A reliable password manager is an important and genuinely useful part of your cybersecurity toolkit, alongside a VPN and antivirus software. However, nothing is immune to vulnerabilities.
A clickjacking attack could be used to steal data from several password managers through their autofill settings, as demonstrated at Defcon 33 by Czech Republic-based security researcher Marek Tóth. This exploit only works against password manager browser extensions, not desktop or mobile apps.
A clickjacking attack could capture credit card information, personal data, usernames and passwords, passcodes, or time-based one-time passwords.
Here's what you need to know, including how the vulnerability works, which password managers are currently susceptible, and what you can do to stay safe.
Web-based clickjacking attack could be used to capture sensitive data from password managers
Clickjacking is an attack that relies on a user performing an action, such as clicking a button, in the belief that they are doing one thing when in fact they are doing another. For example, you may see a button on a website that encourages you to download a plugin or firmware update, but instead of downloading what's promised, it actually sends you to a web page or application controlled by an attacker.
Clickjacking can be used to capture your data, such as usernames, passwords, and banking information.
According to Tóth's research, some password managers are susceptible to an exploit: if you unknowingly click on a web element that's part of an attacker's clickjacking scheme, your usernames, passwords, and even banking information could be shared.
For example, you might click on what you think is an innocent CAPTCHA, and when you solve the clickjacked CAPTCHA, your password manager starts autofill, selects all saved items, and sends that data to an attacker. But as Tóth demonstrated, you won't see your password manager's autofill start, because the attacker's website has set the opacity so that your password manager's windows are invisible to you.
This is actually not a password manager-specific vulnerability, but rather a web-based attack.
While Tóth demonstrated how an attack based on the Document Object Model, or DOM, could be used to execute malicious code in your browser, it's technically a web-based attack that websites and browsers are susceptible to, not a vulnerability unique to password managers.
Tóth offers possible solutions to mitigate the vulnerability, stating that "the safest solution is to show a new pop-up window" when it autofills, although he admits that "that would be very inconvenient for users."
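The two points above, a hidden autofill UI (the attacker page turns the opacity down so the dropdown is invisible) and a confirmation prompt as the mitigation, can be combined into a pre-fill check. The following is an added example, not code from the article or from any password manager vendor: it assumes the extension injects its dropdown as an ordinary DOM node whose ancestors it can inspect, and it uses a stand-in for `window.getComputedStyle` so that it runs under Node without a browser; the element model, the data classes and the opacity threshold are constructed for illustration.

```javascript
// Constructed stand-in for a DOM element: a tag name, the styles declared on it,
// and a parent pointer. In a real extension these would be real Elements.
function makeElement(tag, style = {}, parent = null) {
  return { tag, style, parentElement: parent };
}

// Stand-in for window.getComputedStyle: browser defaults, then the element's own
// declarations. Inside an extension, pass the real function instead.
function computedStyle(el) {
  return { opacity: "1", visibility: "visible", display: "block", ...el.style };
}

// Walk from the injected dropdown up to the document root. If any ancestor
// renders the subtree invisible (opacity at or near 0, visibility hidden,
// display none), the user cannot see the autofill UI they are about to
// "interact" with, which is the condition the hidden-overlay attack relies on.
// The 0.1 opacity threshold is an assumption; near-zero values hide the UI just
// as well as exactly 0, so a strict equality check would be too weak.
function findHidingAncestor(el, getStyle = computedStyle) {
  for (let node = el; node !== null; node = node.parentElement) {
    const s = getStyle(node);
    const opacity = Number.parseFloat(s.opacity);
    if (Number.isNaN(opacity) || opacity < 0.1) {
      return { tag: node.tag, reason: `opacity ${s.opacity}` };
    }
    if (s.visibility === "hidden") return { tag: node.tag, reason: "visibility hidden" };
    if (s.display === "none") return { tag: node.tag, reason: "display none" };
  }
  return null;
}

// Data classes that always get an explicit prompt, mirroring the article:
// payment data already prompts in some managers, and the prompt is being
// extended to other classes. Login credentials fill directly only when the
// UI is demonstrably visible.
const CONFIRM_CLASSES = new Set(["payment", "identity", "totp"]);

function autofillDecision(dropdown, dataClass, getStyle = computedStyle) {
  const hidden = findHidingAncestor(dropdown, getStyle);
  if (hidden !== null) {
    return { action: "block", reason: `autofill UI hidden by <${hidden.tag}>: ${hidden.reason}` };
  }
  if (CONFIRM_CLASSES.has(dataClass)) {
    return { action: "confirm", reason: `${dataClass} data requires an explicit prompt` };
  }
  return { action: "fill", reason: "autofill UI visible; login credentials" };
}

// Constructed scenarios. "hidden": a wrapper div with opacity 0 contains the
// extension's dropdown, so it is invisible yet still receives clicks.
// "visible": the same tree without the opacity rule.
function buildScenario(kind) {
  const html = makeElement("html");
  const body = makeElement("body", {}, html);
  const wrapper = kind === "hidden"
    ? makeElement("div", { opacity: "0" }, body)
    : makeElement("div", {}, body);
  return makeElement("div", { display: "block" }, wrapper); // the injected dropdown
}

// Expected: block on the hidden page, confirm for payment data, fill for logins.
function demo() {
  return {
    hiddenPage: autofillDecision(buildScenario("hidden"), "login").action,
    honestLogin: autofillDecision(buildScenario("visible"), "login").action,
    honestPayment: autofillDecision(buildScenario("visible"), "payment").action,
  };
}

console.log(demo());
```

The check is deliberately conservative: it refuses to fill at all when its own UI is not visibly rendered, and it prompts for the higher-value data classes even when it is. A real extension would additionally need to re-run the check at the moment of the click, since styles can change between injection and interaction.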
There is currently some debate about the best way to handle the situation. 1Password CISO Jacob DePriest shared an email statement with CNET, noting that copying and pasting passwords can present other risks and that the company is focused on addressing them.
"We take this and all security concerns seriously, and our approach to this particular risk is to focus on giving customers more control. 1Password already requires confirmation before automatically filling payment information. Our next release, already shipped and under review by browser extension stores, extends that protection so users can choose to enable confirmation alerts for other types of data. This helps users stay informed when autofill occurs and in control of their data," DePriest said.
Clickjacking isn't a new threat to password manager browser extensions, and copying and pasting credentials like usernames or passwords can be a cybersecurity risk in itself. For example, you may have been compromised by a keylogger, which logs your keystrokes and can capture information that you copy and paste, or you might accidentally paste your password somewhere unwanted.
Several password managers have begun offering full or partial patches to address potential browser plugin vulnerabilities. As of this writing, NordPass, ProtonPass, RoboForm, Keeper, Dashlane, Enpass, 1Password, Bitwarden, and LastPass have implemented or begun implementing full or partial fixes.
Bitwarden told CNET via email that its version 2025.8.0, which is rolling out now to browser stores, includes the core fix. The team is also preparing another update (2025.8.1) to mitigate risk in other scenarios. "As always, the most effective protections remain what they've always been: staying alert for suspicious URLs, avoiding malicious websites, and staying alert against phishing campaigns," a Bitwarden representative said.
For its part, LastPass has implemented certain security measures against clickjacking, including a pop-up notification that appears before automatically filling in credit card and personal information on all sites. Alex Cox, director of threat intelligence, mitigation and escalation at LastPass, told CNET via email that the company is committed to exploring ways to further protect users. "In the meantime, our Threat Intelligence, Mitigation, and Escalation (TIME) team encourages all password manager users to remain vigilant, avoid interacting with suspicious overlays or pop-ups, and keep their LastPass extensions up to date."
iCloud Passwords reportedly has fixes in progress.
These are the versions you should use:
- NordPass: 5.13.24 or later
- ProtonPass: 1.31.6 or later
- RoboForm: 9.7.6 or later
- Keeper: 17.2.0 or later
- Dashlane:
- Bitwarden: 2025.8.0 or later (core fix), 2025.8.1 or later (additional mitigations)
- Enpass: 6.11.6 or later
- 1Password: 8.11.7.2 or later (8.11.7 in the Apple Store)
Here's what you can do to stay safe
Several password managers have already taken action, with full or partial mitigations implemented (or in the process of being implemented) by NordPass, ProtonPass, Keeper, RoboForm, Bitwarden, Dashlane, Enpass, 1Password and LastPass. But you'll want to make sure you're using the latest version of each browser extension to ensure you have the patch installed.
If you're concerned, you can use your password manager's mobile or desktop app instead of the browser add-on: clickjacking is a web-based attack, meaning only web extensions are vulnerable. So if your password manager hasn't yet provided a fix for the browser add-on, you can still safely use the mobile or desktop app.
Because clickjacking isn't an attack exclusive to password managers, you'll want to exercise logic and caution. Be wary of pop-ups, banner ads, and CAPTCHAs, especially if they look suspicious. You can try hovering over elements on the page without clicking; the bottom of your web browser window should show you the link waiting for you, so you can see whether it looks legitimate.
Since the clickjacking attack relies on autofill, you can disable the autofill settings of your password manager browser extension and copy and paste your various account credentials instead. That way, if you are the victim of a clickjacking attack that attempts to automatically fill in your password manager data, it may not be successful.
But copying and pasting can leave you vulnerable if you have been compromised by a keylogger. You might even accidentally send someone your username, password, or other information because you forgot what you last copied.
If you're concerned that your passwords have been compromised, you can create new ones. Most password managers include password generators, but if you prefer to create your own, I recommend that you follow the recommendations from the US Cybersecurity and Infrastructure Security Agency so that your passwords are at least 16 characters long, including a mix of letters, numbers, and special characters.
In addition to a password manager, you should use a VPN when you have privacy concerns, such as hiding your web browsing and app activity from your ISP, as well as antivirus software. Many VPNs and antivirus apps include blockers for ads, trackers, and pop-ups, which can help protect against malicious sites or links.
You can often bundle cybersecurity software to get a convenient package, although bundling has advantages and disadvantages. While we generally advise against many free services, we do recommend select free VPNs and antivirus software.
While I don't think you should panic and abandon ship, if you're really worried you can always switch to a password manager that has implemented a patch, or simply use desktop and mobile apps instead of browser add-ons.
To learn more, read about why you should use a password manager and how to set one up.