Security Now Podcast 1040: “Clickjacking Whac-A-Mole”
Date: August 27, 2025
Hosts: Steve Gibson & Leo Laporte
Episode Overview
This episode tackles the recently hyped “browser 0day clickjacking” affecting password managers, explaining why such attacks are both perennial and, to a degree, unavoidable. Steve and Leo also cover watershed moments in tech law: Germany’s potential ad blocker ban, AI copyright battles, and age verification’s impact on services like Bluesky. The episode pairs security nuance with current-event analysis, making it worthwhile listening for security professionals and privacy-minded users.
Main Theme: The Inherent Whack-a-Mole of Browser Clickjacking
Steve Gibson addresses the “clickjacking frenzy” around password managers, cutting through the hype to explain the real technical limitations and user tradeoffs involved. The conversation shows how the complexity we demand of modern browsers leaves some attack surfaces unsolvable, and why this isn’t cause for panic.
Key Discussion Points & Insights
1. Browser Clickjacking Concerns in Password Managers
- Background: A recent DEF CON 33 presentation by Czech researcher Marek Tóth described DOM-based clickjacking attacks that can harvest sensitive information through password managers’ browser extensions.
- Affected Managers: Bitwarden, 1Password, LastPass, NordPass, ProtonPass, Roboform, Keeper, Dashlane, iCloud Keychain, all of which were widely discussed.
- Steve’s Core Analysis:
  - “Web browser based vulnerabilities which involve causing a user's click to do something other than they expect…are more or less innate and intrinsic and are difficult if not impossible to prevent as long as we have browsers from which we ask and expect so much.” (136:36)
  - Password managers’ browser extensions exist within, and share the same visual space as, the webpages they serve, so some degree of clickjacking will always be possible.
  - The “all your passwords are at risk” narrative is overhyped; in practice an attack can steal at most one matching credential per click.
- Vendor Response:
  - 1Password and Bitwarden responded with patches, primarily “security theater” to reassure users, and acknowledged that the issue cannot be fully solved without draining usability.
  - “The only way to mitigate the vulnerabilities fully would be to implement a dialog pop up to prompt the user before every single autofilling everywhere. 1Password used to do that, but their users voted that down.” (160:53)
- Takeaway: The balance between security and usability shapes every decision; clickjacking is the ultimate whack-a-mole, with no final victory possible.
  - “There’s probably no more clear example of the conscious decision being made between usability and security than this one. Usability 1. And while the security may not be absolute, absolute security is really not available within today’s browser environment... That’s just the way it is.” (160:53)
2. Germany’s Supreme Court and the Future of Ad Blockers (13:00)
- Issue: Axel Springer’s lawsuit claims that browser-side ad blockers infringe the copyright in a website’s “program code”.
- Legal Outcome: The lower court’s decision against Springer was overturned by Germany’s Supreme Court, reviving the prospect of a ban.
- Implications:
  - Potential ripple effect: extensions that modify the DOM for accessibility, privacy, or tracking prevention might also be threatened.
  - Could force browser vendors and extension developers to cripple features, limiting user choice (a “dangerous chilling effect”).
- Bigger Picture:
  - “Imagine what it would mean if all control is taken away from end users and any modification to a browser’s default generic behavior that might threaten the revenue of any constituent of a browser’s page delivery were to become outlawed.” (16:06)
  - The real disruption is AI: “AI presents its users with exactly what they want, which is completely ad free content... There’s never been what is effectively a more powerful ad blocker than AI.” (22:02)
3. AI, Copyright, and a Coming Schism (28:03)
- Ongoing Lawsuits: Major cases were enumerated (e.g., Advanced Local Media vs. Cohere, Getty vs. Stability AI, the OpenAI copyright litigation), illustrating the breadth of the legal uncertainty.
- Key Point: Whether AI model scraping constitutes “fair use” will reshape both the publishing and the technology landscape; a Supreme Court decision is likely.
- Steve’s Outlook: “If AI’s use is determined to be not fair, meaning infringing, the major AI vendors will…need to pick and choose among sources for their training data, creating an entirely new information economy.” (28:03)
- Leo’s Warning: “We’re going to have a, almost a rift, a schism between people who support AI and people who are against AI. I’m already seeing that happen.” (31:36)
5. Age Verification Laws’ Surreal Consequences: Bluesky in Mississippi (49:46)
- Action: Bluesky halted service in Mississippi after House Bill 1126 (the Walker Montgomery Protecting Children Online Act) required platforms to verify all users’ ages.
- Reasoning: The cost and complexity of compliance (real identity, parental consent, perpetual data retention) would crush small providers.
