If you use iCloud Passwords on Chrome or Firefox, your data may be at risk

Macworld

If you use Firefox on a Mac or PC, Apple offers a handy browser extension that puts your iCloud passwords right at your fingertips without needing to open a separate app. However, a new warning might make you think twice before you use it next time.

As reported by The Hacker News, security researcher Marek Tóth has discovered a new Document Object Model (DOM) vulnerability that could allow attackers to steal users’ credit card details, personal data, and login credentials through so-called clickjacking or UI redressing. As the researchers explain, clickjacking “refers to a type of attack in which users are tricked into performing a series of actions on a website that appear ostensibly harmless, such as clicking on buttons, when, in reality, they are inadvertently carrying out the attacker’s bidding.”

While some flaws have been patched, several popular password manager extensions are at risk, including 1Password, LastPass, and iCloud Passwords. With iCloud Passwords, researchers specifically point to version 3.1.25, which Firefox uses. Chrome uses a newer version, 3.1.27, though the flaw appears to still exist there.

To gain access to an account, an attacker would need to create a fake site with a pop-up with “an invisible login form such that clicking on the site to close the pop-up causes the credential information to be auto-filled by the password manager and exfiltrated to a remote server.” So when the user attempts to close the window, credentials are automatically filled.
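The weakness described above is that an autofill component fills a form the user cannot see. As an added example (not code from Apple, the researcher, or any extension named here), this is one check such a component could run before filling a field; the thresholds, function names, and plain-object stand-ins for DOM nodes are assumptions.

```javascript
// Added example: is a field visible enough to autofill? Thresholds are assumptions.
const MIN_OPACITY = 0.9;  // assumed cutoff, not taken from any vendor
const MIN_SIZE_PX = 4;    // assumed minimum rendered width/height

// Browser reader; the constructed sample below uses a plain-object reader instead.
function browserStyle(el) {
  const cs = window.getComputedStyle(el);
  const r = el.getBoundingClientRect();
  return { opacity: cs.opacity, visibility: cs.visibility, width: r.width, height: r.height };
}

// Returns { allowed, reason } for a candidate autofill target.
function checkAutofillTarget(field, getStyle = browserStyle) {
  const own = getStyle(field);
  // display:none anywhere in the chain yields a 0x0 box in the browser.
  if (own.width < MIN_SIZE_PX || own.height < MIN_SIZE_PX) {
    return { allowed: false, reason: "field has no visible size" };
  }
  // visibility is inherited, so the field's computed value is the effective one.
  if (own.visibility !== "visible") {
    return { allowed: false, reason: "field is visibility:" + own.visibility };
  }
  // opacity is not inherited but composes: multiply along the ancestor chain.
  let opacity = 1;
  for (let el = field; el; el = el.parentElement) {
    const o = parseFloat(getStyle(el).opacity);
    if (!Number.isNaN(o)) opacity *= o;
  }
  if (opacity < MIN_OPACITY) {
    return { allowed: false, reason: "effective opacity " + opacity.toFixed(2) };
  }
  return { allowed: true, reason: "visible" };
}

// Constructed sample trees (plain objects standing in for DOM nodes).
const node = (style, parentElement = null) => ({ style, parentElement });
const shown = { opacity: "1", visibility: "visible", width: 200, height: 30 };
const modelStyle = (el) => el.style;

const body = node(shown);
const normalField = node(shown, node(shown, body));
const hiddenPopup = node({ ...shown, opacity: "0.01" }, body);   // transparent wrapper
const hiddenField = node(shown, node(shown, hiddenPopup));
const fadedField = node({ ...shown, opacity: "0.9" }, node({ ...shown, opacity: "0.95" }, body));

for (const [name, f] of Object.entries({ normalField, hiddenField, fadedField })) {
  console.log(name, checkAutofillTarget(f, modelStyle));
}
```

The check walks the ancestor chain because a field with its own opacity of 1 is still invisible when any wrapper around it is transparent.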

Earlier this year, a flaw in Apple’s Passwords app was revealed that could allow an attacker to intercept sensitive data via unsecured HTTP traffic. Apple patched that vulnerability in iOS 18.2.

Tóth says Apple is working on a fix for the flaw, while 1Password and LastPass are still investigating. Bitwarden, which was also affected by the flaw, released an update to address the issue last week. But if you’re using these extensions on a Mac or PC, make sure the site you’re using is a trusted one.
