Password manager browser extensions found vulnerable to clickjacking attacks

A new security flaw could let attackers steal login credentials, credit card data, and two-factor codes from millions of users with a single click.

What happened

Independent researcher Marek Tóth has uncovered a vulnerability in popular password manager browser extensions that makes them susceptible to a type of clickjacking attack. The flaw, dubbed DOM-based extension clickjacking, was presented earlier this month at DEF CON 33. The vulnerability allows an attacker-controlled website to trick users into unintentionally triggering an auto-fill event, which could expose stored information including usernames, passwords, 2FA codes, and even credit card numbers.

Going deeper

Clickjacking, or UI redressing, is a well-known technique where attackers manipulate a website’s interface to get users to click on hidden elements. In this case, the attack targets browser extensions that inject auto-fill elements into the Document Object Model (DOM). Malicious scripts can make these elements invisible by setting their opacity to zero, while overlaying fake pop-ups or banners to draw the user’s click.
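
The mitigation side of the mechanism described above, as an added example written for this page (it is not code from the researcher or from any of the password managers named): a visibility guard that an extension content script could run before it honours a click on an auto-fill element it has injected into the page DOM. The render state is captured into a plain snapshot object so the policy can be exercised outside a browser; the snapshot layout, the element ids (`pm-autofill-menu` and similar) and the thresholds are assumptions made for the example.

```javascript
// Added defensive example (not from any password manager named in the article).
// Policy: refuse an auto-fill click when the injected element or any ancestor has
// been made transparent or hidden, when the event was synthesised by page script,
// when the element is off-screen or too small to be a deliberate target, or when
// hit-testing shows another node sitting between the user and the element.

const MIN_OPACITY = 0.99; // anything lower is treated as hidden from the user
const MIN_SIZE_PX = 12;   // a smaller box cannot be a deliberate click target

// snapshot fields (assumed layout for this example):
//   targetId   - id of the extension's own element
//   isTrusted  - MouseEvent.isTrusted (false for script-dispatched clicks)
//   styleChain - computed style of the target and each ancestor, innermost first
//   rect       - target's bounding box in viewport coordinates
//   viewport   - { width, height }
//   hitPath    - ids from document.elementFromPoint(x, y) up to the root
function evaluateAutofillClick(snapshot) {
  const { targetId, isTrusted, styleChain, rect, viewport, hitPath } = snapshot;

  if (!isTrusted) return { allow: false, reason: 'untrusted-event' };

  // opacity:0 on the element itself is the trick the article describes; an
  // ancestor at opacity:0 hides the element just as well, so walk the whole chain.
  for (const s of styleChain) {
    if (s.display === 'none' || s.visibility === 'hidden') {
      return { allow: false, reason: 'hidden' };
    }
    if (Number(s.opacity) < MIN_OPACITY) {
      return { allow: false, reason: 'transparent' };
    }
  }

  const onScreen = rect.x >= 0 && rect.y >= 0 &&
    rect.x + rect.width <= viewport.width &&
    rect.y + rect.height <= viewport.height;
  if (!onScreen || rect.width < MIN_SIZE_PX || rect.height < MIN_SIZE_PX) {
    return { allow: false, reason: 'offscreen-or-tiny' };
  }

  // The topmost node under the pointer must be the target or one of its
  // descendants; anything else means an overlay is covering the element.
  if (!hitPath.includes(targetId)) {
    return { allow: false, reason: 'obscured' };
  }
  return { allow: true, reason: 'ok' };
}

// Browser-side adapter: builds a snapshot from real DOM APIs at click time.
// Assumes the extension sets ids on its own nodes. Only callable where a DOM exists.
function snapshotFromClick(target, ev) {
  const styleChain = [];
  for (let el = target; el && el.nodeType === 1; el = el.parentElement) {
    const cs = getComputedStyle(el);
    styleChain.push({ opacity: cs.opacity, visibility: cs.visibility, display: cs.display });
  }
  const hitPath = [];
  for (let el = document.elementFromPoint(ev.clientX, ev.clientY); el; el = el.parentElement) {
    hitPath.push(el.id);
  }
  return {
    targetId: target.id,
    isTrusted: ev.isTrusted,
    styleChain,
    rect: target.getBoundingClientRect(),
    viewport: { width: window.innerWidth, height: window.innerHeight },
    hitPath,
  };
}

// Constructed sample snapshots (not captured from a real site) covering the
// legitimate case and the hiding techniques the policy is meant to refuse.
const OK_STYLE = { opacity: '1', visibility: 'visible', display: 'block' };
const BASE = {
  targetId: 'pm-autofill-menu',
  isTrusted: true,
  styleChain: [OK_STYLE, OK_STYLE, OK_STYLE],
  rect: { x: 120, y: 200, width: 240, height: 48 },
  viewport: { width: 1280, height: 800 },
  hitPath: ['pm-autofill-item-0', 'pm-autofill-menu', '', ''],
};
const SAMPLES = {
  legitimate: BASE,
  transparent: { ...BASE, styleChain: [{ ...OK_STYLE, opacity: '0' }, OK_STYLE, OK_STYLE] },
  hiddenAncestor: { ...BASE, styleChain: [OK_STYLE, { ...OK_STYLE, opacity: '0.001' }, OK_STYLE] },
  synthetic: { ...BASE, isTrusted: false },
  covered: { ...BASE, hitPath: ['fake-cookie-banner', '', ''] },
  offscreen: { ...BASE, rect: { x: -500, y: 200, width: 240, height: 48 } },
};

// Evaluate every sample and return { name: reason } for inspection.
function runSamples() {
  const out = {};
  for (const [name, snap] of Object.entries(SAMPLES)) {
    out[name] = evaluateAutofillClick(snap).reason;
  }
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(runSamples());
}
```

Two of the checks overlap on purpose. A decoy pop-up placed over the element with `pointer-events: none` lets the click fall through to the transparent element beneath, and `elementFromPoint` skips such overlays, so the hit-test alone would pass; the opacity walk is what catches that case. Conversely a script-dispatched click carries a perfectly visible render state but `isTrusted === false`. Checks like these are one layer only: CSS filters, clip paths and transforms can also hide an element, which is why the researcher's interim advice to require an explicit "on click" activation of the extension removes the page's ability to trigger auto-fill at all.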

Tóth’s research tested 11 popular password manager extensions, including 1Password, iCloud Passwords, Bitwarden, Enpass, LastPass, and LogMeOnce. All were found vulnerable to some degree, with most allowing the theft of credentials and time-based one-time passcodes (TOTPs). Some scenarios also exposed passkey authentication.

Six vendors have yet to fully patch the flaws, although Bitwarden has released version 2025.8.0 to address the issue. Apple’s iCloud Passwords and Enpass are actively working on fixes, while 1Password and LastPass classified the findings as “informative.”

What was said

“A single click anywhere on an attacker-controlled website could allow attackers to steal users’ data,” Tóth said, warning that the technique could be adapted to other extensions beyond password managers.

Software security firm Socket, which reviewed the research, confirmed the severity and said it has reached out to US-CERT to assign CVE identifiers.

Until fixes are issued, Tóth recommends disabling auto-fill and switching browser extension permissions to “on click” for better control.

The big picture

According to Malwarebytes Labs, the attack goes far beyond stealing login details. It “can also pilfer other information stored in password managers, including credit card information, personal data like your name and phone number, passkeys… and time-based one-time passwords (TOTP).” This makes the threat especially dangerous, as it targets multiple layers of authentication and sensitive personal data.

FAQs

What is DOM-based extension clickjacking?

It’s a technique where attackers make the elements that browser extensions inject into web pages invisible, and then trick users into clicking them and unintentionally revealing stored information.

How is this different from traditional clickjacking?

Traditional clickjacking hides or disguises webpage buttons, while DOM-based extension clickjacking specifically targets browser extension elements like auto-fill prompts.

Which password managers were tested in the research?

The study looked at 11 extensions including 1Password, iCloud Passwords, Bitwarden, Enpass, LastPass, and LogMeOnce. All showed vulnerabilities.

What can users do right now to protect themselves?

Experts recommend disabling auto-fill, using copy/paste instead, and configuring extensions to work “on click” rather than automatically.

Could other types of browser extensions be affected?

Yes. The researcher emphasized that the technique could be generalized to exploit other extensions that inject elements into the DOM.