Basic Information

This page is going to abuse a ClickJacking vulnerability in a Browser extension. If you don't know what ClickJacking is check:

Extensions contains the file manifest.json and that JSON file has a field web_accessible_resources. Here's what the Chrome docs say about it:

These resources would then be available in a webpage via the URL chrome-extension://[PACKAGE ID]/[PATH], which can be generated with the extension.getURL method. Allowlisted resources are served with appropriate CORS headers, so they're available via mechanisms like XHR.1

The web_accessible_resources in a browser extension are not just accessible via the web; they also operate with the extension's inherent privileges. This means they have the capability to:

• Change the extension's state

• Load additional resources

• Interact with the browser to a certain extent

However, this feature presents a security risk. If a resource within web_accessible_resources has any significant functionality, an attacker could potentially embed this resource into an external web page. Unsuspecting users visiting this page might inadvertently activate this embedded resource. Such activation could lead to unintended consequences, depending on the permissions and capabilities of the extension's resources.

PrivacyBadger Example

In the extension PrivacyBadger, a vulnerability was identified related to the skin/ directory being declared as web_accessible_resources in the following manner (Check the original blog post):

"web_accessible_resources": [
  "skin/*",
  "icons/*"
]

This configuration led to a potential security issue. Specifically, the skin/popup.html file, which is rendered upon interaction with the PrivacyBadger icon in the browser, could be embedded within an iframe. This embedding could be exploited to deceive users into inadvertently clicking on "Disable PrivacyBadger for this Website". Such an action would compromise the user's privacy by disabling the PrivacyBadger protection and potentially subjecting the user to increased tracking. A visual demonstration of this exploit can be viewed in a ClickJacking video example provided at https://blog.lizzie.io/clickjacking-privacy-badger/badger-fade.webm.

To address this vulnerability, a straightforward solution was implemented: the removal of /skin/* from the list of web_accessible_resources. This change effectively mitigated the risk by ensuring that the content of the skin/ directory could not be accessed or manipulated through web-accessible resources.

The fix was easy: remove /skin/* from the web_accessible_resources.

PoC

<!--https://blog.lizzie.io/clickjacking-privacy-badger.html-->

<style>
iframe {
    width: 430px;
    height: 300px;
    opacity: 0.01;
    float: top;
    position: absolute;
}

#stuff {
    float: top;
    position: absolute;
}

button {
    float: top;
    position: absolute;
    top: 168px;
    left: 100px;
}

</style>

<div id="stuff">
    <h1>
    Click the button
    </h1>
    <button id="button">
      click me
    </button>
</div>

<iframe src="chrome-extension://ablpimhddhnaldgkfbpafchflffallca/skin/popup.html">
</iframe>

Metamask Example

A blog post about a ClickJacking in metamask can be found here. In this case, Metamask fixed the vulnerability by checking that the protocol used to access it was https: or http: (not chrome: for example):

Another ClickJacking fixed in the Metamask extension was that users were able to Click to whitelist when a page was suspicious of being phishing because of “web_accessible_resources”: [“inpage.js”, “phishing.html”]. As that page was vulnerable to Clickjacking, an attacker could abuse it showing something normal to make the victim click to whitelist it without noticing, and then going back to the phishing page which will be whitelisted.

Steam Inventory Helper Example

Check the following page to check how a XSS in a browser extension was chained with a ClickJacking vulnerability:

References

• https://blog.lizzie.io/clickjacking-privacy-badger.html

• https://slowmist.medium.com/metamask-clickjacking-vulnerability-analysis-f3e7c22ff4d9