
Click Studios Fixes Passwordstate Emergency Access Flaw


Click Studios, the company behind the enterprise-grade password management tool Passwordstate, has issued security updates to fix an authentication bypass vulnerability in its software.

This critical flaw, which has not yet received a CVE identifier, was resolved in Passwordstate version 9.9 (Build 9972), released on August 28, 2025. 

The Australian firm stated that it addressed a "potential Authentication Bypass when using a carefully crafted URL against the core Passwordstate Products' Emergency Access page." 

The latest release also includes enhanced defenses to protect users from possible clickjacking attacks targeting its browser extension. These measures are designed to reduce risks for users who may visit compromised websites. 

These improvements appear to be a response to recent research by Marek Tóth. Earlier this month, Tóth described a method known as Document Object Model (DOM)-based extension clickjacking. He found that several browser extensions used by password managers are vulnerable to this technique. According to Tóth, "A single click anywhere on an attacker-controlled website could allow attackers to steal users' data (credit card details, personal data, login credentials, including TOTP)." He added that the method is broadly applicable to other types of browser extensions. 

Click Studios reports that Passwordstate is used by 29,000 customers and 370,000 security and IT professionals. Its user base includes global enterprises, government bodies, financial institutions, and Fortune 500 companies. 

This announcement follows a supply chain attack that occurred more than four years ago. During that incident, attackers compromised the software's update mechanism and deployed malware designed to collect sensitive data from affected systems. 

In December 2022, the company also patched several vulnerabilities in Passwordstate. Among them was an authentication bypass affecting the API (CVE-2022-3875, CVSS score: 9.1). This flaw could have allowed an unauthenticated remote attacker to access users' plaintext passwords. 
