Preventing Clickjacking Attacks on the Browser Extension Settings Page
Overview
Clickjacking is a type of security attack where a malicious website tricks someone into clicking or typing into something that isn’t what it appears to be. The attacker hides or disguises a real interface element so users unknowingly interact with it.
For browser extensions, this risk is especially serious when sensitive pages, such as settings or password screens, can be displayed inside another website.
To protect users, our browser extension does not allow its Settings page to be embedded or displayed inside any other website. This prevents attackers from tricking users into entering sensitive information, such as their master password.
What Was the Risk?
We identified a scenario where an attacker could:
- Embed the extension’s Settings page inside a hidden or disguised frame on a malicious website
- Visually cover or manipulate the page so it looks like part of the attacker’s site
- Trick users into interacting with the Settings screen, including entering their master password
- Capture sensitive information through deceptive visual placement or interaction tricks
This type of attack does not require installing malware. It relies entirely on visual deception and social engineering, which makes it difficult for users to recognize.
Why This Is Important
If this issue were not addressed, attackers could potentially:
- Steal a user’s master password
- Gain unauthorized access to protected data
- Erode trust in the security of the extension
Because the Settings page controls highly sensitive actions, allowing it to be embedded would pose a serious security risk.
How We Protect You
To prevent this kind of attack, we added strong protections that ensure the Settings page can only be opened in a safe, trusted way.
What We Do
The Settings page cannot be embedded
- If the page detects that it is being loaded inside another website or frame, it will not display.
Only the extension itself can open the Settings page
- The page can only be accessed directly from the extension.
- No website, malicious or legitimate, can embed or display it.
No impact on normal use
- You can still open and use the Settings page as usual.
- These protections work quietly in the background and do not change normal functionality.
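The two checks described above (refusing to display when loaded inside another frame, and only rendering when the page is opened from the extension itself) can be implemented in the Settings page's own script. The following is an added illustration, not the extension's actual code; the function names (isEmbedded, isExtensionOrigin, settingsPageDecision, guardSettingsPage) and the element id settings-form are assumptions chosen for the example. The decision logic takes the window object as a parameter so it can be tested without a real browser.

```javascript
// Added example (not the extension's own code): a frame-embedding guard for a
// browser extension Settings page. Names and the 'settings-form' id are assumed.

// Returns true when this page is not the top-level browsing context, i.e. it is
// being rendered inside an <iframe>, <object> or <embed> of some other document.
function isEmbedded(win) {
  try {
    // Identity comparison of win.top and win.self is permitted even when the
    // ancestor is cross-origin, and it is all we need to detect framing.
    if (win.top !== win.self) return true;
  } catch (e) {
    // If the ancestor chain cannot even be inspected, an embedder exists that
    // we cannot see; that is precisely the situation we must refuse.
    return true;
  }
  return false;
}

// The Settings page must only be opened by the extension itself, so it also
// refuses to render unless the document is served from an extension origin.
const EXTENSION_SCHEMES = ['chrome-extension:', 'moz-extension:', 'safari-web-extension:'];

function isExtensionOrigin(location) {
  return EXTENSION_SCHEMES.includes(location.protocol);
}

// Decides whether the Settings UI may be shown, returning a plain object so the
// decision can be unit-tested without a DOM.
function settingsPageDecision(win) {
  if (!isExtensionOrigin(win.location)) {
    return { render: false, reason: 'not-extension-origin' };
  }
  if (isEmbedded(win)) {
    return { render: false, reason: 'embedded' };
  }
  return { render: true, reason: 'ok' };
}

// Applies the decision to the document. When rendering is refused, the form is
// removed outright (so the master-password field never exists in the embedded
// copy, rather than merely being hidden by CSS) and a static notice is shown.
function guardSettingsPage(win, doc) {
  const decision = settingsPageDecision(win);
  if (!decision.render) {
    const form = doc.getElementById('settings-form');
    if (form) form.remove();
    doc.body.textContent =
      'The Settings page cannot be displayed inside another website. Open it from the extension.';
  }
  return decision;
}

// Run the guard as early as possible when loaded in a real browser page.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  guardSettingsPage(window, document);
}
```

Include this script in the Settings page's HTML before the form markup, so the check runs before any interactive element is painted. In Chrome-family browsers, extension pages that are not listed under web_accessible_resources in the manifest cannot be loaded by ordinary web pages at all; the script above is the defense-in-depth layer that enforces the same rule inside the page itself, so a future manifest change cannot silently reintroduce the risk.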
What This Means for You
These protections ensure that:
- You only enter your master password in a secure, trusted extension environment
- Malicious websites cannot fake or manipulate the extension’s interface
- Your data remains protected by clear boundaries between websites and the extension
Preventing clickjacking is an important part of keeping your information safe, especially for tools that manage passwords or sensitive settings.
Summary
By blocking the embedding of the Browser Extension’s Settings page, we prevent an entire category of clickjacking and interface-spoofing attacks. This helps protect your credentials while keeping the extension secure and easy to use.
If you have questions about how we protect your data, our support team is happy to help.