kyranjamie
commented
3 years ago In exploring this, we discovered the clickjacking attack is not possible with addition of the frame-ancestors CSP directive.
An interesting learning for me here is that this directive does not inherit the value of default-src.
Location chrome-extension://ffmccdpbokklglpamkcddkcaghgbpgni/index.html#/settings/secret-key
Synopsis The Blockstack Stacks Wallet Extension is vulnerable to a Clickjacking attack, that when combined with a malicious page monitoring the navigator.clipboard object can lead to the exposure of a user’s secret key phrase when they are logged into the wallet.
Impact An attacker can use the secret key phrase to initialize a different extension and take control of all the assets in the wallet.
Preconditions The victim must be logged into the Wallet while visiting a malicious page. If the victim clicks on a malicious item in the page, the Copy to Clipboard button will be triggered and then the secret key phrase will be available to the attacker in the navigator.clipboard object.
Feasibility The attack is easy to create although the user would need to visit the malicious site and perform a single action. Given an attacker is highly incentivized, they would be motivated to reach as many potential victims as possible.
Technical Details The Copy to Clipboard button will store the secret key phrase in plaintext in the navigator.clipboard object. A malicious site can run a function that checks the contents of this object periodically, and if it recognizes a valid key phrase, can then exfiltrate the key phrase to a remote location without the victim being aware. The Clickjacking attack facilitates getting the key phrase into the clipboard, and so while it can be considered a stage in the attack, mitigating Clickjacking attacks will not solve the problem of the key phrase being stored in the navigator.clipboard object.
Mitigation Protection against Clickjacking attacks is traditionally done by utilizing the X-Frame-Options HTTP Header. Since the extension pages are not loaded from an HTTP server, research should be done to see how this would be possible to implement in the context of a browser extension. Content-Security Policies that prevent framing resources would be a possible solution.
To protect against the clipboard attack, it would be best to prevent the key phrase from ever being accessible to the clipboard available to the browser. One solution is to disable selection of the text and force users to download a file. Another option would be to investigate if the clipboard object can be disabled for that page entirely. This latter option might prove tricky as users will want to be able to copy and paste addresses.