Browser Extension Clickjacking: One Click and Your Credit Card Is Stolen

Presented at DEF CON 33 (2025), Aug. 9, 2025, 3 p.m. (45 minutes).

Browser extensions have become increasingly popular for enhancing the web browsing experience. Common examples are ad blockers, cryptocurrency wallets, and password managers. At the same time, modern websites frequently display intrusive elements, such as cookie consent banners, newsletter subscription modals, login forms, and other elements that require user interaction before the desired content can be displayed. In this talk, I will present a new technique based on clickjacking principles that targets browser extensions, where I used fake intrusive elements to enforce user interaction. In my research, I tested this technique on the 11 most widely used password managers, which resulted in discovering multiple 0-day vulnerabilities that could affect tens of millions of users. Typically, just one click was required from a user to leak their stored private information, such as credit card details, personal data or login credentials (including TOTP). In some cases, it could lead to the exploitation of passkey authentication. The described technique is general and can be applied to browser extensions beyond password managers, meaning other extensions may also be vulnerable to this type of attack. In addition to describing several methods of this technique, I will also recommend mitigations for developers to protect their extensions against this vulnerability.

Presenters:

  • Marek Tóth
    Marek Tóth is a security researcher from the Czech Republic specializing in web application security. In his free time, he conducts independent research and reports critical vulnerabilities that could be exploited by attackers, with a recent focus on Czech companies. He shares interesting findings on his personal website and YouTube channel, or presents them at conferences, primarily at OWASP Chapter meetups.
