MetaMask browser extension wallet Clickjacking vulnerability analysis

Background overview

On June 3, 2022, MetaMask (MM) disclosed a serious clickjacking vulnerability discovered by white hats. The impact of this vulnerability is: when the user's MM extension wallet is unlocked and the user visits a malicious site, the site can use an iframe tag to embed the unlocked MM extension wallet page into the web page, hide it, and then induce the user to click, thereby stealing the user's related assets. Given the large number of MM users and the large number of projects that fork the MetaMask extension wallet, we immediately began reproducing this vulnerability after MM disclosed it, and then began to investigate its impact on other projects that fork MetaMask.

Subsequently, the SlowMist security team notified the affected project parties as far as possible and guided them through the fixes. The analysis of this clickjacking vulnerability is now made public so that subsequent projects can avoid the same pitfalls.

Vulnerability Analysis

Since MM did not give a detailed explanation when publishing this Clickjacking vulnerability, but only described the exploitation scenario and the harm it can cause, I also ran into many pitfalls when reproducing it (blindly guessing at various vulnerability points). So that everyone can understand the whole vulnerability better and more smoothly, I will first cover one piece of background knowledge before the vulnerability analysis.

Let's first look at Manifest - Web Accessible Resources. Browser extensions have a configuration item, web_accessible_resources, which restricts which of the extension's resources a web page may access. By default, a web page cannot access the resource files inside a browser extension; only the extension itself can access its own resources. In short, pages under protocols such as http/https cannot access chrome-extension:// resources by default. Of course, if the extension wallet exposes internal resources through web_accessible_resources, those resources can then be accessed by pages under protocols such as http/https.

MM extension wallet versions before 10.14.6 (this article uses 10.14.5 as an example) have always retained the configuration "web_accessible_resources": ["inpage.js", "phishing.html"], and this configuration is a key point in exploiting the vulnerability.


However, during the vulnerability analysis, it was found that in app/scripts/phishing-detect.js (v10.14.5) the redirect from the phishing page is already restricted by protocol. (In my understanding, this restriction still leaves other pitfalls; after all, the "web_accessible_resources": ["inpage.js", "phishing.html"] configuration is still retained.)
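As an added illustration (example code written for this article, not MetaMask's own phishing-detect.js), the following shows the defensive checks the two points above call for: a protocol allow-list for the "continue to site" redirect of a phishing-warning page, a top-window check that detects when such a page has been framed, and a manifest audit that flags HTML pages exposed through web_accessible_resources. The function names, the hardened manifest and the sample manifests are assumptions made for the example.

```javascript
// Added example, not MetaMask's code: defensive checks for an extension
// phishing-warning page and its manifest. Function names are assumptions.

// Only ordinary web protocols may be used as a redirect target; a
// chrome-extension: target would send the user into another extension page.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Returns the normalised URL to continue to, or null if the target is rejected.
function safeContinueTarget(hrefParam) {
  let url;
  try {
    url = new URL(hrefParam);
  } catch {
    return null; // not a parseable absolute URL
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) {
    return null;
  }
  return url.href;
}

// Clickjacking indicator: the extension page is rendered inside a frame owned
// by another document rather than as the top-level page. `win` is passed in so
// the check can be unit-tested without a browser (use `window` in the page).
function isFramed(win) {
  return win.top !== win.self;
}

// Manifest audit: lists extension HTML pages that web origins may load. Accepts
// both the MV2 form (array of strings) and the MV3 form ({resources, matches}).
function exposedHtmlResources(manifest) {
  const entries = manifest.web_accessible_resources || [];
  const names = entries.flatMap((entry) =>
    typeof entry === "string" ? [entry] : entry.resources || []
  );
  return names.filter((name) => name.endsWith(".html"));
}

// Constructed sample mirroring the vulnerable configuration quoted in the text.
const VULNERABLE_MANIFEST = {
  web_accessible_resources: ["inpage.js", "phishing.html"],
};
// Assumed hardened form: only the injected script stays reachable from web
// pages, so the phishing-warning page can no longer be framed by a site.
const HARDENED_MANIFEST = { web_accessible_resources: ["inpage.js"] };
```

Running exposedHtmlResources over a forked wallet's manifest is a quick way to confirm whether the fix in v10.14.6 has been carried over.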


We continued to trace when this protocol restriction was introduced and found that it was added in the following commit, which means that before v10.14.1 there was no restriction on the redirect protocol, so the Clickjacking vulnerability could be exploited easily.

Related commits:


To verify the code analysis, we switched to v10.14.0, the version before the protocol restriction, for testing, and found that the entire attack process could be reproduced easily.


However, the MM public report also states that the Clickjacking vulnerability was fixed in v10.14.6, so v10.14.5 is still vulnerable, which brings us back to the conjecture above: in my understanding, the protocol restriction still leaves other pitfalls, since the "web_accessible_resources": ["inpage.js", "phishing.html"] configuration is still retained.


Analysis conclusion

As the above analysis shows, MM actually fixed two clickjacking vulnerabilities recently. During reproduction, it was found that the latest version, v10.14.6, has removed the relevant web_accessible_resources configuration, completely fixing the clickjacking problem on the MetaMask Phishing Detection page.

(1) Fix for using the Clickjacking vulnerability to induce users to transfer funds (affected versions: <= v10.14.0):

(2) Fix for using the Clickjacking vulnerability to add phishing websites to the whitelist (affected versions: <= v10.14.5):

About Us

DPTech was co-founded by several senior European and American security experts, and its core security R&D team of international first-line talent is committed to improving the overall security, privacy and usability of the blockchain ecosystem. By publishing industry trend reports and monitoring ecosystem security risks in real time, it provides customers with visual solutions that meet advanced international security technology standards and strengthens network security monitoring, early warning and defense capabilities. After years of accumulated blockchain experience, DPTech has been recognized by dozens of well-known exchanges around the world.