At DEF CON 33, a prominent hacking conference, ethical hacker Marek Tóth brought to light critical vulnerabilities in popular password managers such as Dashlane, NordPass, and 1Password. In a detailed post on his website, Tóth outlined the methods employed by attackers, specifically focusing on clickjacking, a deceptive technique in which users unknowingly click on invisible elements on their screen and inadvertently hand over vital information to fraudsters.
The root of the issue lies within the browser extensions of these password managers. When not adequately safeguarded, these extensions can be exploited to create invisible overlays on the screen. When such an overlay sits behind a visible decoy element, such as a cookie acceptance prompt or a CAPTCHA, the user who thinks they are clicking the decoy is actually clicking the extension's control, thereby revealing sensitive data like credit card numbers, two-factor authentication (2FA) codes, and login credentials.
Clickjacking Exploits in Password Managers
Tóth elaborated on the two primary techniques used in these clickjacking attacks: iframe overlaying and DOM manipulation. These methods allow attackers to inject malicious HTML elements into the extension documents, turning the normal functionality of password managers into a conduit for data theft. Notably, password managers are designed to securely store not only login credentials but also credit card information, addresses, and other personal details.
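As an added, defender-side example that is not part of Tóth's research or any vendor's extension: a visibility guard an extension's content script could apply before treating a click on its injected autofill element as intentional, refusing the click when a page has faded, clipped or covered that element. The function names, the `env` indirection and the style properties checked are assumptions made so the logic can run outside a browser.

```javascript
// Added example: visibility guard for an extension's injected autofill element.
// Pure check over computed-style-like objects, ordered from the element itself
// up to the document root, so an ancestor hidden by the page is caught too.
function isEffectivelyVisible(styleChain) {
  for (const s of styleChain) {
    if (s.display === 'none' || s.visibility === 'hidden') return false;
    // Anything below fully opaque is refused: the page may be fading the
    // element so the user only sees the decoy drawn at the same spot.
    if (s.opacity !== undefined && parseFloat(s.opacity) < 1) return false;
    // A CSS filter can zero the opacity without touching the opacity property.
    if (s.filter && /opacity\(\s*0(\.0+)?%?\s*\)/.test(s.filter)) return false;
    // A clip-path can shrink the visible area to nothing.
    if (s.clipPath && s.clipPath !== 'none') return false;
  }
  return true;
}

// Hit test: whatever would receive a click at (x, y) must be the extension's
// element or one of its descendants; otherwise something sits on top of it
// (an overlay iframe, for instance). Note that an overlay styled with
// pointer-events: none is invisible to this test, so the opacity check above
// is still needed.
function isTopmostAt(el, x, y, elementFromPoint) {
  const top = elementFromPoint(x, y);
  return top !== null && (top === el || el.contains(top));
}

// Decides whether a click on the injected element should be honoured.
// env = { getComputedStyle, elementFromPoint } (assumed injection point for tests).
function shouldHonourClick(el, x, y, env) {
  const chain = [];
  for (let n = el; n; n = n.parentElement) chain.push(env.getComputedStyle(n));
  return isEffectivelyVisible(chain) && isTopmostAt(el, x, y, env.elementFromPoint);
}

// Browser wiring (assumed usage inside a content script; not executed here).
function attachGuard(injectedEl, onAccepted) {
  injectedEl.addEventListener('click', (ev) => {
    const env = {
      getComputedStyle: window.getComputedStyle.bind(window),
      elementFromPoint: document.elementFromPoint.bind(document),
    };
    if (shouldHonourClick(injectedEl, ev.clientX, ev.clientY, env)) onAccepted(ev);
    else ev.stopImmediatePropagation(); // looks clickjacked: do not fill
  });
}
```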
The ingenuity of the attack lies in its ability to identify the specific password manager in use and dynamically adjust to steal data, even if a user switches managers rapidly. Tóth tested 11 widely-used password managers:
- 1Password
- Bitwarden
- Dashlane
- Enpass
- Keeper
- iCloud Passwords
- LastPass
- LogMeOnce
- NordPass
- ProtonPass
- RoboForm
After discovering the vulnerabilities, Tóth, in collaboration with cybersecurity firm Socket, notified all the companies in April 2025, well ahead of his public disclosure. Alarmingly, some companies, such as 1Password and LastPass, downplayed the findings, labeling them as merely informative or outside the scope of their responsibility, attributing clickjacking to a general internet risk.
Bitwarden initially minimized the severity of the warning but later acknowledged the issue, announcing that version 2025.8.0 would include security patches. LogMeOnce did not respond to Tóth’s findings. On a more proactive note, Dashlane, NordPass, ProtonPass, Keeper, and RoboForm updated their extensions to address the vulnerabilities. However, outdated versions remain at risk, including:
- 1Password 8.11.4.27
- Bitwarden 2025.7.0
- Enpass 6.11.6
- iCloud Passwords 3.1.25
- LastPass 4.146.3
- LogMeOnce 7.12.4
Protecting Against Clickjacking
Tóth provided several recommendations for both companies and users to mitigate these risks. He emphasized disabling the manual fill function, as it is the primary vector through which passwords are exposed to attackers. Instead, users should opt for automatic filling or manually copy and paste passwords to avoid the clickjacking trap. Although less convenient, this method significantly enhances security.
Users are also advised to ensure their extension versions are up-to-date, as many companies have already issued patches. According to Tóth’s calculations, as many as 40 million individuals could have been susceptible to these attacks due to the widespread use of vulnerable password manager extensions.
The revelation of these vulnerabilities serves as a stark reminder of the importance of maintaining updated software and being vigilant about how personal data is managed and shared online. While password managers are essential tools for maintaining strong, unique passwords across various accounts, users must remain aware of the potential risks and take proactive steps to protect their information.
Source: Canal Tech