
An infosec specialist has discovered that six of the most popular password managers, used by tens of millions of people, are vulnerable to clickjacking, enabling attackers to steal credentials, two-factor authentication codes, and bank card data.
Independent researcher Marek Tóth was the first to report this issue, presenting a talk on the vulnerabilities at the recently held DEF CON 33 hacker conference. His findings were later confirmed by experts from Socket, who helped notify the affected vendors and coordinate the public disclosure of the vulnerabilities.
The researcher tested his attack on specific versions of 1Password, Bitwarden, Enpass, iCloud Passwords, LastPass, and LogMeOnce and found that all browser-based versions can allow sensitive data to leak in certain scenarios.
Attackers can exploit vulnerabilities when victims visit malicious pages or sites that are vulnerable to XSS attacks or cache poisoning. As a result, the attackers can overlay invisible HTML elements on top of the password manager’s interface. The user will believe they are interacting with harmless clickable elements on the page, but in reality they will trigger autofill, which will “leak” their sensitive information to the hackers.
The attack revolves around launching a script on a malicious or compromised site. This script uses transparency settings, overlays, or the pointer-events property to hide the browser password manager’s autofill dropdown menu.

At the same time, the attacker overlays the page with fake, user-annoying elements (for example, cookie banners, pop-up windows, or CAPTCHAs). But clicks on these elements land on hidden password manager controls, causing forms to be filled with sensitive information.
He demonstrated several DOM-based variants of the same bug: directly manipulating the opacity of the password manager's DOM elements, manipulating the opacity of the root element, manipulating the opacity of a parent element, and partial or full overlays.
The researcher also demonstrated a technique in which the hidden UI follows the mouse cursor, so any user click, wherever it occurs, triggers autofill. Tóth emphasized that a malicious script can automatically detect which password manager is active in the victim's browser and then tailor the attack to that specific target in real time.
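The variants above (root, parent, or element opacity driven down; a click arriving at a dropdown that was just placed under the cursor) are all things an extension can check for before it honours a click on its own autofill dropdown. The following is an added example, not code from the article, from Tóth's talk, or from any of the vendors named here; it sketches such a pre-autofill guard. Effective opacity is computed by walking the ancestor chain, because CSS opacity composes multiplicatively, and a click is also rejected if it lands outside the dropdown or arrives faster than a dwell threshold. The thresholds, the node structure, the `shownAt` timestamp and the injected `getStyle`/`hitTest` helpers are assumptions made so the same logic runs against a constructed tree in Node; in a browser they would be `getComputedStyle` and `document.elementFromPoint`.

```javascript
// Added example (not the article's or any vendor's code): a pre-autofill
// clickjacking guard for an extension-injected dropdown.
const MIN_VISIBLE_OPACITY = 0.9; // assumption: anything dimmer is treated as hidden
const MIN_DWELL_MS = 500;        // assumption: a click this soon after showing is suspect

// CSS opacity composes multiplicatively down the tree, so a fully opaque
// dropdown beneath an <html> or parent element set to 0.01 is still invisible.
function effectiveOpacity(el, getStyle) {
  let opacity = 1;
  for (let node = el; node; node = node.parentElement) {
    const style = getStyle(node);
    if (style.display === "none" || style.visibility === "hidden") return 0;
    const o = parseFloat(style.opacity);
    if (!Number.isNaN(o)) opacity *= o;
  }
  return opacity;
}

function isSelfOrDescendant(ancestor, node) {
  for (let n = node; n; n = n.parentElement) if (n === ancestor) return true;
  return false;
}

// Returns { allow, reasons }. `dropdown` is the manager-injected element,
// `shownAt`/`now` are millisecond timestamps, `event` carries the click
// coordinates, and `dom` supplies getStyle(el) and hitTest(x, y)
// (getComputedStyle and document.elementFromPoint in a real browser).
function shouldHonourAutofillClick({ dropdown, shownAt, now, event, dom }) {
  const reasons = [];
  const opacity = effectiveOpacity(dropdown, dom.getStyle);
  if (opacity < MIN_VISIBLE_OPACITY) reasons.push(`effective opacity ${opacity}`);
  if (now - shownAt < MIN_DWELL_MS) reasons.push("click before dwell time elapsed");
  const hit = dom.hitTest(event.clientX, event.clientY);
  if (!isSelfOrDescendant(dropdown, hit)) reasons.push("click target outside dropdown");
  return { allow: reasons.length === 0, reasons };
}

// ---- constructed scenarios so the guard can be exercised outside a browser ----
function node(name, style, parentElement = null) {
  return { name, style, parentElement };
}

function buildTree(rootOpacity) {
  const html = node("html", { opacity: rootOpacity });
  const body = node("body", { opacity: "1" }, html);
  const dropdown = node("pm-dropdown", { opacity: "1" }, body);
  const item = node("pm-item", { opacity: "1" }, dropdown);
  return { dropdown, item };
}

// Scenario A: honest page, dropdown fully visible, user clicks an item 2 s later.
function scenarioHonest() {
  const { dropdown, item } = buildTree("1");
  return shouldHonourAutofillClick({
    dropdown, shownAt: 1000, now: 3000,
    event: { clientX: 10, clientY: 10 },
    dom: { getStyle: n => n.style, hitTest: () => item },
  });
}

// Scenario B: the root element's opacity has been pushed to 0.01 and the click
// fires 50 ms after the dropdown appeared, while still landing on an item.
function scenarioRootOpacity() {
  const { dropdown, item } = buildTree("0.01");
  return shouldHonourAutofillClick({
    dropdown, shownAt: 1000, now: 1050,
    event: { clientX: 10, clientY: 10 },
    dom: { getStyle: n => n.style, hitTest: () => item },
  });
}

console.log("honest:", scenarioHonest());
console.log("root opacity 0.01:", scenarioRootOpacity());
```

The check covers the opacity variants and the moved-under-the-cursor variant. It does not see an opaque overlay placed above the dropdown with `pointer-events: none`, because `elementFromPoint` skips such elements and returns the dropdown anyway; occlusion of that kind is what the `trackVisibility` option of `IntersectionObserver` was introduced for, and an extension would combine that signal with a check like this one.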

In total, the researcher tested 11 password managers for susceptibility to clickjacking and found that all of them were vulnerable to at least one attack method.

Although Tóth notified all vendors about the issues back in April 2025 and also warned them that public disclosure of the vulnerabilities was planned for DEF CON 33, there was no prompt response.
Last week, Socket experts reached out to the developers once more to notify them again of the need to assign CVE IDs to the issues in the relevant products.
Representatives of 1Password marked the researcher’s report as “informational,” arguing that clickjacking is a general threat that, essentially, users themselves should protect against.
The LastPass developers also found the report “informative,” while Bitwarden acknowledged the issues; although the company did not consider them serious, fixes were included in version 2025.8.0, released last week.

At the same time, neither Tóth nor Socket was able to contact the LogMeOnce developers. Only after numerous media reports did LogMeOnce representatives tell Bleeping Computer that they had already prepared a patch.
Currently, the following password managers, which together have about 40 million users, are vulnerable to clickjacking attacks:
- 1Password 8.11.4.27
- Bitwarden 2025.7.0
- Enpass 6.11.6 (a partial fix was implemented in version 6.11.4.2)
- iCloud Passwords 3.1.25
- LastPass 4.146.3
- LogMeOnce 7.12.4
Patches have already been rolled out for the following products: Dashlane (v6.2531.1 released on August 1), NordPass, ProtonPass, RoboForm, and Keeper (17.2.0 released in July). Users are now advised to ensure they have the latest available versions installed.
LastPass representatives told the media that they have already implemented certain protections against clickjacking, including a pop-up notification that appears before autofilling payment card and personal data. The developers also promised to explore further ways to protect users.
1Password reiterated that the clickjacking issue is not unique to the company’s browser extension.
“This is a well-known web attack technique that affects websites and browser extensions in general. Since the underlying issue lies in how browsers render web pages, we believe there is no comprehensive technical fix that browser extensions can implement on their own,” 1Password says, noting that the extension already requires confirmation before autofilling payment information, and that in the next release users will be able to enable similar warnings for other types of data.
To protect against such attacks, Tóth and the experts at Socket recommend that users disable the autofill feature in their password managers altogether and rely on copy-and-paste only.