Comment by esseph
2 days ago
Autofill can be an attack vector.
Lookup Dom-based clickjacking. It will "autofill" the field but on submission it sends the data to an attacker.
"The new technique detailed by Tóth essentially involves using a malicious script to manipulate UI elements in a web page that browser extensions inject into the DOM -- for example, auto-fill prompts, by making them invisible by setting their opacity to zero.
The research specifically focused on 11 popular password manager browser add-ons, ranging from 1Password to iCloud Passwords, all of which have been found to be susceptible to DOM-based extension clickjacking. Collectively, these extensions have millions of users."
""All password managers filled credentials not only to the 'main' domain, but also to all subdomains," Tóth explained. "An attacker could easily find XSS or other vulnerabilities and steal the user's stored credentials with a single click (10 out of 11), including TOTP (9 out of 11). In some scenarios, passkey authentication could also be exploited (8 out of 11).""
More info: https://marektoth.com/blog/dom-based-extension-clickjacking/
Originally discussed at DEFCON 33
No comments yet
Contribute on Hacker News ↗