A recent study by researcher Marek Tóth revealed that nearly a dozen popular password managers are vulnerable to clickjacking attacks, which could expose sensitive user data. Tóth presented his findings at DEF CON and later published a detailed blog post.
The study focused on browser extensions for 1Password, Bitwarden, Dashlane, Enpass, Keeper, LastPass, LogMeOnce, NordPass, ProtonPass, RoboForm, and Apple’s iCloud Passwords. These extensions have nearly 40 million active installations across Chrome, Edge, and Firefox.
Clickjacking tricks a user into clicking something other than what they see. In the variant Tóth described, the attacker's page uses JavaScript to make the password manager's own autofill UI (the dropdown or icon the extension injects into the page) transparent, then shows a decoy such as a cookie banner or CAPTCHA at the same spot; the click the user thinks is dismissing the decoy actually selects an autofill entry, and the usernames, passwords, passkeys, or payment details land in the attacker's form. Some variants need only a single click. Because stored logins are offered only for the site they belong to, stealing a particular site's credentials requires the attacker's script to run on that site's origin, for example through an XSS flaw or a subdomain takeover, whereas card and identity data can be harvested from any attacker-controlled page.
The DOM (Document Object Model) is the tree of elements a browser builds from a page, and any script running in the page can change it. Password manager extensions insert their autofill controls into that same tree, so a script on the page can restyle them, for example by setting their opacity to 0, or apply such a rule to a parent element, which hides the control even when the extension has tried to isolate it in a shadow root. The element stays in place and still receives clicks; only its appearance is gone.
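As an added example (not code from Tóth's research or from any of the vendors named in this article), the following JavaScript shows the manipulation described in the two paragraphs above and the visibility check an extension can run on its injected UI before it honours a click. The element model, the function names and the 0.9 opacity threshold are my own assumptions; in a browser you would pass real DOM elements and let the default getComputedStyle accessor run.

```javascript
// Added example, not vendor code. Models the DOM-based extension clickjacking
// pattern and a defensive visibility guard for the extension's injected UI.

const OPACITY_THRESHOLD = 0.9; // assumption: anything less transparent counts as hidden

// Walks from the element up to the root. A display/visibility/opacity rule on ANY
// ancestor hides the element as effectively as one on the element itself, which
// is why checking the element's own style alone is not enough.
function findHidingAncestor(el, getStyle = (e) => globalThis.getComputedStyle(e)) {
  for (let node = el; node; node = node.parentElement) {
    const s = getStyle(node);
    if (s.display === 'none') return { node, reason: 'display:none' };
    if (s.visibility === 'hidden') return { node, reason: 'visibility:hidden' };
    const opacity = s.opacity === '' ? 1 : Number(s.opacity);
    if (!(opacity >= OPACITY_THRESHOLD)) return { node, reason: `opacity:${s.opacity}` };
  }
  return null;
}

// What the extension would consult inside its click handler before autofilling.
function safeToAutofill(el, getStyle) {
  return findHidingAncestor(el, getStyle) === null;
}

// Attacker side, for illustration: the page cannot always style the dropdown
// itself (it may sit in a shadow root), but it can style the container the
// extension appended to the page, and opacity is inherited by everything below.
function attackerHidesUi(dropdown) {
  dropdown.parentElement.style.opacity = '0';
}

// Minimal stand-in for DOM elements so the example runs in Node without a
// browser (constructed model). Real code would pass actual elements instead.
function makeElement(style = {}, parent = null) {
  return {
    style: { display: '', visibility: '', opacity: '', ...style },
    parentElement: parent,
  };
}
const inlineStyle = (e) => e.style; // style accessor for the stand-in elements

// Builds html > body > wrapper > dropdown, runs the attack, and reports whether
// the guard rejected the click and which ancestor caused the rejection.
function demo() {
  const html = makeElement();
  const body = makeElement({}, html);
  const wrapper = makeElement({}, body);      // container the extension injected
  const dropdown = makeElement({}, wrapper);  // autofill menu the victim "clicks"

  const before = safeToAutofill(dropdown, inlineStyle);
  attackerHidesUi(dropdown);
  const after = safeToAutofill(dropdown, inlineStyle);
  const hit = findHidingAncestor(dropdown, inlineStyle);

  return {
    before,                                   // true: visible, autofill allowed
    after,                                    // false: hidden, autofill refused
    reason: hit ? hit.reason : null,          // 'opacity:0'
    hiddenNodeIsWrapper: hit ? hit.node === wrapper : false,
  };
}
```

Note that checking which element sits at the click coordinates (document.elementFromPoint) would not catch this attack: the transparent extension UI really is the topmost element at that point, which is exactly why the click reaches it. The style walk above is one layer; opacity is not the only way to hide an element (clipping, off-screen positioning and overlays exist too), so vendors pair such checks with an explicit confirmation step, as the statements later in this article describe.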
While some vendors have issued patches, Bitwarden, 1Password, iCloud Passwords, Enpass, LastPass, and LogMeOnce have yet to release fixes. Bitwarden plans to roll out an update in version 2025.8.0, and LogMeOnce is actively working on a solution.
1Password’s CISO Jacob DePriest emphasized that clickjacking is a widespread issue rooted in browser behavior. He noted that 1Password already requires user confirmation before autofilling payment data and will expand this feature to other types of information.
Alex Cox from LastPass acknowledged the challenge of balancing security with user experience. LastPass has added safeguards like pop-up alerts before autofilling sensitive data and continues to explore further protections. He advised users to stay cautious and keep their extensions updated.