New research has shown that the browser extensions of many popular password managers are vulnerable to clickjacking, potentially exposing stored credentials, payment cards and other sensitive user data.
Discovery of the Vulnerability
Cybersecurity researcher Marek Tóth analyzed eleven widely used password managers and found every one of them susceptible to clickjacking. He first presented the findings at DEF CON 33 earlier this month and later expanded on them in a detailed blog post.
The research focused on the browser extensions of well-known password managers, including:
1Password, Bitwarden, Dashlane, Enpass, Keeper, LastPass, LogMeOnce, NordPass, ProtonPass, RoboForm, and Apple’s iCloud Passwords.
Together, these extensions account for nearly 40 million active installations, according to data from the Chrome, Edge, and Firefox extension repositories.
How Clickjacking Works
Clickjacking is a long-standing web attack technique in which the attacker tricks a victim into interacting with hidden or disguised page elements. By layering an invisible control over (or a decoy beneath) content the victim expects to interact with, the attacker redirects what looks like a harmless click to an action the victim never intended.
Tóth's variant, which he calls DOM-based extension clickjacking, targets the user interface that password-manager extensions inject into the page's DOM. Combined with the managers' autofill features, it can be used to steal highly sensitive data, such as:
- Personal details
- Usernames and passwords
- Passkeys
- Payment card information
His tests showed that a single click from the victim can be enough. On a page the attacker controls, that is all it takes to obtain data that is not tied to a domain, such as personal details and payment cards; because credential autofill is normally matched to the site's domain, stealing the login for a specific site additionally requires running the attacker's script on that site, for example through an XSS flaw or another vulnerability there.
Technical Insight
The Document Object Model (DOM), the tree structure a browser builds when it renders an HTML or XML page, is at the center of the technique. Password-manager extensions insert their autofill prompts and dropdowns into the page's own DOM, where the page's scripts and CSS control how those elements are displayed. A malicious page can therefore make the injected UI invisible and place a decoy element where the victim is about to click, so the click lands on the extension's element and triggers a fill into the attacker's page without the victim ever seeing the prompt.
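The following is an added example, not code from the article, from Tóth's research or from any password-manager vendor. It sketches the check a password manager's content script could run on a click delivered to the autofill UI it injected into the page, before filling anything: because that UI lives in the page's DOM, page CSS and JavaScript can restyle it, so the click is honoured only if the UI is genuinely visible and the event is a real user gesture. The function name `vetAutofillClick`, the thresholds `MIN_OPACITY` and `MIN_SIZE_PX`, and the `FakeElement`/`view` fixture are assumptions introduced so the file runs stand-alone under Node.

```javascript
// Added example: a visibility/legitimacy check for clicks on an extension's injected
// autofill UI. Not code from the article or from any password manager vendor.

const MIN_OPACITY = 0.9;  // assumed threshold: real autofill UI renders at opacity 1
const MIN_SIZE_PX = 24;   // assumed: a clickable credential row is never smaller than this

// vetAutofillClick: returns { fill: true } or { fill: false, reason } for a click `ev`
// delivered to an element inside `uiRoot`; `view` (normally `window`) supplies styles.
function vetAutofillClick(ev, uiRoot, view) {
  // 1. Clicks the page fabricated with dispatchEvent(new MouseEvent('click')) are untrusted.
  if (!ev.isTrusted) return { fill: false, reason: 'synthetic-event' };

  // 2. The click must target something inside our own UI.
  if (!uiRoot.contains(ev.target)) return { fill: false, reason: 'outside-ui' };

  // 3. Every ancestor up to the document root must be visible. Opacity compounds down
  //    the tree, so opacity:0 on the injected host element (which the page can style
  //    even if the UI itself sits in a closed shadow root) hides everything inside it.
  for (let el = ev.target; el; el = el.parentElement) {
    const cs = view.getComputedStyle(el);
    if (cs.display === 'none' || cs.visibility === 'hidden') return { fill: false, reason: 'hidden-ui' };
    if (parseFloat(cs.opacity) < MIN_OPACITY) return { fill: false, reason: 'transparent-ui' };
    if (cs.clipPath !== 'none') return { fill: false, reason: 'clipped-ui' };
  }

  // 4. The UI must occupy real space inside the viewport; a 1x1 or off-screen dropdown
  //    is not something the user could have meant to click.
  const r = uiRoot.getBoundingClientRect();
  if (r.width < MIN_SIZE_PX || r.height < MIN_SIZE_PX) return { fill: false, reason: 'shrunk-ui' };
  if (r.right <= 0 || r.bottom <= 0 || r.left >= view.innerWidth || r.top >= view.innerHeight)
    return { fill: false, reason: 'off-screen-ui' };

  return { fill: true };
}

// --- Constructed fixture: just enough DOM for the check to run under Node. ---
class FakeElement {
  constructor(name, parent = null) {
    this.name = name;
    this.parentElement = parent;
    this.style = { display: 'block', visibility: 'visible', opacity: '1', clipPath: 'none' };
    this.rect = { left: 100, top: 200, width: 320, height: 160, right: 420, bottom: 360 };
  }
  contains(node) {
    for (let e = node; e; e = e.parentElement) if (e === this) return true;
    return false;
  }
  getBoundingClientRect() { return this.rect; }
}
const view = { innerWidth: 1280, innerHeight: 800, getComputedStyle: (el) => el.style };

// body > pm-autofill-host (injected by the extension) > pm-credential-row (the clickable entry)
function buildPage() {
  const body = new FakeElement('body');
  const host = new FakeElement('pm-autofill-host', body);
  const row = new FakeElement('pm-credential-row', host);
  return { body, host, row };
}
const clickOn = (target, trusted = true) => ({ isTrusted: trusted, target, clientX: 150, clientY: 250 });

// Normal use: the user clicks a visible credential row.
function benignDecision() {
  const { host, row } = buildPage();
  return vetAutofillClick(clickOn(row), host, view);
}

// The pattern the article describes: the page's script makes the injected UI invisible
// (here by setting opacity:0 on the host) and shows a decoy under the pointer, so the
// victim's real click lands on the credential row without the victim seeing it.
function hiddenUiDecision() {
  const { host, row } = buildPage();
  host.style.opacity = '0';
  return vetAutofillClick(clickOn(row), host, view);
}

// The page dispatches its own click event instead of waiting for the user.
function syntheticClickDecision() {
  const { host, row } = buildPage();
  return vetAutofillClick(clickOn(row, false), host, view);
}

// The page shrinks the injected UI to a dot hidden under a decoy button.
function shrunkUiDecision() {
  const { host, row } = buildPage();
  host.rect = { left: 150, top: 250, width: 1, height: 1, right: 151, bottom: 251 };
  return vetAutofillClick(clickOn(row), host, view);
}

console.log('benign   :', benignDecision());
console.log('hidden   :', hiddenUiDecision());
console.log('synthetic:', syntheticClickDecision());
console.log('shrunk   :', shrunkUiDecision());
```

In a real extension this check runs in the content script's isolated world, so the page cannot swap out the `getComputedStyle` that the content script sees. Its limits are worth stating: it catches the "make the UI invisible" family of tricks, but not an opaque decoy painted over a perfectly visible dropdown with `pointer-events: none`, which lets the click pass straight through, nor a dropdown that is fully visible only because the page repositioned it under the cursor at the last moment. That is why a visibility heuristic is at best one layer; an explicit confirmation step, or filling only from the extension's toolbar icon or keyboard shortcut, does not depend on how the page has styled anything.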
Vendor Responses
Some vendors have already shipped fixes. At the time of the report, however, six remained exposed: Bitwarden, 1Password, iCloud Passwords, Enpass, LastPass, and LogMeOnce.
- Bitwarden announced that a fix is being rolled out in version 2025.8.0.
- LogMeOnce confirmed awareness of the issue and is actively working on a patch.
- 1Password emphasized that clickjacking is a broader browser issue, not one that password managers can fully resolve. Instead, they are focusing on enhanced user control, such as requiring confirmation before autofill actions.
- LastPass explained that it has already implemented safeguards like pop-up confirmations before autofilling sensitive data and is exploring additional protections.
The Bigger Picture
According to security experts, the research highlights a persistent trade-off between security, convenience, and user experience: autofill is fast and easy, but any fill that page content can trigger is also an attack surface.
Both 1Password and LastPass stressed the importance of keeping extensions updated, staying alert to suspicious overlays, and giving users more visibility into when autofill is triggered.
✅ Key Takeaway for Security Leaders:
Even trusted tools like password managers can be vulnerable. Organizations and individuals should:
- Keep browser extensions updated.
- Enable confirmation prompts before autofill where the extension offers them.
- Where the extension offers it, switch from automatic fill to on-demand fill (from the toolbar icon or keyboard shortcut), so that page content alone can never trigger a fill.
- Educate users about clickjacking risks and about treating unexpected overlays, banners and CAPTCHAs with suspicion.
In the evolving threat landscape, awareness and layered defenses remain essential for protecting sensitive credentials and digital identities.
Source: https://www.securityweek.com/password-managers-vulnerable-to-data-theft-via-clickjacking