If you use Firefox on a Mac or PC, Apple offers a handy browser extension that puts your iCloud passwords within reach without having to open a separate app. However, a new warning may make you think twice before using it next time.
As reported by The Hacker News, security researcher Marek Tóth has discovered a new Document Object Model (DOM)-based vulnerability that lets attackers steal users' credit card data, personal data and login details via so-called clickjacking, or UI redressing. As the researchers explain, clickjacking “refers to a kind of attack in which users are misled into performing a series of actions on a website that are seemingly imperative, such as clicking on buttons, when they are actually unintentionally performing the attacker’s bidding.”
Although some of the flaws have been patched, several popular password manager extensions remain at risk, including 1Password, LastPass and iCloud. For iCloud Passwords, the researchers specifically point to version 3.1.25, which Firefox uses. Chrome uses a newer version, 3.1.27, although it seems the flaw still exists there.
To gain access to an account, an attacker would create a fake site with a pop-up containing “an invisible login form so that when the user clicks on the site to close the pop-up, the login details are automatically filled by the password manager and extracted to an external server.” So when the user tries to close the window, the credentials are filled in automatically.
Earlier this year, a flaw in Apple’s Passwords app was disclosed that allowed an attacker to intercept sensitive data via unsecured HTTP traffic. Apple patched that vulnerability in iOS 18.2.
Tóth says that Apple is working on a fix for the flaw, while 1Password and LastPass are still investigating. Bitwarden, which was also affected, released an update last week to address the problem. But if you use these extensions on a Mac or PC, make sure that the site you are using is a trusted one.


