DOM-Based Clickjacking: A Serious Threat to User Data


Understanding the Threat of DOM-Based Extension Clickjacking

In recent discussions about online security, a new vulnerability has emerged, termed DOM-based extension clickjacking. The technique poses a significant risk to users who rely on browser-based password managers to protect sensitive information such as login credentials, credit card numbers, and time-based one-time passwords (TOTP). The crux of the issue is how easily a single deceptive click can lead to a comprehensive data compromise.

What is DOM-Based Extension Clickjacking?

Security researcher Marek Tóth introduced DOM-based extension clickjacking at DEF CON 33, held in August. His findings revealed that attackers could manipulate the Document Object Model (DOM) elements supplied by password manager extensions to their advantage.

The attack works by hiding the legitimate autofill interface with CSS, for example by setting opacity: 0 on it or positioning it out of view. The attacker then overlays bogus user interface elements, such as a fake cookie consent dialog, to lure the user into clicking. That seemingly harmless click lands on the hidden autofill element instead, triggering the autofill process and letting the attacker capture the data without the user's knowledge.

Scope and Significance of the Attack

The impact of this vulnerability was tested across 11 popular password manager extensions, with concerning results:

  • Credential theft was effective in 10 out of 11 cases.
  • Credit card information, including CVV numbers, could be extracted from 6 out of 9 tested managers.
  • Personal data exfiltration was achievable in 8 out of 10 instances.
  • Authentication using passkeys was compromised in 8 of the 11 extensions.

This raises alarms for approximately 40 million potential users worldwide, as reflected in the download statistics from major browser stores. Notably, the threat is not limited to Chromium-based browsers; other browser families are affected as well.

Mechanics of the Exploit

This attack unfolds in a series of carefully orchestrated steps:

  1. User Interaction Hijacking: The attacker presents a false UI overlay, such as a cookie consent box, to the victim, luring them into interacting with it.

  2. Bypassing Overlay Protections: The malicious overlay is designed with the CSS property pointer-events: none, allowing user clicks to slip through to the autofill elements beneath.

  3. Fake Form Injection: Autocomplete fields are positioned beneath the user's cursor, and a JavaScript handler captures the autofilled information through onchange events or by logging it to the browser console.

  4. Mouse Tracking: The exploit includes dynamically tracking the user’s mouse position to ensure that fake inputs align seamlessly with real user actions, enhancing the effectiveness of the attack.

Remarkably, in some scenarios, sensitive login details and personal information were pilfered with just two clicks. The danger is amplified because the technique can bypass domain restrictions: if a vulnerable page exists on a subdomain, it may be used to steal information belonging to the main domain.

Even passkeys, often viewed as secure due to their domain binding, are not immune. Tóth noted vulnerabilities in implementations by various providers such as SK Telecom and Hanko, where hijacking was possible through similar methods.

Responses from Vendors

In response to this significant security threat, several vendors acted upon a responsible disclosure notice received in April 2025, issuing patches to address the vulnerability. Notable updates include:

  • Fixed: Dashlane, NordPass, Keeper, ProtonPass, RoboForm.
  • Still Vulnerable (as of August 2025): 1Password, Bitwarden, Enpass, iCloud Passwords, LastPass, LogMeOnce.

While some companies like Bitwarden and Enpass are reportedly working on fixes, both 1Password and LastPass have categorized this vulnerability as “informative,” indicating a lack of urgency in addressing the issue.

To mitigate the risks associated with DOM-based extension clickjacking, users are advised to disable autofill, restrict extension permissions to "on click," and consider using standalone password managers. Developers are encouraged to adopt protective measures such as closed shadow DOMs and mutation observer techniques; however, no universal fix has been established yet. This vulnerability illustrates a growing class of threats that requires prompt attention from users and developers alike.
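The developer-side mitigations above amount to one rule: an extension should not act on a click on its own autofill UI unless that UI is genuinely visible to the user. The following is an added example (not code from the article, from Marek Tóth, or from any password manager vendor) of such a gate, written as a plain function so it runs under Node. It checks the three conditions the described attack relies on: the dropdown or one of its ancestors has been made invisible (display, visibility, or opacity near 0), the dropdown's box has been pushed off-screen or collapsed, and the element hit-tested at the click point is something other than the dropdown. The DOM nodes are hand-built stand-ins; in an extension you would pass real elements together with window.getComputedStyle, el.getBoundingClientRect() and document.elementFromPoint. The OPACITY_FLOOR threshold and the reason labels are assumptions of this example.

```javascript
// Added example, not the article's or any vendor's code: a visibility gate an
// extension could run before honoring a click on its own autofill dropdown.
// Refuses autofill when any condition the described attack relies on holds:
//   1. the dropdown or an ancestor (across the shadow boundary) is invisible;
//   2. the dropdown's box lies outside the viewport or has no size;
//   3. the element hit-tested at the click point is not the dropdown.
// DOM nodes below are hand-built stand-ins so this runs under Node.

const OPACITY_FLOOR = 0.05; // assumption: anything fainter is treated as hidden

// Parent across the shadow boundary. In a real DOM, when parentElement is null
// inside a shadow tree, node.getRootNode().host is the next ancestor.
function parentOf(node) {
  return node.parentElement || node.shadowHost || null;
}

// Walk from the dropdown up to the document root; any hidden ancestor hides it.
function hiddenByStyleChain(el, getStyle) {
  for (let node = el; node; node = parentOf(node)) {
    const s = getStyle(node);
    if (s.display === 'none' || s.visibility === 'hidden') return true;
    if (parseFloat(s.opacity) < OPACITY_FLOOR) return true;
  }
  return false;
}

function outsideViewport(rect, viewport) {
  if (rect.width === 0 || rect.height === 0) return true;
  return rect.right <= 0 || rect.bottom <= 0 ||
         rect.left >= viewport.width || rect.top >= viewport.height;
}

// Whatever the browser hit-tests at the click must be the dropdown or inside it.
function coveredAtPoint(el, x, y, elementFromPoint) {
  for (let node = elementFromPoint(x, y); node; node = parentOf(node)) {
    if (node === el) return false;
  }
  return true;
}

function autofillAllowed(dropdown, click, env) {
  const reasons = [];
  if (hiddenByStyleChain(dropdown, env.getStyle)) reasons.push('hidden-by-style');
  if (outsideViewport(dropdown.getBoundingClientRect(), env.viewport)) reasons.push('off-screen');
  if (coveredAtPoint(dropdown, click.x, click.y, env.elementFromPoint)) reasons.push('covered');
  return { allowed: reasons.length === 0, reasons };
}

// --- Constructed stand-in page: body > wrapper (page-controlled) > host
// (the extension's shadow host) > dropdown (inside the closed shadow root). ---
const VISIBLE = { display: 'block', visibility: 'visible', opacity: '1' };

function buildScenario({ wrapperOpacity = '1', rectLeft = 100, overlay = false } = {}) {
  const body = { id: 'body', parentElement: null, style: VISIBLE };
  const wrapper = { id: 'wrapper', parentElement: body, style: { ...VISIBLE, opacity: wrapperOpacity } };
  const host = { id: 'host', parentElement: wrapper, style: VISIBLE };
  const dropdown = {
    id: 'dropdown', parentElement: null, shadowHost: host, style: VISIBLE,
    getBoundingClientRect: () => ({
      left: rectLeft, top: 200, right: rectLeft + 200, bottom: 260, width: 200, height: 60,
    }),
  };
  // A page element that still receives pointer events and sits on top of the dropdown.
  const fakeConsent = { id: 'fake-consent', parentElement: body, style: VISIBLE };
  const env = {
    viewport: { width: 1280, height: 800 },
    getStyle: (node) => node.style,
    elementFromPoint: () => (overlay ? fakeConsent : dropdown),
  };
  return { dropdown, env };
}

function runScenario(opts) {
  const { dropdown, env } = buildScenario(opts);
  return autofillAllowed(dropdown, { x: 150, y: 230 }, env);
}

console.log(runScenario());                         // { allowed: true, reasons: [] }
console.log(runScenario({ wrapperOpacity: '0' }));  // reasons: [ 'hidden-by-style' ]
console.log(runScenario({ rectLeft: -9999 }));      // reasons: [ 'off-screen' ]
console.log(runScenario({ overlay: true }));        // reasons: [ 'covered' ]
```

Two caveats matter in practice. The style-chain walk is what catches the opacity: 0 case the article describes, and it must cross the shadow boundary, because the page controls every ancestor of the extension's shadow host even when the dropdown itself lives in a closed shadow root. The hit-test check, by contrast, cannot see an overlay styled with pointer-events: none, since the browser's hit testing skips such elements; that is exactly why the attack uses that property. For occlusion-aware checks, Chromium's IntersectionObserver v2 (the trackVisibility option and entry.isVisible) reports whether an element is actually painted unobscured, and a MutationObserver on the host's ancestors can re-run the gate whenever the page changes their styles. Support for IntersectionObserver v2 in other browsers should be verified before relying on it.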
