- cross-posted to:
- cybersecurity@sh.itjust.works
Fixed: NordPass, ProtonPass, RoboForm, Dashlane, Keeper
Still vulnerable: Bitwarden, 1Password, iCloud Passwords, Enpass, LastPass, LogMeOnce
Key Points
- A new clickjacking technique in which a malicious script manipulates UI elements that browser extensions inject into the DOM, making them invisible using JavaScript.
- In my research, I selected 11 password managers that are used as browser extensions and the result was that all were vulnerable to “DOM-based Extension Clickjacking”. Tens of millions of users could be at risk (~40 million active installations).
- A single click anywhere on the attacker’s website could leak credit card details including security codes (6 out of 9 were vulnerable) or exfiltrate stored personal information (8 out of 10 vulnerable).
- All password managers filled credentials not only to the “main” domain, but also to all subdomains. An attacker could easily find XSS or other vulnerabilities and steal the user’s stored credentials with a single click (10 out of 11), including TOTP (9 out of 11). In some scenarios, passkey authentication could also be exploited (8 out of 11).
- All vulnerabilities were reported in April 2025 with a notice that public disclosure would be in August 2025. Some vendors have still not fixed the described vulnerability: Bitwarden, 1Password, iCloud Passwords, Enpass, LastPass, LogMeOnce. Users of these password managers may still be at risk (~32.7 million active installations).
- For Chromium-based browser users, it is recommended to configure site access to “on click” in the extension settings. This configuration allows users to manually control the autofill functionality.
- The described technique is general and I only tested it on 11 password managers. Other DOM-manipulating extensions are probably vulnerable (password managers, crypto wallets, notes etc.).
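As an added illustration (not code from the original post, the research, or any of the listed vendors), here is a visibility check an extension content script could run before treating a click on its injected element as genuine; `findInvisibilityReason` and `isClickTrustworthy` are hypothetical names, and the opacity and size thresholds are assumptions.

```javascript
// The technique above hides the extension's injected UI (opacity, visibility,
// shrinking, or an overlay) so the user clicks it without realising. A defence
// is for the extension to refuse to act unless its element is really visible.

// Pure check over the computed styles of the element and its ancestors (up to
// <html>), so it can be unit-tested without a DOM. Each entry has the string
// fields a CSSStyleDeclaration exposes: opacity, visibility, display, clipPath.
// Returns a reason string when the click should be ignored, or null if OK.
function findInvisibilityReason(styleChain, rect, topIsOurs) {
  for (const s of styleChain) {
    if (parseFloat(s.opacity) < 0.9) return 'opacity';     // near-transparent self/ancestor
    if (s.visibility === 'hidden') return 'visibility';
    if (s.display === 'none') return 'display';
    if (s.clipPath && s.clipPath !== 'none') return 'clip-path';
  }
  if (rect.width < 8 || rect.height < 8) return 'size';     // shrunk to a speck
  if (!topIsOurs) return 'covered';                          // hit-test lands elsewhere
  return null;
}

// Browser wrapper (assumes a real DOM and an element in the light DOM):
// collects the style chain and asks the browser what it hit-tests at the
// click point. Note: opacity does not affect hit testing, so the style check
// is what catches the opacity:0 case; elementFromPoint catches overlays that
// actually receive the click.
function isClickTrustworthy(el, clickX, clickY) {
  const chain = [];
  for (let n = el; n && n.nodeType === 1; n = n.parentElement) {
    chain.push(getComputedStyle(n));
  }
  const rect = el.getBoundingClientRect();
  const hit = document.elementFromPoint(clickX, clickY);
  const topIsOurs = hit === el || el.contains(hit);
  return findInvisibilityReason(chain, rect, topIsOurs) === null;
}

// Constructed sample: a visible dropdown vs. one with an opacity:0 ancestor.
const VISIBLE = { opacity: '1', visibility: 'visible', display: 'block', clipPath: 'none' };
function demo() {
  const rect = { width: 240, height: 48 };
  return {
    honest: findInvisibilityReason([VISIBLE, VISIBLE], rect, true),            // null
    hiddenAncestor: findInvisibilityReason([VISIBLE, { ...VISIBLE, opacity: '0' }], rect, true), // 'opacity'
  };
}
```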
As I understand it, the attack vector is the autofill function? If you disable it you’re probably safe? -ish?..
(I’m a webdev, we don’t do security hur hur)
The attack vector is an autofill function on a compromised website that has the attacker’s JavaScript running, either injected into a webpage or on a subdomain hosting user content. Since autofill will never fill passwords from another domain, others won’t be at risk. But why bother with clickjacking at that point? You could just have your malicious script read the password values silently once the user enters them, password manager or not. That’s not a password manager problem, that’s the problem of the vulnerable website.
The one that is actually dangerous, which shared all passwords across all domains, actually had a bug bounty awarded to the guy and is now fixed; good for him on finding that. The rest is really a non-issue, I wouldn’t worry that much.
Though credit card details and personal user info autofill might be problematic since those are not site-bound. I would either disable those or just not store them in the password manager.
So long story short, compromised websites can steal your password if you give them your password.
But that’s so much less fun as a headline!