Current Cyber Threats

DOM-based Extension Clickjacking: Your Password Manager Data at Risk

Summary:
Researchers have disclosed a security vulnerability named DOM-based extension clickjacking that targets browser extensions such as password managers. The attack tricks users into unwittingly interacting with hidden parts of a web page, giving attackers access to sensitive extension data such as saved passwords without the user's knowledge. It relies on manipulating the browser's DOM to present malicious content in place of legitimate content, so that the user believes they are clicking on something innocuous while the click actually gives the attacker a way in.

Security Officer Comments:
This is important because browser extensions, especially password managers, hold some of the most sensitive information users have. An attacker who can bypass these extensions is able to steal credentials and gain access to many accounts at once. What makes the issue more vexing is that it is not so much a vulnerability in any one extension as an exploitation of the browser and its DOM, which leads many users to downplay the risk even though the consequences can be severe.

Suggested Corrections:

  • Users should keep browser extensions up to date and only install extensions from trusted sources.
  • Developers of extensions should implement safeguards such as frame-busting code, strict content security policies (CSP), and permissions hardening to prevent unauthorized interaction with the extension’s UI.
  • Organizations can also encourage users to use standalone password manager apps instead of browser extensions when possible, as this reduces the attack surface.
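As an added example (not code from the research or from any password manager vendor), here is a defender-side check an extension's content script could run before honoring a click on its own injected UI, so that a menu the page has hidden cannot be clicked unknowingly; the element names, the 0.9 opacity threshold and the `onAccept` callback are assumptions:

```javascript
// Added defensive example, not code from the research or any password manager.
// Idea: an extension's content script refuses to act on a click unless its own
// injected UI is actually visible, since hidden-but-clickable UI is what the
// clickjacking described above relies on.

// Pure decision logic so it can be unit tested outside a browser.
// chain: computed-style snapshots of the element and then each ancestor.
// rect: the element's viewport-relative bounding box. hitTestOk: whether a
// hit test at the element's centre lands on the element itself.
function isEffectivelyVisible(chain, rect, hitTestOk, viewport, minOpacity = 0.9) {
  let opacity = 1;
  for (const s of chain) {
    if (s.display === 'none' || s.visibility === 'hidden' || s.visibility === 'collapse') return false;
    opacity *= Number(s.opacity ?? 1); // opacity compounds down the ancestor chain
  }
  if (opacity < minOpacity) return false;              // faded to (near) invisible
  if (rect.width < 1 || rect.height < 1) return false; // collapsed to nothing
  if (rect.right <= 0 || rect.bottom <= 0 ||
      rect.left >= viewport.width || rect.top >= viewport.height) return false; // off-screen
  return hitTestOk;                                    // false when something else is drawn on top
}

// Browser glue: gathers the inputs from the live DOM. Walks through shadow-root
// hosts so UI inside a shadow tree is checked against its page-level ancestors.
function elementLooksVisible(el) {
  const chain = [];
  for (let n = el; n; n = n.parentElement || (n.parentNode && n.parentNode.host) || null) {
    const cs = getComputedStyle(n);
    chain.push({ display: cs.display, visibility: cs.visibility, opacity: cs.opacity });
  }
  const rect = el.getBoundingClientRect();
  const top = el.getRootNode().elementFromPoint(rect.left + rect.width / 2,
                                                rect.top + rect.height / 2);
  const hitTestOk = top !== null && (top === el || el.contains(top));
  return isEffectivelyVisible(chain, rect, hitTestOk,
                              { width: innerWidth, height: innerHeight });
}

// Capture-phase guard: `el` is the extension's injected menu (assumed name) and
// `onAccept` performs the sensitive action (e.g. autofill) only for visible UI.
function guardClick(el, onAccept) {
  el.addEventListener('click', (e) => {
    if (!elementLooksVisible(el)) { e.stopImmediatePropagation(); e.preventDefault(); return; }
    onAccept(e);
  }, true);
}
```

This is a heuristic: it catches the opacity, off-screen and overlay tricks but not every CSS technique, so it complements rather than replaces the hardening listed above.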

Link(s):
https://marektoth.com/blog/dom-based-extension-clickjacking/