DOM-Based Clickjacking Threatens Major Password Managers, Exposing User Credentials and Data

Published: Aug 20, 2025 · Ravie Lakshmanan · Vulnerability / Browser Security

# Password Manager Vulnerabilities Exposed

Recent findings have unveiled significant security vulnerabilities in popular password manager extensions used in web browsers. These weaknesses can potentially lead to the theft of sensitive information, including account credentials, two-factor authentication (2FA) codes, and credit card details.

## Clickjacking Technique Uncovered

The vulnerabilities were highlighted by independent security researcher Marek Tóth at the DEF CON 33 security conference. He introduced a technique known as Document Object Model (DOM)-based extension clickjacking. Tóth explained that an attacker could craft a malicious web page on which a single click from the user is enough for the page to capture sensitive data, ranging from credit card numbers to login credentials.

## Understanding Clickjacking

Clickjacking, often termed UI redressing, is a deception method that tricks users into performing actions on a website that appear harmless. For example, users might think they are closing a pop-up window when, in fact, they are executing an action designated by the attacker.

Tóth’s research demonstrated how this was possible by employing malicious scripts that manipulate user interface elements injected into the Document Object Model by browser extensions. By rendering crucial prompts, like auto-fill requests, invisible through opacity adjustments, attackers can easily hijack user interactions.

## Vulnerable Password Managers

The investigation focused on 11 widely-used password manager extensions, including notable names such as 1Password, Bitwarden, and Apple’s iCloud Passwords. Each of these extensions is utilized by millions of individuals, thereby amplifying the potential impact of the vulnerabilities.

## The Mechanics of the Attack

To carry out the attack, a malicious actor simply needs to create a deceptive website featuring an intrusive pop-up—such as a login prompt or cookie consent banner. When a user inadvertently clicks to dismiss this pop-up, their password manager could auto-fill sensitive information, which is then sent to an attacker-controlled server.

Tóth also noted that many password managers auto-fill credentials not only on a site's main domain but on all of its subdomains. Because of this broader matching, an attacker who finds a cross-site scripting vulnerability on any one subdomain could use it to obtain the credentials stored for the whole site. His findings showed concerning statistics: 10 out of 11 password managers could have their stored data compromised with a single click, and 9 out of 11 could potentially leak two-factor authentication codes.
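The defensive counterpart to the technique described above, as an added example that is not code from the article or from any of the password manager vendors it names: a check an extension content script could run before treating a click on UI it injected into the page DOM (an auto-fill prompt, for instance) as a genuine user interaction. Since the attack works by rendering the prompt invisible through opacity and placing a decoy under the pointer, the check refuses to act when the prompt is not actually visible or is not the element the pointer is over. The function names, the opacity threshold, and the sample DOM (plain objects standing in for elements) are all assumptions constructed for the example; in a browser the style getter would be `window.getComputedStyle`, the parent walk `parentElement`, and the hit target `document.elementFromPoint`.

```javascript
// Added example, not code from the article or from any password manager vendor:
// a defensive check an extension content script could run before treating a
// click on UI it injected into the page DOM (an auto-fill prompt, say) as a
// genuine user interaction. All names, the threshold and the sample DOM below
// are constructed for the example.

const MIN_EFFECTIVE_OPACITY = 0.9; // assumed threshold: the prompt must be essentially opaque

// Walk from `node` to the root, collecting each node's computed style.
// In a browser: collectStyleChain(el, window.getComputedStyle, n => n.parentElement)
function collectStyleChain(node, getStyle, parentOf) {
  const chain = [];
  for (let n = node; n; n = parentOf(n)) chain.push(getStyle(n));
  return chain;
}

// Reasons the prompt is not genuinely visible; an empty list means it is.
// Opacity multiplies down the tree, so the product over all ancestors is what
// the user actually sees, even when the prompt's own opacity is 1.
function hiddenReasons(styleChain) {
  const reasons = [];
  let effectiveOpacity = 1;
  styleChain.forEach((style, depth) => {
    if (style.display === 'none') reasons.push(`display:none at depth ${depth}`);
    const o = Number(style.opacity === undefined ? 1 : style.opacity);
    if (!Number.isNaN(o)) effectiveOpacity *= Math.min(Math.max(o, 0), 1);
  });
  // visibility is inherited and already resolved in the element's own computed
  // style, so only depth 0 needs checking.
  const own = styleChain[0] || {};
  if (own.visibility === 'hidden' || own.visibility === 'collapse') {
    reasons.push(`visibility:${own.visibility}`);
  }
  if (effectiveOpacity < MIN_EFFECTIVE_OPACITY) {
    reasons.push(`effective opacity ${effectiveOpacity.toFixed(2)} below ${MIN_EFFECTIVE_OPACITY}`);
  }
  return reasons;
}

// True when the element under the pointer is the prompt or one of its descendants.
// In a browser the hit target comes from document.elementFromPoint(x, y).
function pointerIsOnPrompt(prompt, hitTarget, parentOf) {
  for (let n = hitTarget; n; n = parentOf(n)) if (n === prompt) return true;
  return false;
}

// Decide whether a click should be honoured. Both conditions must hold: the
// prompt is visible, and it is what the pointer is actually over.
function shouldHonorClick(prompt, hitTarget, getStyle, parentOf) {
  const reasons = hiddenReasons(collectStyleChain(prompt, getStyle, parentOf));
  if (!pointerIsOnPrompt(prompt, hitTarget, parentOf)) {
    reasons.push('pointer is over a different element, not the prompt');
  }
  return { honor: reasons.length === 0, reasons };
}

// --- Constructed sample DOM (plain objects standing in for elements) ---
function makeNode(name, style, parent = null) {
  return { name, style, parent };
}
const parentOf = (n) => n.parent;
const getStyle = (n) => n.style;

const body = makeNode('body', { opacity: '1' });
// Honest case: prompt attached to body, fully visible.
const visiblePrompt = makeNode('pm-prompt', { opacity: '1' }, body);
// Hidden case: the prompt's own opacity is 1, but it sits inside a transparent wrapper.
const transparentWrapper = makeNode('div.wrapper', { opacity: '0' }, body);
const hiddenPrompt = makeNode('pm-prompt', { opacity: '1' }, transparentWrapper);
// Overlay case: the prompt is visible, but a page element is what the pointer is over.
const decoyBanner = makeNode('div.cookie-banner', { opacity: '1' }, body);

function demo() {
  return {
    honest: shouldHonorClick(visiblePrompt, visiblePrompt, getStyle, parentOf),
    hidden: shouldHonorClick(hiddenPrompt, hiddenPrompt, getStyle, parentOf),
    overlay: shouldHonorClick(visiblePrompt, decoyBanner, getStyle, parentOf),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Checking the opacity product over the whole ancestor chain is the part that matters: a prompt whose own computed opacity is 1 still reads as invisible when a page-controlled ancestor has opacity 0. The hit-target check covers the other half of the trick, a decoy element positioned where the user clicks. Neither check replaces rendering the prompt outside the page's DOM (for example in extension-owned UI the page cannot style), but they are cheap to run on every click.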

## Vendor Response and Recommendations

After the vulnerabilities were disclosed responsibly to the concerned parties, six of the affected vendors still had not provided fixes for the issues identified:

- 1Password (Version 8.11.4.27)
- Apple iCloud Passwords (Version 3.1.25)
- Bitwarden (Version 2025.7.0)
- Enpass (Version 6.11.6)
- LastPass (Version 4.146.3)
- LogMeOnce (Version 7.12.4)

Socket, a software supply chain security firm, reviewed these vulnerabilities and confirmed that Bitwarden, Enpass, and iCloud Passwords were actively working on solutions. On the other hand, 1Password and LastPass categorized the findings as informative. Socket has also reached out to US-CERT in hopes of securing Common Vulnerabilities and Exposures (CVE) identifiers for the identified concerns.

While awaiting vendor fixes, users are strongly advised to disable the auto-fill functionality in their password managers as a precautionary measure. Instead, manually copying and pasting sensitive data can help safeguard personal information during this period.

## Practical Security Enhancements

For those using Chromium-based browsers, Tóth suggested configuring site access settings to ‘on click’ within extension options. This adjustment grants users greater control over when their password managers auto-fill credentials, reducing the risk of unintentional data leakage.

By taking these recommended precautions and remaining vigilant, users can better protect their sensitive information in light of these emerging cybersecurity threats.
