- A clickjacking technique exposes millions of password manager users
- It affects browser extensions such as those from 1Password, Bitwarden, or LastPass.
- Some companies still haven't applied patches despite having been notified in April

We trust our password managers as if they were digital safes. But, according to security researcher Marek Tóth, simply visiting the wrong website and clicking where you shouldn't is enough to compromise that security. The technique he presented at DEF CON 33 targets not the password manager applications themselves but the browser extensions we use every day. In his tests, he claims that a single click can trigger the extension's autofill and leak stored data without the user noticing anything.
The research, made public at the conference, documents how eleven password manager extensions could be manipulated into leaking data. Tóth states that he notified the vendors of the finding in April 2025 and that several remained unpatched by mid-August. The study includes practical tests, demonstration websites built to show the vulnerability, and an estimate of its scope: approximately 40 million active installations potentially exposed.
How the attack works and why it affects you
The technique described by Tóth relies on hiding the user-interface elements that extensions inject into the page (such as the autofill dropdown) so that the user interacts with them without seeing them. With minimal changes to opacity or layering, the attacker gets autofill to fire in the background. There are several ways to achieve this: manipulating the root element the extension injects, altering the opacity of the site's entire body, or placing overlay variations on top of the hidden element.
The most delicate scenario arises when a fake website isn't even necessary: exploiting a legitimate page that has a security flaw is enough. In these cases, he explains, the attacker can capture login credentials. The risk increases because many password managers fill in data not only on the main domain but also on its subdomains, expanding the attack surface without the user noticing.
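To make the mechanism above concrete, here is an illustrative example added to this article; it is not code from Marek Tóth's research or from any password manager vendor. It models the check an extension could run before acting on a click in its injected autofill UI: is the element actually visible, and is it what the user clicked? Computed styles and the hit-test stack are plain objects so the logic runs in Node; in a browser the same walk would use `window.getComputedStyle(node)`, `node.parentElement` and `document.elementsFromPoint(x, y)`. The element ids, the `MIN_VISIBLE_OPACITY` threshold and the three scenarios are constructed assumptions.

```javascript
// Added illustrative example, not vendor or researcher code.
// Assumption: a cumulative opacity below this counts as invisible to the user.
const MIN_VISIBLE_OPACITY = 0.9;

// Constructed element model standing in for a DOM node: { id, style, parent }.
function makeElement(id, style = {}, parent = null) {
  return { id, style, parent };
}

// Computed opacity is a number in [0, 1]; anything malformed is treated as opaque.
function parseOpacity(value) {
  const n = Number(value);
  if (value === undefined || value === null || Number.isNaN(n)) return 1;
  return Math.min(1, Math.max(0, n));
}

// True when a transform collapses the box to zero area (scale(0) or a singular
// matrix()), which hides the element while it can still be clicked.
function transformCollapses(transform) {
  if (!transform || transform === 'none') return false;
  const t = transform.trim();
  const scale = /^scale\(\s*([0-9.]+)(?:\s*,\s*([0-9.]+))?\s*\)$/.exec(t);
  if (scale) return Number(scale[1]) === 0 || Number(scale[2] ?? 1) === 0;
  const matrix = /^matrix\(([^)]+)\)$/.exec(t);
  if (matrix) {
    const [a, b, c, d] = matrix[1].split(',').map(Number);
    return Math.abs(a * d - b * c) < 1e-9;
  }
  return false;
}

// Walk from the injected element up to the root. Opacity multiplies through
// ancestors, so near-zero opacity on the page <body> (one variant the article
// mentions) hides the dropdown as effectively as opacity on the extension's root.
function assessVisibility(el) {
  const reasons = [];
  let opacity = 1;
  for (let node = el; node; node = node.parent) {
    const s = node.style;
    opacity *= parseOpacity(s.opacity);
    if (s.display === 'none') reasons.push(`${node.id}: display:none`);
    if (s.visibility === 'hidden' || s.visibility === 'collapse') {
      reasons.push(`${node.id}: visibility:${s.visibility}`);
    }
    if (transformCollapses(s.transform)) reasons.push(`${node.id}: transform collapses box`);
  }
  if (opacity < MIN_VISIBLE_OPACITY) {
    reasons.push(`cumulative opacity ${opacity.toFixed(3)} below ${MIN_VISIBLE_OPACITY}`);
  }
  return { visible: reasons.length === 0, opacity, reasons };
}

// hitStack models document.elementsFromPoint(x, y), topmost element first. If
// something the extension does not own sits above its UI at the click point, the
// user clicked a decoy. Note that hit testing skips pointer-events:none elements,
// so this catches positioned overlays; the style walk catches the opacity tricks.
function clickedOwnUi(el, hitStack) {
  for (let node = hitStack[0]; node; node = node.parent) {
    if (node === el) return true;
  }
  return false;
}

// Gate the autofill action on both checks and report why it was refused.
function shouldAutofill(el, hitStack) {
  const vis = assessVisibility(el);
  const reasons = [...vis.reasons];
  if (!clickedOwnUi(el, hitStack)) reasons.push('click landed outside the autofill UI');
  return { allow: reasons.length === 0, reasons };
}

// Constructed scenarios (not real pages): a legitimate page, the "opacity on
// <body>" variant, and an opaque decoy layered above the dropdown.
function demoScenarios() {
  const legitBody = makeElement('body', { opacity: '1' });
  const legitRoot = makeElement('pm-root', {}, legitBody);
  const legitDropdown = makeElement('pm-dropdown', {}, legitRoot);

  const hostileBody = makeElement('body', { opacity: '0.01' });
  const hostileRoot = makeElement('pm-root', {}, hostileBody);
  const hostileDropdown = makeElement('pm-dropdown', {}, hostileRoot);

  const overlayBody = makeElement('body', {});
  const overlayRoot = makeElement('pm-root', {}, overlayBody);
  const overlayDropdown = makeElement('pm-dropdown', {}, overlayRoot);
  const decoy = makeElement('accept-cookies-button', { position: 'absolute' }, overlayBody);

  return {
    legitimate: shouldAutofill(legitDropdown, [legitDropdown, legitRoot, legitBody]),
    bodyOpacity: shouldAutofill(hostileDropdown, [hostileDropdown, hostileRoot, hostileBody]),
    overlay: shouldAutofill(overlayDropdown, [decoy, overlayDropdown, overlayRoot, overlayBody]),
  };
}

for (const [name, result] of Object.entries(demoScenarios())) {
  console.log(name, result.allow ? 'autofill allowed' : `refused: ${result.reasons.join('; ')}`);
}
```

The point of the walk is that a single `getComputedStyle(dropdown).opacity` check is not enough: the attacker can leave the extension's own nodes untouched and dim the whole `<body>` instead, which is why the check multiplies opacity up the ancestor chain. This model does not cover every way a page can hide content (off-screen positioning, clipping, stacking-context tricks), so it is a starting point rather than a complete fix.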
According to data published by Tóth and compiled by Socket, as of August 19, 1Password, Bitwarden, Enpass, iCloud Passwords, LastPass and LogMeOnce were still listed as vulnerable. On August 20, Socket updated its report to note that Bitwarden had shipped version 2025.8.0 with a patch, pending distribution through the extension stores. Among the password managers that had already implemented fixes are NordPass, Dashlane, Keeper, Proton Pass, and RoboForm. This list may change at any time as other companies release fixes after this announcement.

The reaction from vendors was mixed. Socket notes that 1Password and LastPass classified the vulnerability as "informational," a category that usually implies no immediate changes. Bitwarden, Enpass, and Apple (iCloud Passwords) confirmed that they are working on updates. LogMeOnce did not respond to attempts to contact it. Some companies acknowledged the risk but attributed it to vulnerabilities in the websites being visited rather than in their extensions.
While some developers are still deciding how to proceed, Tóth and the Socket team agree that there are practical measures to reduce exposure. One of the most effective is disabling autofill altogether and relying on copy and paste instead. It is also recommended to configure autofill to work only on exact URL matches, which prevents it from firing on subdomains. In Chromium-based browsers, the extension's site access can be restricted with the "on click" option, so the extension only runs on a page after the user explicitly activates it there.
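The "exact URL match" setting mentioned above is easier to reason about with the matching policies side by side. The following is an added example, not the configuration logic of any real password manager: it shows how an exact-URL, same-host and base-domain policy each decide whether a saved login should be offered on a given page, and why only the first two keep a credential off sibling subdomains. The saved credential and page URLs are constructed; base-domain matching uses a last-two-labels heuristic, which is an assumption (real products consult the Public Suffix List, otherwise `co.uk`-style suffixes would be mishandled).

```javascript
// Added illustrative example, not any vendor's matching code.

// Assumption: the registrable domain is the last two labels of the hostname.
// A real implementation would use the Public Suffix List instead.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split('.');
  return labels.slice(-2).join('.');
}

// Normalize to scheme + host + path so query strings and fragments never
// affect an "exact" comparison.
function canonicalUrl(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}${u.pathname}`;
}

// Decide whether a credential saved for savedUrl may be offered on pageUrl
// under the given policy. Assumption: a page whose scheme differs from the
// saved one (e.g. http instead of https) is refused under every policy.
function matches(savedUrl, pageUrl, mode) {
  const saved = new URL(savedUrl);
  const page = new URL(pageUrl);
  if (saved.protocol !== page.protocol) return false;
  switch (mode) {
    case 'exact':
      return canonicalUrl(savedUrl) === canonicalUrl(pageUrl);
    case 'host':
      return saved.host === page.host;
    case 'base-domain':
      return registrableDomain(saved.hostname) === registrableDomain(page.hostname);
    default:
      throw new Error(`unknown match mode: ${mode}`);
  }
}

// Tabulate one saved credential against several candidate pages.
function fillDecisions(savedUrl, pageUrls) {
  const modes = ['exact', 'host', 'base-domain'];
  return pageUrls.map((pageUrl) => {
    const row = { pageUrl };
    for (const mode of modes) row[mode] = matches(savedUrl, pageUrl, mode);
    return row;
  });
}

// Constructed credential and pages (not real sites).
const SAVED_LOGIN_URL = 'https://accounts.example.com/login';
const CANDIDATE_PAGES = [
  'https://accounts.example.com/login?next=%2Fhome',   // same page, extra query
  'https://accounts.example.com/settings',             // same host, other path
  'https://uploads.example.com/share/abc',             // sibling subdomain
  'http://accounts.example.com/login',                 // scheme downgrade
];

for (const row of fillDecisions(SAVED_LOGIN_URL, CANDIDATE_PAGES)) {
  console.log(row.pageUrl, 'exact:', row.exact, 'host:', row.host, 'base-domain:', row['base-domain']);
}
```

The sibling-subdomain row is the one that matters for the attack described in this article: under a base-domain policy a compromised or attacker-controlled page on any subdomain is offered the credential, whereas the exact and host policies refuse it.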
It's not all as immediate as clicking and losing everything. For the attack to succeed, the extension must be unlocked, the browser must not have been restarted since, and the user must click at the precise moment. Furthermore, the analysis covered only eleven extensions. There is no evidence that every solution on the market is vulnerable, although the researcher warns that the same pattern may recur in other kinds of extensions.
The weak point is in the DOM, the internal structure that websites use to organize buttons, forms, and menus. Password managers insert their elements there, and if a malicious website manages to move, hide, or trigger them, the user may end up clicking on them without realizing it. The same risk extends to other extensions that inject UI into pages, such as cryptocurrency wallets or note-taking applications.
Javier Márquez, Tech Editor | August 21, 2025