Popular Password Manager Extensions Vulnerable to Clickjacking Attacks

Major Password Managers Exposed to DOM-Based Clickjacking Attack, Putting Logins and 2FA at Risk

  • Several widely used browser password manager extensions are vulnerable to a new clickjacking attack.
  • The weakness could allow attackers to steal logins, two-factor authentication codes, and credit card data.
  • The flaw impacts major products, including 1Password, iCloud Passwords, Bitwarden, Enpass, LastPass, and LogMeOnce.
  • Some vendors have not released patches; users are advised to turn off auto-fill features as a precaution.
  • The attack method exploits invisible browser extension prompts via the Document Object Model (DOM).

Security researcher Marek Tóth revealed on August 20, 2025, that multiple major password manager browser extensions are vulnerable to a newly discovered type of clickjacking attack. The findings were presented at the DEF CON 33 conference earlier in August and affect millions of users worldwide.

Tóth explained that the attack method, called Document Object Model (DOM)-based extension clickjacking, allows an attacker to steal sensitive information like login credentials, two-factor authentication (2FA) codes, and payment card data. According to Tóth, “A single click anywhere on an attacker-controlled website could allow attackers to steal users’ data (credit card details, personal data, login credentials, including TOTP).”

The issue targets the way password manager extensions auto-fill forms in web pages. Attackers can use malicious code to make these auto-fill prompts invisible by setting their opacity to zero in the DOM, the in-memory tree structure that browsers use to represent the content and elements of a web page. When a user interacts with a fake pop-up on a malicious site, that click can trigger the password manager to auto-fill hidden fields, sending data like passwords or 2FA codes directly to an attacker’s remote server.

Tóth found the vulnerability in 11 popular password manager add-ons, including 1Password, iCloud Passwords, Bitwarden, Enpass, LastPass, and LogMeOnce. He noted, “All password managers filled credentials not only to the ‘main’ domain, but also to all subdomains. An attacker could easily find XSS or other vulnerabilities and steal the user’s stored credentials with a single click (10 out of 11), including TOTP (9 out of 11).”
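The two weaknesses described above, hidden fill targets and filling into every subdomain, translate into two checks an extension could run before writing credentials into a page. The following is an added example, not code from the article, from Marek Tóth, or from any password manager vendor: it models a visibility gate (refusing to fill when the field or any ancestor is hidden) and an exact-origin policy (refusing to fill when the page host is only a subdomain of the stored entry). It goes slightly beyond the article by also treating `display: none`, `visibility: hidden` and zero-size boxes as hidden, not just `opacity: 0`. Plain objects stand in for DOM nodes so it runs under Node; a real extension would consult `getComputedStyle()` and `getBoundingClientRect()` instead, and the `makeNode` helper and sample URLs are constructed for this illustration.

```javascript
// Added example (not the article's or any vendor's code): defender-side
// pre-fill checks for a password manager extension.
// Assumption: a DOM node is modelled as { tag, style, rect, parent }.

// Constructed stand-in for a DOM node: inline style plus a layout box.
function makeNode(tag, style = {}, rect = { width: 120, height: 24 }, parent = null) {
  return { tag, style, rect, parent };
}

// True only if the node and every ancestor would actually be seen by the user.
// An extension could run this before injecting a prompt or filling a field.
function isEffectivelyVisible(node) {
  for (let cur = node; cur !== null; cur = cur.parent) {
    const s = cur.style;
    if (s.display === 'none' || s.visibility === 'hidden') return false;
    if (s.opacity !== undefined && Number(s.opacity) < 0.1) return false; // near-transparent, incl. opacity: 0
    if (cur.rect.width === 0 || cur.rect.height === 0) return false;     // collapsed box
  }
  return true;
}

// Exact-host policy: the stored entry must match the page on scheme and
// hostname. The subdomain-tolerant behaviour the researcher criticises is
// reachable only through the explicit allowSubdomains flag, for contrast.
function originMatchesStoredEntry(storedUrl, pageUrl, { allowSubdomains = false } = {}) {
  const stored = new URL(storedUrl);
  const page = new URL(pageUrl);
  if (page.protocol !== 'https:') return false;        // never fill over plain HTTP
  if (stored.hostname === page.hostname) return true;
  if (!allowSubdomains) return false;
  return page.hostname.endsWith('.' + stored.hostname);
}

// Combined gate: fill only when the target is visible and the origin matches.
function shouldAutofill(targetField, storedUrl, pageUrl, opts) {
  return isEffectivelyVisible(targetField) && originMatchesStoredEntry(storedUrl, pageUrl, opts);
}

// Constructed sample page: a genuine login form next to a wrapper whose
// opacity has been set to zero, as the article describes.
const body = makeNode('body');
const visibleForm = makeNode('form', {}, { width: 400, height: 200 }, body);
const visibleInput = makeNode('input', {}, { width: 200, height: 30 }, visibleForm);
const hiddenWrapper = makeNode('div', { opacity: '0' }, { width: 400, height: 200 }, body);
const hiddenInput = makeNode('input', {}, { width: 200, height: 30 }, hiddenWrapper);

// Demonstration when run directly with `node`.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(shouldAutofill(visibleInput, 'https://example.com/login', 'https://example.com/login'));   // true
  console.log(shouldAutofill(hiddenInput, 'https://example.com/login', 'https://example.com/login'));    // false
  console.log(shouldAutofill(visibleInput, 'https://example.com/login', 'https://sub.example.com/'));    // false
  console.log(shouldAutofill(visibleInput, 'https://example.com/login', 'https://sub.example.com/',
    { allowSubdomains: true }));                                                                          // true
}
```

The visibility walk matters because the page, not the extension, controls the styling of ancestors around an injected prompt or a target input, so checking the field's own style alone is not enough. The exact-host default is the policy change the researcher's subdomain finding argues for; a vendor that needs subdomain sharing for legitimate single sign-on flows would make it an explicit per-entry opt-in rather than the default.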

According to security firm Socket, some password managers, such as Bitwarden, Enpass, and iCloud Passwords, are working on fixes. Others, including 1Password and LastPass, labeled the reports as informative but have not yet released patches. The vulnerability has been reported to US-CERT for official tracking.

Users are urged to disable the auto-fill function in their password managers until updates are available. Tóth recommends, “For Chromium-based browser users, it is recommended to configure site access to ‘on click’ in extension settings. This configuration allows users to manually control auto-fill functionality.” More details on this attack are available on the researcher’s blog and in Socket’s independent review.