Red Hot Cyber
Popular password managers, including LastPass, 1Password, and Bitwarden, are vulnerable to clickjacking.

Redazione RHC : 28 August 2025 17:56

A security expert has discovered that six of the most popular password managers, used by tens of millions of people, are vulnerable to clickjacking, a phenomenon that allows attackers to steal login credentials, two-factor authentication codes, and credit card information.

The issue was first reported by independent researcher Marek Tóth, who presented a vulnerability report at the recent DEF CON 33 hacker conference. His findings were later confirmed by Socket experts, who helped notify the affected vendors and coordinate public disclosure of the vulnerabilities.

He tested his attack on specific versions of the browser extensions of 1Password, Bitwarden, Enpass, iCloud Passwords, LastPass and LogMeOnce and found that all of them could leak sensitive data in certain scenarios.

Attackers can exploit vulnerabilities when victims visit malicious pages or sites vulnerable to XSS attacks or cache poisoning. As a result, attackers are able to overlay invisible HTML elements on the password manager interface. The user will think they are interacting with harmless clickable elements on the page, but in reality, they will trigger autofill, which will “leak” their sensitive information to hackers.

The attack relies on running a script on a malicious or compromised website. This script uses transparency settings, overlays, or pointer events to hide the browser extension’s autofill drop-down menu. At the same time, the attacker overlays fake but harmless-looking elements on the page (such as cookie banners, pop-ups, or CAPTCHAs). Clicks on these elements actually land on the hidden password manager controls, so the forms are filled with sensitive information.

He demonstrated several DOM-based variants and exploits of the same bug: direct manipulation of the opacity of the DOM element, manipulation of the opacity of the root element, manipulation of the opacity of a parent element, and partial or complete overlay.

The researcher also demonstrated a method in which the user interface follows the mouse cursor, so a click anywhere on the page triggers autofill. Tóth also emphasized that the malicious script can automatically detect which password manager is active in the victim’s browser and thus tailor the attack to a specific target in real time.
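As an added example that is not from the article or from any vendor's code, the following visibility guard shows the kind of check a password manager's content script could run before honouring a click on its injected autofill drop-down. It rejects the click under each of the four variants listed above (element, parent and root opacity, and an overlay). The DOM is a constructed plain-object tree so the function runs outside a browser; in a real content script the two callbacks would be window.getComputedStyle and document.elementFromPoint, and the 0.9 opacity threshold is an assumed policy value.

```javascript
// Assumed policy: anything dimmer than this is treated as hidden from the user.
const OPACITY_THRESHOLD = 0.9;

// Returns true only if the drop-down is genuinely visible and on top.
function isDropdownVisible(el, getComputedStyle, elementFromPoint) {
  // Walk from the drop-down up to the root: dimming any ancestor hides it too.
  for (let node = el; node; node = node.parentElement) {
    const style = getComputedStyle(node);
    if (style.display === 'none' || style.visibility === 'hidden') return false;
    if (parseFloat(style.opacity) < OPACITY_THRESHOLD) return false;
    if (node === el && style.pointerEvents === 'none') return false;
  }
  // Hit-test the centre of the drop-down: if some other element is returned,
  // something is stacked over it and the click was not aimed at the drop-down.
  const r = el.getBoundingClientRect();
  const top = elementFromPoint(r.left + r.width / 2, r.top + r.height / 2);
  return top === el || (top !== null && el.contains(top));
}

// --- Constructed fixture standing in for a page DOM (not a real document) ---
function makeNode(parent, style, rect) {
  const node = { parentElement: parent, style, rect };
  node.getBoundingClientRect = () => rect;
  node.contains = (other) => {
    for (let n = other; n; n = n.parentElement) if (n === node) return true;
    return false;
  };
  return node;
}
const baseStyle = { display: 'block', visibility: 'visible', opacity: '1', pointerEvents: 'auto' };
const rect = { left: 100, top: 200, width: 200, height: 40 };

// Builds root > parent > dropdown and applies one hiding variant, then runs the guard.
function checkScenario(variant) {
  const root = makeNode(null, { ...baseStyle }, rect);
  const parent = makeNode(root, { ...baseStyle }, rect);
  const dropdown = makeNode(parent, { ...baseStyle }, rect);
  let overlay = null;
  if (variant === 'element-opacity') dropdown.style.opacity = '0';
  if (variant === 'parent-opacity') parent.style.opacity = '0.01';
  if (variant === 'root-opacity') root.style.opacity = '0';
  if (variant === 'overlay') overlay = makeNode(root, { ...baseStyle }, rect); // sits on top
  const elementFromPoint = () => overlay || dropdown; // overlay wins the hit test if present
  return isDropdownVisible(dropdown, (n) => n.style, elementFromPoint);
}

console.log(['clean', 'element-opacity', 'parent-opacity', 'root-opacity', 'overlay']
  .map((v) => `${v}: ${checkScenario(v) ? 'accept click' : 'reject click'}`).join('\n'));
```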

Subsequently, the researcher tested 11 password managers for clickjacking vulnerabilities and found that all were vulnerable to at least one of the attack methods. Although Tóth had informed all vendors of the issues as early as April 2025 and had also warned them that public disclosure of the vulnerabilities was planned for DEF CON 33, there was no immediate response. Last week, Socket contacted the developers again to reiterate the need to assign CVEs to the issues in the affected products.

1Password representatives called the researcher’s report “informative,” arguing that clickjacking is a common threat that users should essentially protect themselves from. LastPass developers also found the report “informative.” Bitwarden acknowledged the issues and, although the company did not consider them serious, implemented fixes in version 2025.8.0, released last week. The following password managers, which collectively have approximately 40 million users, are currently vulnerable to clickjacking attacks:

  • 1Password 8.11.4.27
  • Bitwarden 2025.7.0
  • Enpass 6.11.6 (partial fix implemented in version 6.11.4.2)
  • iCloud Passwords 3.1.25
  • LastPass 4.146.3
  • LogMeOnce 7.12.4

The following vendors have already patched their products: Dashlane (v6.2531.1, released on August 1), NordPass, ProtonPass, RoboForm, and Keeper (17.2.0, released in July). Users are advised to make sure they have the latest available versions of these products installed.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.