A recent security investigation has uncovered clickjacking vulnerabilities, unpatched at the time of disclosure, in eleven prominent password manager browser extensions, potentially exposing tens of millions of users. The flaws allow a malicious web page to extract sensitive information stored in the manager, including login credentials, credit card details, personal data, and two-factor authentication codes, by tricking the user into a single click on an ordinary-looking page element.
Introduction to the Vulnerabilities
Security researcher Marek Tóth has identified a novel attack method termed DOM-based Extension Clickjacking. Traditional clickjacking embeds the target site in an invisible iframe positioned over a decoy, so that a click intended for the decoy lands on the framed page. The DOM-based variant frames nothing: the attacker's own page manipulates its own Document Object Model (DOM), which includes the user interface elements a password manager extension injects into that page, rendering those elements invisible while they remain clickable.
Mechanism of the Attack
The attacking page uses JavaScript to set the opacity and position of the extension's injected UI (for example the autofill dropdown) so that it is not visible. Because browser hit-testing ignores opacity, the invisible element still receives clicks. The page then shows a seemingly benign element such as a cookie consent banner or CAPTCHA button exactly where the hidden extension UI sits. When the user clicks it, the click actually selects the extension's autofill entry, which fills the page's (hidden) form fields with the stored data; the page script then reads those fields and sends their contents to the attacker.
Scope of the Vulnerability
Tóth's analysis covered eleven widely used password managers: 1Password, Bitwarden, Dashlane, Enpass, iCloud Passwords, Keeper, LastPass, LogMeOnce, NordPass, Proton Pass, and RoboForm. All eleven were initially susceptible to at least one variant of the DOM-based Extension Clickjacking technique. Collectively, the affected extensions account for approximately 40 million active installations across the Chrome Web Store, Firefox Add-ons, and Edge Add-ons.
Specific Findings
– Credit Card Information Exposure: Six out of the nine password managers that store payment cards were vulnerable to attacks that could extract stored credit card details.
– Personal Information Leakage: Eight out of the ten managers that store personal data (identities, addresses) could be exploited to exfiltrate that information.
– Credential Theft: Ten out of eleven password managers were susceptible to attacks that steal login credentials, including Time-based One-Time Password (TOTP) codes when the manager also stores the second factor.
The denominators differ because not every manager offers every data type; each count is relative to the managers that support that feature.
Vendor Responses and Current Status
Following responsible disclosure to the vendors in April 2025, the status as of August 2025 is:
– Patched Applications: Dashlane, Keeper, NordPass, Proton Pass, and RoboForm have shipped fixes that mitigate the identified risks.
– Unpatched Applications: 1Password, Bitwarden, LastPass, iCloud Passwords, Enpass, and LogMeOnce remain vulnerable. These six extensions account for approximately 32.7 million active installations, leaving a significant user base at risk.
Implications and Challenges
The persistence of these vulnerabilities underscores the difficulty of securing browser extensions against client-side attacks. Traditional clickjacking defenses such as the X-Frame-Options header or the Content-Security-Policy frame-ancestors directive only control whether a site may be embedded in a frame. In this attack nothing is framed: the attacker's page is the top-level document, and the extension injects its UI directly into it, so no header set by a legitimate site applies. The defense therefore has to live in the extension itself, for instance by verifying that its injected UI is actually visible to the user before acting on a click.
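The following is an added example, not code from the research or from any password manager. It models the mechanism described above (hiding the extension's injected dropdown by styling it, an ancestor, or the root element) and the extension-side visibility check that would block it, using a small in-memory DOM model so it runs offline. The node structure, the 0.5 opacity threshold and the handler names are assumptions for illustration; in a real extension the same check would read getComputedStyle() on the element and its ancestors at click time.

```javascript
// Minimal in-memory DOM model (assumption: stands in for real elements and getComputedStyle).
function createNode(tag, style = {}) {
  // visibility is left undefined unless set, so CSS inheritance can be modelled below.
  return { tag, style: { opacity: 1, display: 'block', ...style }, children: [], parent: null };
}

function append(parent, child) {
  child.parent = parent;
  parent.children.push(child);
  return child;
}

function ancestorsAndSelf(node) {
  const chain = [];
  for (let n = node; n; n = n.parent) chain.push(n);
  return chain; // element first, root (<html>) last
}

// --- Attacker side: the page hides the extension UI but leaves it clickable -----------
// The page script cannot reach inside a closed shadow root, but it can style the host the
// extension injected, any ancestor of it, or <html>. Hit-testing ignores opacity, so the
// invisible dropdown still receives the click that the user aims at the decoy on top.
const HIDE_TECHNIQUES = {
  element: (ui) => { ui.style.opacity = 0; },
  parent:  (ui) => { ui.parent.style.opacity = 0; },
  root:    (ui) => { ancestorsAndSelf(ui).pop().style.opacity = 0; },
  partial: (ui) => { ui.style.opacity = 0.01; }, // survives a naive `opacity === 0` check
};

function hideExtensionUi(ui, technique) {
  HIDE_TECHNIQUES[technique](ui);
}

// --- Extension side: decide whether the injected UI is really visible ------------------
// CSS opacity is multiplicative: rendered opacity = product over the element and every ancestor.
function effectiveOpacity(node) {
  return ancestorsAndSelf(node).reduce((acc, n) => acc * Number(n.style.opacity), 1);
}

// `visibility` is inherited but can be overridden by a descendant: nearest explicit value wins.
function effectiveVisibility(node) {
  const explicit = ancestorsAndSelf(node).find((n) => n.style.visibility !== undefined);
  return explicit ? explicit.style.visibility : 'visible';
}

const MIN_VISIBLE_OPACITY = 0.5; // assumption: threshold, deliberately not a test for exactly 0

function isRenderedVisibly(node) {
  const chain = ancestorsAndSelf(node);
  if (chain.some((n) => n.style.display === 'none')) return false;
  if (effectiveVisibility(node) === 'hidden') return false;
  return effectiveOpacity(node) >= MIN_VISIBLE_OPACITY;
}

// Vulnerable handler: any click on the dropdown entry fills the form.
function naiveClickHandler(ui, fillForm) {
  fillForm();
  return 'autofilled';
}

// Hardened handler: refuse to fill unless the dropdown is visible at the moment of the click.
function hardenedClickHandler(ui, fillForm) {
  if (!isRenderedVisibly(ui)) return 'blocked: dropdown not visible';
  fillForm();
  return 'autofilled';
}

// --- Scenario: a decoy cookie banner over the extension's autofill entry ----------------
function buildPage() {
  const html = createNode('html');
  const body = append(html, createNode('body'));
  append(body, createNode('button'));                // decoy the user believes they click
  const host = append(body, createNode('div'));      // element the extension injected
  const dropdown = append(host, createNode('div'));  // the extension's autofill entry
  return { html, dropdown };
}

function runScenario(technique, handler) {
  const { dropdown } = buildPage();
  let formFilled = false;
  if (technique !== 'none') hideExtensionUi(dropdown, technique);
  const outcome = handler(dropdown, () => { formFilled = true; });
  return { technique, outcome, formFilled };
}

function compareHandlers() {
  const techniques = ['none', 'element', 'parent', 'root', 'partial'];
  return {
    naive: techniques.map((t) => runScenario(t, naiveClickHandler)),
    hardened: techniques.map((t) => runScenario(t, hardenedClickHandler)),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const r = compareHandlers();
  console.table([...r.naive.map((x) => ({ handler: 'naive', ...x })),
                 ...r.hardened.map((x) => ({ handler: 'hardened', ...x }))]);
}
```

The naive handler fills the form under every hiding technique; the hardened one fills only in the unmodified page. Note that the check must be re-run at click time rather than when the dropdown is first shown, because the page can change styles after the UI appears, and that comparing against an opacity threshold rather than exactly zero is what catches the `partial` variant.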
Attack Scenarios and Real-World Impact
The research outlines multiple attack scenarios with varying levels of complexity:
– Attacker-Controlled Websites: Any site the attacker operates can run the technique against data that is not tied to a particular domain, such as credit card details and personal information, without compromising any legitimate service.
– Subdomain Attacks: Login credentials are offered only on pages the manager associates with the stored site, so an attacker who finds a cross-site scripting (XSS) flaw in a subdomain of a legitimate site can run the same script there and have the credentials stored for that site filled in, affecting users who trust the main domain.
Recommendations for Users
Given the severity of these vulnerabilities, users are advised to take the following precautions:
1. Update Password Managers: Ensure that your password manager extension is updated to the latest version, and check the vendor's official communications for whether a fix for this issue has shipped; if it has not, consider disabling autofill in the extension and copying credentials from the manager manually until it does, since the attack depends on autofill being triggered by a click on the page.
2. Be Cautious of Unfamiliar Websites: Exercise caution when interacting with unfamiliar websites, especially those requesting clicks on elements such as consent banners or CAPTCHA challenges.
3. Monitor for Suspicious Activity: Regularly monitor your accounts for unauthorized access or unusual activity, and change passwords immediately if suspicious behavior is detected.
4. Enable Additional Security Measures: Use the additional protections your accounts and password manager offer. Note that biometric unlock of the vault does not stop this attack once the vault is unlocked, and a TOTP code stored in the manager can be filled just like a password; a hardware security key registered with the account itself is not autofillable and limits what a stolen password alone can do.
Conclusion
The discovery of DOM-based Extension Clickjacking vulnerabilities in major password managers highlights the evolving nature of cyber threats and the importance of continuous vigilance in cybersecurity practices. Users must stay informed about potential risks and take proactive steps to secure their digital information. Meanwhile, it is imperative for software vendors to prioritize the development and deployment of robust security measures to protect users from such sophisticated attacks.