A vulnerability has been discovered in many password manager extensions:
https://marektoth.com/blog/dom-based-extension-clickjacking
What about Passbolt?
I don’t know if the fix in 3.11.1 is enough.
Thanks for raising this. We’re currently reviewing the research presented at DEFCON. The author did not contact us in advance, so we’re still in the process of evaluating the findings in detail.
After having a quick look, this class of issue is already known to us and not trivial to mitigate fully, while its practical impact is limited (e.g. it requires an attacker-controlled subdomain with XSS and the victim having valid credentials set to work on both the main domain and subdomain). That said, there are some areas where additional protections could strengthen security and be easy to implement (e.g. around CSS manipulations such as iframe opacity).
Rest assured we are treating this topic seriously and will share an update in the coming days.
I tried with the demo site, but as Passbolt is on the right of the field and you first need to click on it before choosing the entry from the vault, it’s not working, and so it’s not so trivial with hidden fields.
We have completed an analysis of the recently disclosed clickjacking technique and confirm that Passbolt is affected. Mitigations are already in development and will be rolled out in the next extension releases.
This attack uses DOM and CSS manipulation so that a real user click lands on an extension interface without the user noticing. Exploitation requires the attacker to control the DOM on a trusted domain or subdomain, typically through XSS. It therefore amplifies an existing issue on the visited site rather than creating a standalone remote attack from arbitrary pages.
Exploitation in Passbolt requires two user clicks. The suggested password is only shown after a click on the Passbolt call-to-action that appears in the browser input field, and a second click is needed to choose the credential.
The scope of data is limited. Passbolt only autofills passwords, not TOTP codes or other content types.
In addition, a password can only be suggested for a domain or subdomain that is already associated with that credential, which narrows exposure to the compromised origin.
Because an attacker must already control a trusted domain or subdomain for which credentials were stored, we assess the overall risk for Passbolt as low. While password theft is possible in that scenario, an attacker with working XSS on the target application may already be able to act without needing autofill, and a password alone may not be sufficient where TOTP is required.
We are hardening the extension so the Passbolt interface cannot be tampered with and users do not interact with it unintentionally. In a later release, we plan to add policy controls so organizations can further tailor autofill behavior, including stricter origin matching and options to limit in-page integration.
Timeline: the first hardening set is queued for the next browser extension update (10th September), with additional controls to follow. We will update this topic with release notes when they ship.
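As an added illustration of the kind of defender-side check the hardening above could include (example code written for this thread, not Passbolt’s own implementation): before honouring a click on its injected call-to-action or iframe, an extension can walk the element’s computed-style chain and refuse the click when CSS states such as near-zero effective opacity, `visibility:hidden` or a clip-path would let a real click land on a control the user cannot see. The function names, the `0.9` opacity threshold and the browser wrapper are assumptions.

```javascript
// Added example (not Passbolt's code): a defender-side check an extension could
// run on its injected UI before honouring a click. It reports CSS states that
// hide the control from the user while still letting a click land on it, which
// is the core of the DOM-based clickjacking pattern discussed in the thread.
// Threshold and function names are assumptions.

const MIN_EFFECTIVE_OPACITY = 0.9; // assumed threshold: fainter is suspicious

// chain[0] is the element's own computed style; later entries are ancestors.
// Opacity is multiplicative down the tree, so a parent at 0.01 hides the child
// even when the child itself reports opacity 1.
function effectiveOpacity(chain) {
  return chain.reduce((acc, s) => acc * parseFloat(s.opacity ?? "1"), 1);
}

// Returns the list of reasons the element should not be trusted for a click;
// an empty list means nothing suspicious was found.
function tamperReasons(chain) {
  const reasons = [];
  const opacity = effectiveOpacity(chain);
  if (opacity < MIN_EFFECTIVE_OPACITY) {
    reasons.push(`effective opacity ${opacity.toFixed(2)}`);
  }
  chain.forEach((s, depth) => {
    if (s.visibility === "hidden" || s.visibility === "collapse") {
      reasons.push(`visibility:${s.visibility} at depth ${depth}`);
    }
    if (s.display === "none") reasons.push(`display:none at depth ${depth}`);
    if (s.clipPath && s.clipPath !== "none") {
      reasons.push(`clip-path:${s.clipPath} at depth ${depth}`);
    }
  });
  return reasons;
}

// Browser-side helpers (assume a DOM): build the chain from live computed
// styles, then confirm the element is the topmost node at its own centre so
// no overlay sits between the user and the control.
function collectStyleChain(el, win = globalThis.window) {
  const chain = [];
  for (let node = el; node && node.nodeType === 1; node = node.parentElement) {
    chain.push(win.getComputedStyle(node));
  }
  return chain;
}

function isSafeToClick(el, doc = globalThis.document) {
  const reasons = tamperReasons(collectStyleChain(el));
  const r = el.getBoundingClientRect();
  const top = doc.elementFromPoint(r.left + r.width / 2, r.top + r.height / 2);
  if (top !== el && !el.contains(top)) reasons.push("obscured by another node");
  return { safe: reasons.length === 0, reasons };
}
```

`tamperReasons` works on plain style objects, so it can be unit-tested without a browser; only `isSafeToClick` needs a live DOM.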