In short, the Proton Pass browser app is no longer vulnerable to reported clickjacking attacks. We were alerted to this vulnerability by a report by cybersecurity researcher Marek Tóth given at DEF CON 33.

Tóth gave a presentation about a new type of clickjacking attack that he had discovered. He explained how the attack worked, and how the data in your password manager browser app could be vulnerable to it. Proton Pass was one of the examples used in his presentation, and Tóth successfully carried out a clickjacking attack on his own browser app. We’ve addressed this vulnerability with the rollout of version 1.31.6 of the Proton Pass browser app, and would strongly recommend updating your Proton Pass browser app if you haven’t already.

What is a clickjacking attack?

As defined by the Open Worldwide Application Security Project (OWASP), a clickjacking attack is the following:

“Clickjacking, also known as a “UI redress attack”, is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page. Thus, the attacker is “hijacking” clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both.”

In his report, Tóth identified that “many bug bounty programs have this vulnerability listed in the “out of scope” section, and in better cases they accept it but don’t reward it.” Clickjacking isn’t considered a serious threat by most businesses these days because protections against it are common.

However, Tóth was able to develop a new clickjacking attack technique with multiple attack variants. He describes it as one in which “a malicious script manipulates UI elements that browser extensions inject into the DOM by making them invisible using JavaScript.” He then tested this new attack type against 11 password managers that are available as browser extensions, including Proton Pass. All 11 password managers were found to be vulnerable to Tóth’s DOM-based extension clickjacking attack.
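As an added illustration (not Proton’s or Tóth’s code), here is the kind of rendered-visibility check an extension could apply to UI it injected into a page before honouring a click on it: the injected element, and every ancestor, must be fully visible, and it must actually be the topmost hit target at its own position. DOM access is abstracted behind `env` so the same logic runs against a constructed fake tree; in a browser you would pass the real `getComputedStyle` and `document.elementFromPoint`.

```javascript
// Added example, not Proton Pass code. `env` supplies DOM access so the
// check can be exercised with a constructed fake tree; in a browser pass
//   { getComputedStyle: window.getComputedStyle.bind(window),
//     elementFromPoint: document.elementFromPoint.bind(document) }.

function isHiddenByStyle(style) {
  return style.display === "none" ||
    style.visibility === "hidden" ||
    parseFloat(style.opacity) < 1 ||            // translucent counts as hidden
    (style.clipPath !== undefined && style.clipPath !== "none");
}

// True only when `el` and every ancestor render fully visible AND `el` (or a
// descendant) is the topmost hit target at its own centre point.
function isGenuinelyClickable(el, env) {
  for (let node = el; node; node = node.parentElement) {
    if (isHiddenByStyle(env.getComputedStyle(node))) return false;
  }
  const r = el.getBoundingClientRect();
  if (r.width === 0 || r.height === 0) return false;
  const hit = env.elementFromPoint(r.left + r.width / 2, r.top + r.height / 2);
  return hit !== null && (hit === el || el.contains(hit));
}

// Constructed stand-in for DOM nodes: each carries its own "computed" style.
function makeNode(style, parent = null) {
  const node = { style, parentElement: parent };
  node.getBoundingClientRect = () => ({ left: 10, top: 10, width: 200, height: 40 });
  node.contains = (o) => { for (let n = o; n; n = n.parentElement) if (n === node) return true; return false; };
  return node;
}

// Three states of an injected autofill dropdown: rendered normally, with its
// host made transparent by page script, and covered by another page element.
function demo() {
  const shown = { display: "block", visibility: "visible", opacity: "1", clipPath: "none" };
  const host = makeNode({ ...shown });
  const dropdown = makeNode({ ...shown }, host);
  const decoy = makeNode({ ...shown });
  let topmost = dropdown;
  const env = { getComputedStyle: (n) => n.style, elementFromPoint: () => topmost };
  const visible = isGenuinelyClickable(dropdown, env);
  host.style = { ...shown, opacity: "0" };          // host hidden by page script
  const hiddenHost = isGenuinelyClickable(dropdown, env);
  host.style = { ...shown };
  topmost = decoy;                                   // something drawn on top
  const covered = isGenuinelyClickable(dropdown, env);
  return { visible, hiddenHost, covered };
}
```

Only the first state should lead the extension to act on the click; the other two are the conditions under which a user could be clicking something they cannot see.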

You can find out the details of how Tóth carried out his testing in the full report.

Is Proton Pass secure to use?

In version 1.31.6 of the Proton Pass app, we released a fix that prevents this attack from being effective. The relevant extension elements and overlay have been addressed, and we’ve also added Tóth to our list of Security Contributors for his contribution to our security research.

We invite security experts to test all of our Proton apps through our bug bounty program, and third-party cybersecurity firms carry out audits of our code regularly to ensure that all of the claims we make about our products are true.

What should I do to protect myself?

In his report, Tóth makes recommendations about actions you can take to protect yourself against clickjacking attacks as well as other types of cyberattack. We also recommend taking the following actions:

  • Check that you have automatic updates enabled. Running the most recent version of Proton Pass helps you stay secure against zero-day vulnerabilities.
  • Consider disabling autofill and using copy and paste only. Proton Pass requires two clicks to autofill your passwords, to give you time to assess for yourself whether a website is secure, but you can also opt not to use autofill at all if you’d prefer to reduce risk.

Proton has received an ISO 27001 certification to prove that we’re a transparent and secure organization. Everything you store in your vaults is protected by end-to-end encryption to ensure that your privacy is upheld and no one but you can access your data. However, we always recommend being cautious: create strong, varied passwords, and protect yourself against phishing and malware with hide-my-email aliases.