  - “Unlike tech giants with vast resources, we’re a small team… Age verification systems require substantial infrastructure and developer time investments... that can easily overwhelm smaller providers.” (49:46)
- Broader Impact: Laws like this entrench large incumbents, threaten privacy, and create barriers to innovation; they are likely harbingers of similar disruption in other jurisdictions.
- Technical Note: The continued lack of a universally accepted, privacy-preserving age attestation infrastructure is a major friction point.
5. Listener Q&A and Advanced Backup Advice (108:00 and beyond)
- Backup Strategies:
  - Discussion of Syncthing (“optimal solution with control over two or more PCs”) and future plans for client-side-encrypted off-site backups.
  - Sync.com recommended for “trust less” encrypted cloud storage: “Not like these are unique to sync.com, I just like them … they have a ton of features.” (112:11)
- A Fun Twist on AI Use: A listener describes using ChatGPT to generate and maintain a personalized recipe cookbook based on the ingredients at hand, with cumulative tracking and PDF export, illustrating AI’s unexpected everyday utility. (126:13)
6. Security News Roundup
- Huge Bounties for Exploits: A UAE startup is offering $20M for phone-hacking tools, highlighting the darker side of software vulnerabilities and the bug bounty arms race. (9:33)
- Microsoft 365’s New Email Throttling: A 100 emails/day limit for new tenants, to fight onmicrosoft.com spam and reputation damage. (42:02)
- Russia vs Google Meet: Block testing is apparently underway, a move that makes Russian businesses less efficient and less globally competitive. (48:31)
- Linux Desktop Malware Rising: Targeted attacks (APT36) show that as Linux gains ground in government and enterprise, attackers follow.
- Apple Zero-Click Vulnerability: A critical vulnerability in image rendering (DNG decompressor, CVE-2025-43300), patched across iOS and macOS. “No user interaction required. Full silent compromise courtesy of just receiving a single malicious image file.” (91:50)
- Docker Escape: An unauthenticated Docker Desktop API on Windows/Mac allowed any container to take over the host drive. “[It] was a simple oversight… Unauthenticated APIs are a critical risk.” (92:49)
Notable Moments & Quotes
- On Clickjacking: “Clickjacking does not expose all your 1Password data or export all your vault contents, and no web page can directly access your information without interaction with the browser’s extension autofill element. At most, a malicious or compromised web page could trick you into auto filling one matching item per click. Not everything in your account.” — 1Password response (137:17)
- Balancing Usability and Security: “There’s probably no more clear example of the conscious decision being made between usability and security than this one. Usability 1.” (160:53)
- On Browsers’ Inherent Risk: “Browsing has been given an inherently impossible task to fulfill when…we also want to have all our most precious secrets present, readily accessible and automatically filled in… The gall to complain if an additional ‘are you sure?’ confirmation might be required.” (160:53)
- On AI’s Disruption: “AI presents its users with exactly what they want…completely ad free content…AI’s answers are given by plumbing and ingesting only…the site’s non-advertising content.” (22:02)
Timestamps for Critical Segments
- [13:00] – Germany’s Supreme Court & Adblockers
- [22:02] – AI as the Ultimate Ad Blocker; Copyright lawsuits
- [31:36] – Looming cultural schism over AI
- [49:46] – Bluesky pulls out of Mississippi – Age verification fallout
- [76:39] – Fun segment: AI prompt to overwhelm spam filters; “the diabolical query”
- [91:50] – Apple patches zero-click “doozy” vulnerability
- [92:49] – Docker Desktop escape via SSRF
- [136:17] – Browser clickjacking deep dive: technical breakdown, vendor responses
Conclusion: The Takeaway on Clickjacking “Whac-A-Mole”
Browser clickjacking is here to stay. Password manager browser extensions will always be partially at risk due to the shared environment of modern browsers. No technical fix can offer total protection without making these tools unusable. Choose your own balance—accept the small, persistent risks in exchange for the huge convenience password managers provide, and pay attention to site context when giving permission to autofill.
“The greater takeaway for us is that we as users of browser based password managers must soberly recognize and necessarily accept the inherent and fundamental impossibility of obtaining the level of security guarantee from our browser based password managers that we would all like to have. It ain't gonna happen.” — Steve Gibson (160:53)
Related Resources
- DEF CON 33 Presentation: Marek Tóth – “DOM-based extension clickjacking”
- 1Password official response
- socket.dev Security Blog
Security Now with Steve Gibson airs Tuesdays at 4:30pm ET / 1:30pm PT / 20:30 UTC on TWiT.tv.
Summary curated by Security Now Podcast Summarizer AI – faithful to the hosts’ insight, tone, and community spirit.