In a recent study presented at the DEF CON conference, security researcher Marek Tóth unveiled that numerous popular password managers are susceptible to clickjacking attacks, potentially leading to the unauthorized extraction of sensitive user information. The research specifically examined browser extensions associated with 1Password, Bitwarden, Dashlane, Enpass, Keeper, LastPass, LogMeOnce, NordPass, ProtonPass, RoboForm, and Apple’s iCloud Passwords.
Collectively, these extensions boast nearly 40 million active installations across Chrome, Edge, and Firefox browsers, underscoring the widespread impact of the identified vulnerabilities.
Understanding Clickjacking
Clickjacking is a deceptive technique where attackers overlay transparent or disguised elements over legitimate webpage components. This manipulation tricks users into interacting with hidden malicious elements, leading to unintended actions such as data theft or unauthorized transactions.
Exploitation of Password Managers
Tóth’s research demonstrated how attackers can exploit the Document Object Model (DOM) within browsers to manipulate user interface elements injected by password manager extensions. By leveraging the autofill functionality, malicious actors can extract a range of sensitive data, including personal details, usernames, passwords, passkeys, and payment card information.
The attacks varied in complexity, requiring between zero to five user interactions, with many necessitating just a single click on a seemingly innocuous element. Notably, some single-click attacks exploited existing vulnerabilities like Cross-Site Scripting (XSS).
Technical Mechanism
The DOM serves as an object-oriented representation of web pages, enabling dynamic content manipulation through scripting languages like JavaScript. In these attacks, malicious scripts alter the DOM to render extension-injected elements invisible or reposition them, deceiving users into interacting with concealed malicious components.
Vendor Responses and Mitigation Efforts
Following the disclosure, several vendors have initiated measures to address these vulnerabilities. Bitwarden announced a forthcoming fix in version 2025.8.0, while LogMeOnce acknowledged the issue and is actively developing a security update.
Representatives from 1Password and LastPass provided insights into the challenges of mitigating clickjacking. Jacob DePriest, CISO at 1Password, highlighted the inherent difficulties due to the way browsers render webpages, suggesting that a comprehensive technical solution may be elusive. Instead, 1Password plans to enhance user control by introducing confirmation alerts for autofill actions, extending beyond payment information to other data types.
Alex Cox, Director of Threat Intelligence at LastPass, emphasized the delicate balance between user experience and security. LastPass has implemented safeguards like pop-up notifications before autofilling sensitive information and is exploring additional protective measures. Users are advised to remain vigilant, avoid interacting with suspicious overlays, and ensure their extensions are up to date.
Broader Implications and Preventative Measures
The findings underscore the persistent threat posed by clickjacking, a technique that has been exploited in various contexts over the years. To mitigate such risks, organizations and individuals can adopt several strategies:
1. Browser Protections: Utilize browser plugins like NoScript or NotScript, which prompt users to allow JavaScript actions on sites they visit, thereby reducing the risk of malicious scripts executing without consent.
2. X-Frame-Options Header: Implement the HTTP X-Frame-Options header to prevent your website from being embedded in iframes, a common method used in clickjacking attacks.
3. Web Application Firewalls (WAFs): Deploy WAFs to monitor and filter HTTP traffic, blocking malicious requests that could exploit vulnerabilities.
4. Email Security: Strengthen email filters to prevent phishing attempts that may lead users to malicious sites designed for clickjacking.
By adopting these measures, users and organizations can enhance their defenses against clickjacking and similar attack vectors.
