A cybersecurity researcher has disclosed zero-day clickjacking vulnerabilities affecting eleven major password managers, potentially exposing tens of millions of users to credential theft through a single malicious click.
The research, conducted by security expert Marek Tóth, reveals that attackers can exploit these vulnerabilities to steal credit card details, personal information, login credentials, and even two-factor authentication codes from unsuspecting users.
The new attack technique, dubbed “DOM-based Extension Clickjacking,” represents a significant evolution from traditional web-based clickjacking attacks.
DOM-based Extension Attack Chain
Unlike conventional methods that target web applications through invisible iframes, this technique manipulates user interface elements that password manager extensions inject into web page DOM structures, making them invisible while remaining clickable.
The attack works by creating malicious scripts that hide extension UI elements using JavaScript manipulation, particularly through opacity adjustments and DOM overlay techniques.
When users encounter seemingly legitimate elements like cookie consent banners or CAPTCHA challenges on compromised websites, a single click can trigger the automatic filling of hidden forms with their stored sensitive data.
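The mechanics above (an injected widget made invisible through opacity or hidden behind a decoy overlay) suggest the check an extension can run on the defensive side: before a click on its autofill widget is honoured, confirm the widget is actually visible at the point being clicked. The code below is an added illustration, not the article's or any password manager's code. It models the element tree as plain objects with an assumed opacity threshold and viewport so it runs offline; in a content script the same fields would come from `getComputedStyle` and `getBoundingClientRect`.

```javascript
// Added, illustrative visibility gate for an extension's injected autofill widget.
// Node model: { name, style: {opacity, display, visibility, pointerEvents}, rect, parent }.
const MIN_OPACITY = 0.95;                         // assumed "visible enough" threshold
const VIEWPORT = { width: 1280, height: 800 };    // constructed viewport size

// Multiply CSS opacity along the ancestor chain; display:none or
// visibility:hidden anywhere above the widget hides it completely.
function effectiveOpacity(node) {
  let opacity = 1;
  for (let n = node; n; n = n.parent) {
    const s = n.style || {};
    if (s.display === 'none' || s.visibility === 'hidden') return 0;
    opacity *= s.opacity === undefined ? 1 : Number(s.opacity);
  }
  return opacity;
}

function isSelfOrDescendant(node, ancestor) {
  for (let n = node; n; n = n.parent) if (n === ancestor) return true;
  return false;
}

// Topmost *painted* node at (x, y): last node in paint order whose box contains
// the point and that is actually drawn. Unlike document.elementFromPoint this
// does NOT skip pointer-events:none nodes, because a decoy painted over the
// widget with pointer-events:none still hides it while letting clicks through.
function makeOcclusionTest(nodesInPaintOrder) {
  return (x, y) => {
    let top = null;
    for (const n of nodesInPaintOrder) {
      const r = n.rect;
      if (!r || effectiveOpacity(n) === 0) continue;
      if (x >= r.x && x < r.x + r.width && y >= r.y && y < r.y + r.height) top = n;
    }
    return top;
  };
}

// Every reason the widget should be treated as clickjacked; an empty list means
// it is genuinely visible where the user is about to click.
function clickjackingReasons(widget, occludes, viewport = VIEWPORT) {
  const reasons = [];
  const opacity = effectiveOpacity(widget);
  if (opacity < MIN_OPACITY) reasons.push(`effective opacity ${opacity} is below ${MIN_OPACITY}`);

  const r = widget.rect;
  if (!r || r.width < 1 || r.height < 1) {
    reasons.push('widget has no visible box');
    return reasons;
  }
  const cx = r.x + r.width / 2, cy = r.y + r.height / 2;
  if (cx < 0 || cy < 0 || cx > viewport.width || cy > viewport.height) {
    reasons.push('widget is positioned off screen');
  }
  const top = occludes(cx, cy);
  if (!top || !isSelfOrDescendant(top, widget)) reasons.push('another element is painted over the widget');
  return reasons;
}

function allowAutofillClick(widget, occludes) {
  return clickjackingReasons(widget, occludes).length === 0;
}

// Constructed scenario: a page with a full-screen "cookie consent" decoy and the
// extension's widget inside a wrapper whose opacity the page controls.
function demoScenario({ widgetOpacity = 1, decoyAboveWidget = false } = {}) {
  const body = { name: 'body', style: {}, rect: { x: 0, y: 0, width: 1280, height: 800 }, parent: null };
  const wrapper = { name: 'wrapper', style: { opacity: widgetOpacity },
                    rect: { x: 100, y: 100, width: 200, height: 40 }, parent: body };
  const widget = { name: 'pm-autofill-widget', style: {},
                   rect: { x: 100, y: 100, width: 200, height: 40 }, parent: wrapper };
  const decoy = { name: 'cookie-banner', style: { pointerEvents: 'none' },
                  rect: { x: 0, y: 0, width: 1280, height: 800 }, parent: body };
  const paintOrder = decoyAboveWidget ? [body, wrapper, widget, decoy] : [body, decoy, wrapper, widget];
  return { widget, occludes: makeOcclusionTest(paintOrder) };
}
```

The occlusion test is the part `document.elementFromPoint` cannot supply on its own, since it ignores `pointer-events: none` elements; in Chromium the equivalent live signal is IntersectionObserver v2 with `trackVisibility: true`, whose `isVisible` flag reports whether the observed element is unoccluded and unaltered by opacity or filters.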
Extensive Testing Reveals Widespread Vulnerability
Tóth’s comprehensive research tested eleven popular password managers, including industry leaders such as 1Password, Bitwarden, LastPass, Dashlane, Keeper, and others.
The results were alarming: all tested password managers were initially vulnerable to at least one variant of the DOM-based Extension Clickjacking technique.
The vulnerabilities affect approximately 40 million active installations across Chrome Web Store, Firefox Add-ons, and Edge Add-ons platforms.
Six out of nine tested password managers were vulnerable to credit card detail extraction, while eight out of ten could be exploited to exfiltrate stored personal information.
Perhaps most concerning, ten out of eleven password managers were susceptible to credential theft, including Time-based One-Time Password (TOTP) codes used for two-factor authentication.
Following responsible disclosure in April 2025, several vendors have implemented fixes. Dashlane, Keeper, NordPass, ProtonPass, and RoboForm have successfully patched their extensions against the described attack methods.
However, major players, including 1Password, Bitwarden, LastPass, iCloud Passwords, Enpass, and LogMeOnce, remain vulnerable as of August 2025, representing approximately 32.7 million active installations still at risk.
Vulnerable password managers
The persistence of these vulnerabilities in widely used password managers highlights the complexity of securing browser extensions against sophisticated client-side attacks.
Unlike traditional clickjacking, which can be mitigated through HTTP headers like X-Frame-Options or Content-Security-Policy, DOM-based attacks require more comprehensive defensive measures at the extension level.
Attack Scenarios and Real-World Impact
The research demonstrates multiple attack scenarios with varying levels of sophistication. On an attacker-controlled website, malicious actors can steal credit card details and personal information without requiring any existing vulnerabilities in legitimate services.
PoC published by the researcher
More concerning is the subdomain attack vector, where attackers exploit Cross-Site Scripting (XSS) vulnerabilities or subdomain takeovers to target users on trusted domains.
Password managers typically autofill credentials not only on the exact domain where they were saved but also on all subdomains, significantly expanding the attack surface.
This means an attacker finding XSS on any subdomain can potentially steal a user’s primary account credentials through clickjacking techniques.
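The subdomain exposure comes down to the scope rule an extension applies when deciding whether a saved credential belongs to the current page. The code below is an added illustration, not the article's or any vendor's code: it compares the subdomain-wide default the article describes with an exact-origin policy, using a small constructed suffix table in place of the public suffix list and a constructed sample vault.

```javascript
// Added example: how the autofill scope policy decides which saved entries a
// script running on a given subdomain could trigger autofill for.
const KNOWN_SUFFIXES = new Set(['com', 'net', 'org', 'co.uk']); // constructed stand-in for the public suffix list

// Registrable domain = one label above the longest known public suffix.
function registrableDomain(host) {
  const labels = host.toLowerCase().split('.');
  for (let i = 1; i < labels.length; i++) {
    if (KNOWN_SUFFIXES.has(labels.slice(i).join('.'))) return labels.slice(i - 1).join('.');
  }
  return host.toLowerCase();
}

// policy 'subdomains': the default the article describes, any host under the same
// registrable domain is offered the credential. policy 'exact-origin': scheme,
// host and port must all match the origin the credential was saved on.
function shouldOfferCredential(savedOrigin, pageOrigin, policy) {
  const saved = new URL(savedOrigin), page = new URL(pageOrigin);
  if (page.protocol !== 'https:') return false;   // never fill into a plaintext page
  if (policy === 'exact-origin') return saved.origin === page.origin;
  if (policy === 'subdomains') return registrableDomain(saved.hostname) === registrableDomain(page.hostname);
  throw new Error(`unknown policy: ${policy}`);
}

// Usernames of every vault entry reachable from pageOrigin under the given policy,
// i.e. what an injected script on that host could cause to be filled.
function exposedEntries(vault, pageOrigin, policy) {
  return vault
    .filter(e => shouldOfferCredential(e.origin, pageOrigin, policy))
    .map(e => e.username);
}

const SAMPLE_VAULT = [ // constructed entries
  { origin: 'https://example.com',          username: 'alice@example.com' },
  { origin: 'https://accounts.example.com', username: 'alice-sso' },
  { origin: 'https://shop.example.co.uk',   username: 'alice-shop' },
  { origin: 'https://other.org',            username: 'alice-other' },
];

// Usage: an abandoned subdomain of example.com under each policy.
console.log(exposedEntries(SAMPLE_VAULT, 'https://forgotten.example.com', 'subdomains'));
console.log(exposedEntries(SAMPLE_VAULT, 'https://forgotten.example.com', 'exact-origin'));
```

With the subdomain policy, the abandoned host receives both the apex credential and the SSO credential; with exact-origin matching it receives nothing, which is the trade-off between convenience and the attack surface the article describes.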
While comprehensive fixes require action from extension developers, users can implement several protective measures. For Chromium-based browsers, security experts recommend configuring extension site access to “on click” rather than automatic access, giving users manual control over autofill functionality.
The research also highlights the importance of keeping password manager extensions updated, as several vendors have released patches following the disclosure.
Fix in progress
Users should verify they’re running the latest versions and consider disabling manual autofill features if available, though this may reduce convenience.
The discovery of these vulnerabilities underscores the evolving nature of web security threats and the need for continuous security research in browser extension ecosystems.
As password managers become increasingly central to digital security practices, ensuring their resilience against sophisticated client-side attacks becomes paramount for protecting millions of users’ sensitive data.