Click Studios, the Australian company behind the enterprise password management solution Passwordstate, has recently released a security update to address a significant authentication bypass vulnerability. This flaw, which had not been assigned a Common Vulnerabilities and Exposures (CVE) identifier at the time of the update, was rectified in Passwordstate version 9.9 (Build 9972), made available on August 28, 2025.
The vulnerability in question allowed unauthorized access through a meticulously crafted URL targeting the Emergency Access page of Passwordstate. Recognizing the potential risks associated with this flaw, Click Studios acted promptly to develop and deploy a patch to safeguard its user base.
In addition to addressing the authentication bypass issue, the latest update introduces enhanced protections against clickjacking attacks on the Passwordstate browser extension. Clickjacking is a malicious technique where an attacker tricks a user into clicking on something different from what the user perceives, potentially leading to unauthorized actions or data exposure. These new safeguards are particularly pertinent in light of recent research by security expert Marek Tóth. Earlier in August 2025, Tóth unveiled a method known as Document Object Model (DOM)-based extension clickjacking, which has been found to affect several password manager browser add-ons. This technique can deceive users into inadvertently revealing sensitive information, including credit card details, personal data, login credentials, and Time-based One-Time Passwords (TOTPs).
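The article does not say what Click Studios' new extension safeguards consist of. As an added illustration (not Click Studios' or Passwordstate's code, and not Tóth's), the block below shows one common defensive check an extension content script could run before honouring a click on its own autofill prompt: since DOM-based extension clickjacking depends on the prompt being made transparent, hidden, off-screen or covered by page-controlled elements, the extension refuses to act unless the element is genuinely visible at the point the user clicked. The opacity threshold, the function names and the mock DOM objects are assumptions made for the example; the `document`/`window` objects are injected so the logic can be exercised outside a browser.

```javascript
// Added example (not Click Studios' or Passwordstate's code): a visibility
// check an extension could run before acting on a click on its autofill UI.
// Threshold and helper names are assumptions made for this illustration.

const MIN_VISIBLE_OPACITY = 0.9; // assumption: near-transparent UI counts as hidden

// Inspect `el` and its ancestors using the supplied document/window objects.
// Returns { safe, reasons } so the caller can log why a click was refused.
function assessClickSafety(el, doc, win) {
  const reasons = [];

  // 1. Style checks up the ancestor chain: a hidden or transparent ancestor
  //    hides the element even when its own style looks fine.
  for (let node = el; node && node.nodeType === 1; node = node.parentElement) {
    const cs = win.getComputedStyle(node);
    const tag = `<${node.tagName.toLowerCase()}>`;
    if (cs.display === 'none') reasons.push(`display:none on ${tag}`);
    if (cs.visibility === 'hidden') reasons.push(`visibility:hidden on ${tag}`);
    const opacity = parseFloat(cs.opacity);
    if (!Number.isNaN(opacity) && opacity < MIN_VISIBLE_OPACITY) {
      reasons.push(`opacity ${opacity} on ${tag}`);
    }
  }

  // 2. Geometry checks: the element needs a real box inside the viewport.
  const r = el.getBoundingClientRect();
  if (r.width <= 0 || r.height <= 0) {
    reasons.push('zero-size box');
  } else {
    const cx = r.left + r.width / 2;
    const cy = r.top + r.height / 2;
    if (cx < 0 || cy < 0 || cx > win.innerWidth || cy > win.innerHeight) {
      reasons.push('centre is outside the viewport');
    } else {
      // 3. Hit test: the topmost node at the centre must be the element itself
      //    (or one of its descendants), not a page-controlled overlay.
      const top = doc.elementFromPoint(cx, cy);
      if (top !== el && !(top && el.contains(top))) {
        reasons.push('obscured by another element at its centre');
      }
    }
  }
  return { safe: reasons.length === 0, reasons };
}

// Minimal stand-in for a DOM element so the check runs in plain Node.
function mockElement(tagName, style, rect, parent) {
  const el = {
    nodeType: 1, tagName, style, parentElement: parent || null,
    getBoundingClientRect: () => rect,
    contains(other) {
      for (let n = other; n; n = n.parentElement) if (n === el) return true;
      return false;
    },
  };
  return el;
}

// Constructed scenarios: a visible prompt, a prompt whose parent was faded to
// near-zero opacity, and a prompt covered by a page overlay.
function runScenarios() {
  const visibleStyle = { display: 'block', visibility: 'visible', opacity: '1' };
  const box = { left: 100, top: 100, width: 200, height: 40 };
  const win = { innerWidth: 1280, innerHeight: 800, getComputedStyle: (n) => n.style };
  const body = mockElement('BODY', visibleStyle, { left: 0, top: 0, width: 1280, height: 800 }, null);

  const prompt = mockElement('DIV', visibleStyle, box, body);
  const docOk = { elementFromPoint: () => prompt };

  const fadedParent = mockElement('DIV', { ...visibleStyle, opacity: '0.01' }, box, body);
  const fadedPrompt = mockElement('DIV', visibleStyle, box, fadedParent);
  const docFaded = { elementFromPoint: () => fadedPrompt };

  const overlay = mockElement('DIV', visibleStyle, box, body);
  const coveredPrompt = mockElement('DIV', visibleStyle, box, body);
  const docCovered = { elementFromPoint: () => overlay };

  return {
    visible: assessClickSafety(prompt, docOk, win),
    faded: assessClickSafety(fadedPrompt, docFaded, win),
    covered: assessClickSafety(coveredPrompt, docCovered, win),
  };
}
```

In a real content script the injected objects would simply be `document` and `window`, and a refused click would be surfaced to the user rather than silently ignored. The check is a heuristic: it does not cover every way a page can disguise an element, which is why extensions typically combine it with requiring an explicit user gesture inside extension-controlled UI before any secret is filled.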
Click Studios’ proactive measures underscore its commitment to security, especially considering its extensive user base. The company reports that Passwordstate is utilized by 29,000 customers and 370,000 security and IT professionals worldwide. This clientele spans various sectors, including global enterprises, government agencies, financial institutions, and Fortune 500 companies.
This recent update is part of Click Studios’ ongoing efforts to fortify Passwordstate against potential threats. Over the past few years, the company has faced and addressed multiple security challenges. Notably, in April 2021, Click Studios experienced a supply chain attack where malicious actors compromised the software’s update mechanism. This breach allowed attackers to deploy malware capable of harvesting sensitive information from affected systems. The incident highlighted the critical importance of securing software supply chains and prompted the company to implement more stringent security protocols.
Further emphasizing its dedication to security, Click Studios addressed several vulnerabilities in December 2022. Among these was an authentication bypass flaw in Passwordstate’s API, identified as CVE-2022-3875 with a Common Vulnerability Scoring System (CVSS) score of 9.1. This particular vulnerability could have been exploited by unauthenticated remote attackers to access users’ plaintext passwords. The company responded by releasing updates to mitigate these risks and enhance the overall security posture of Passwordstate.
The recent updates and patches reflect Click Studios’ ongoing commitment to providing a secure password management solution for its diverse user base. By promptly addressing vulnerabilities and implementing additional security measures, the company aims to maintain the trust and confidence of its customers in an increasingly complex cybersecurity landscape.