóth exposed a new class of browser‑extension clickjacking that lets attackers harvest credit‑card and password data with a handful of user clicks. By targeting the manual‑autofill feature of popular password‑manager extensions, the researcher demonstrated how malicious pages can render extension UI elements invisible and capture user input without any visible warning.
Two attack vectors were detailed. The first mirrors classic web clickjacking: a transparent iframe loads an extension's web-accessible resource, which is possible because Manifest V2 files declare no "matches" restriction on those resources. Using NordPass as a case study, Tóth showed that a victim could share an entire vault with an attacker after only four clicks, earning a $10,000 bounty. The second, more novel approach manipulates the DOM that extensions inject into the page (changing opacity, overlaying elements, or using pointer-events:none) to hide autofill menus from view while still triggering them when the user clicks on what appears to be an ordinary page element, such as a cookie-consent banner.
Live demos illustrated the mechanics: opacity‑zero overlays on Proton Pass and other managers caused the autofill dropdown to appear behind a fake consent dialog, allowing the attacker to capture card numbers, expiration dates, and CVVs. The speaker also highlighted the limitations of existing defenses; CSP headers and X‑Frame‑Options often protect traditional sites but not extension‑specific resources, especially when developers rely on Manifest V2 defaults.
The findings underscore an urgent need for extension developers to adopt Manifest V3, explicitly whitelist domains in "matches", enforce strict Content‑Security‑Policy rules, and limit web‑accessible resources to the minimum required. Security researchers and bounty programs should prioritize these vectors, and users should be cautious when granting extensions permission to autofill sensitive data.
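For the DOM-manipulation vector above, the defensive counterpart is an integrity check the extension runs on its own injected autofill UI at click time, refusing to fill when the menu is not actually visible. The following is an added example written for this page, not code from the talk or from any password manager; the snapshot shape, the collectSnapshot helper and the field names are assumptions, and the decision logic is kept separate from the DOM so it can be exercised without a browser.

```javascript
// Snapshot shape (assumed): { chain: [style, ...], coveredBy: string|null }
//   chain[0] describes the autofill menu itself, later entries its ancestors,
//   each as { opacity, visibility, display } taken from getComputedStyle;
//   coveredBy names whatever element is painted over the menu's centre point.
function assessAutofillUi(snapshot) {
  const reasons = [];
  snapshot.chain.forEach((style, depth) => {
    // opacity multiplies down the tree, so opacity:0 on any ancestor hides the
    // menu; any reduction at all is suspicious for a credential-filling UI
    if (parseFloat(style.opacity) < 1) reasons.push(`opacity ${style.opacity} at depth ${depth}`);
    if (style.visibility === 'hidden') reasons.push(`visibility hidden at depth ${depth}`);
    if (style.display === 'none') reasons.push(`display none at depth ${depth}`);
  });
  // An overlay (e.g. a fake consent dialog) sits on top of the menu
  if (snapshot.coveredBy) reasons.push(`covered by ${snapshot.coveredBy}`);
  return { safe: reasons.length === 0, reasons };
}

// Browser-side helper (assumed; needs a DOM, not exercised here). Call it from
// the menu's click handler, not at injection time: the page can restyle the
// injected DOM at any moment after it is inserted.
function collectSnapshot(menuEl) {
  const chain = [];
  for (let node = menuEl; node && node.nodeType === 1; node = node.parentElement) {
    const cs = window.getComputedStyle(node);
    chain.push({ opacity: cs.opacity, visibility: cs.visibility, display: cs.display });
  }
  const r = menuEl.getBoundingClientRect();
  const top = document.elementFromPoint(r.left + r.width / 2, r.top + r.height / 2);
  // Caveat: elementFromPoint skips overlays styled pointer-events:none, so an
  // overlay that lets clicks pass through is not caught here; the opacity
  // checks above are what catch the opacity:0 variant of the attack.
  const coveredBy = top && top !== menuEl && !menuEl.contains(top)
    ? top.tagName + (top.id ? '#' + top.id : '')
    : null;
  return { chain, coveredBy };
}

// Constructed sample snapshots standing in for three page states.
const VISIBLE_MENU = {
  chain: [{ opacity: '1', visibility: 'visible', display: 'block' },
          { opacity: '1', visibility: 'visible', display: 'block' }],
  coveredBy: null,
};
const ANCESTOR_OPACITY_ZERO = {
  chain: [{ opacity: '1', visibility: 'visible', display: 'block' },
          { opacity: '0', visibility: 'visible', display: 'block' }],
  coveredBy: null,
};
const UNDER_FAKE_BANNER = { chain: VISIBLE_MENU.chain, coveredBy: 'DIV#cookie-consent' };
```

When assessAutofillUi reports safe: false, the extension should decline to fill and can log the reasons as a clickjacking signal for the vault's security telemetry.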