If you use iCloud Passwords on Chrome or Firefox, your data may be at risk


If you use Firefox on a Mac or PC, Apple offers a handy browser extension that keeps your iCloud passwords within reach without having to open a separate application. However, a new warning could make you think twice before using it next time.
As reported by The Hacker News, security researcher Marek Tóth has discovered a new Document Object Model (DOM)-based vulnerability that could allow attackers to steal users' credit card details, personal data and login credentials through so-called clickjacking, or UI redressing. As the researchers explain, clickjacking “refers to a type of attack in which users are led to carry out a series of actions on a website which seem ostensibly harmless, such as clicking on buttons, while in reality they inadvertently perform the actions of the attacker.”
Although some of the flaws have been fixed, several popular password manager extensions remain at risk, including 1Password, LastPass and iCloud Passwords. For iCloud Passwords, the researchers specifically point to version 3.1.25, which Firefox uses. Chrome uses a more recent version, 3.1.27, although it seems that the flaw still exists there.
To access an account, an attacker would create a fake site with a pop-up window containing “an invisible login form so that clicking on the site to close the pop-up causes the information to be auto-filled and exfiltrated to a remote server.” Thus, when the user tries to close the window, the credentials are filled in automatically.
Earlier this year, a flaw in Apple’s Passwords app was revealed that could allow an attacker to intercept sensitive data via unsecured HTTP traffic. Apple corrected this vulnerability in iOS 18.2.
Tóth says that Apple is working on a fix for the flaw, while 1Password and LastPass are still investigating. Bitwarden, which was also affected by the flaw, published an update to solve the problem last week. But if you use these extensions on a Mac or PC, make sure that the site you are using is trustworthy.



