

Ethical Hacking News

Clickjacking Exploits Weaknesses in Popular Password Manager Plugins, Leaving Millions of Users Vulnerable to Data Theft



DOM-Based Extension Clickjacking Exposes Popular Password Managers to Credential and Data Theft: A Growing Concern for Online Security


  • Millions of users are exposed to credential and data theft through a weakness in popular password manager browser extensions.
  • A single click on an attacker-controlled website can be enough for an attacker to steal sensitive information, including credit card details and login credentials.
  • The technique, dubbed Document Object Model (DOM)-based extension clickjacking, affects 11 popular password manager browser extensions.
  • The click triggers the manager's autofill into hidden fields on the attacker's page, and a script exfiltrates the stored credentials.
  • In some scenarios two-factor authentication codes and passkey authentication flows can be abused as well.
  • Until vendors ship fixes, users are advised to disable autofill and copy and paste credentials instead.



  • Research presented by Marek Tóth at the DEF CON 33 security conference earlier this month highlights a weakness in popular password manager browser extensions that leaves millions of users exposed to credential and data theft. According to Tóth, a single click on an attacker-controlled website can be enough for the attacker to steal sensitive information, including credit card details, personal data, login credentials, and even two-factor authentication codes.

    The technique, dubbed Document Object Model (DOM)-based extension clickjacking, abuses the UI elements (autofill dropdowns and prompts) that browser extensions inject into a page's DOM. A malicious script on the attacker's page makes those elements invisible, for example by setting their opacity to zero, while leaving them in place and clickable. The research examined 11 popular password manager browser extensions, including 1Password, iCloud Passwords, Bitwarden, Enpass, LastPass, and LogMeOnce, and found all of them susceptible.

    The attack page shows an intrusive overlay, such as a login prompt or a cookie consent banner, positioned over the now-invisible autofill prompt. When the user clicks to dismiss the overlay, the click lands on the hidden prompt instead, the password manager fills the stored credentials into the attacker's form fields, and a script on the page exfiltrates them to a remote server. What makes the issue broad is that all of the password managers fill credentials not only on the main domain of a saved login but also on all of its subdomains.
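    To make the mechanism concrete, here is an added illustration written for this page, not code from the research or from any password manager vendor: a visibility gate that an extension's content script could apply before honouring a click on its injected autofill prompt. The mini-DOM, the getStyle helper and the 0.9 opacity threshold are assumptions for the demo; a real content script would pass real elements and window.getComputedStyle.

```javascript
// Added example: an extension-side visibility gate for injected autofill UI.
// Not the article's code and not any vendor's fix. The attack page sets
// opacity: 0 on the extension's injected prompt (or on an ancestor) and stacks
// a fake cookie banner over the same spot, so a genuine user click meant for
// the banner lands on the invisible prompt and triggers autofill.

const MIN_OPACITY = 0.9; // assumption: anything fainter than this counts as hidden

// A prompt is user-visible only if neither it nor any ancestor hides it via
// display, visibility, a near-zero opacity or a zero-size clip.
// getStyle(el) must return the computed style of el; in a content script pass
// (el) => window.getComputedStyle(el).
function isUserVisible(el, getStyle) {
  for (let node = el; node; node = node.parentElement) {
    const s = getStyle(node);
    if (s.display === 'none' || s.visibility === 'hidden') return false;
    if (Number.parseFloat(s.opacity) < MIN_OPACITY) return false;
    if (s.clipPath === 'inset(100%)' || s.clip === 'rect(0px, 0px, 0px, 0px)') return false;
  }
  return true;
}

// Gate the fill on a trusted click (event.isTrusted) on a visible prompt.
// Note that in clickjacking the click IS trusted; only the visibility check
// catches it. Returns the reason for refusal, or null when filling is allowed.
function autofillDecision(promptEl, getStyle, isTrusted) {
  if (!isTrusted) return 'synthetic-event';        // script-dispatched click
  if (!isUserVisible(promptEl, getStyle)) return 'prompt-hidden';
  return null;
}

// ---- Constructed mini-DOM for the demo (assumption; stands in for real nodes) ----
function makeEl(style = {}, parent = null) {
  return { style, parentElement: parent };
}
const getStyle = (el) => ({
  display: 'block', visibility: 'visible', opacity: '1', clipPath: 'none', clip: 'auto',
  ...el.style,
});

// Honest page: the prompt is injected under <body> and rendered normally.
function honestPage() {
  const body = makeEl();
  const prompt = makeEl({}, body);
  return autofillDecision(prompt, getStyle, true);   // null: fill allowed
}

// Clickjacking page: the attacker's script zeroes the opacity of the
// extension's container; the prompt itself is untouched but inherits it.
function clickjackedPage() {
  const body = makeEl();
  const container = makeEl({ opacity: '0' }, body);
  const prompt = makeEl({}, container);
  return autofillDecision(prompt, getStyle, true);   // 'prompt-hidden'
}

// Variant: prompt visible, but the click was dispatched by script, not the user.
function scriptedClick() {
  const prompt = makeEl({}, makeEl());
  return autofillDecision(prompt, getStyle, false);  // 'synthetic-event'
}

console.log({ honest: honestPage(), clickjacked: clickjackedPage(), scripted: scriptedClick() });
```

    This gate defeats the opacity, visibility and clip tricks the research describes, but not every overlay: an opaque decoy stacked above a fully visible prompt with pointer-events: none would pass it, so a fuller check would also look for other elements overlapping the prompt's bounding box, or move the confirmation into extension-owned UI that page script cannot style.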

    An attacker therefore only needs a cross-site scripting (XSS) flaw, or any other way to run script, on a single subdomain of a target site to harvest the credentials saved for that site with one click. In some scenarios two-factor authentication codes and passkey authentication flows can be abused the same way. At the time of the report, six of the tested extensions were still affected: 1Password Password Manager version 8.11.4.27, Apple iCloud Passwords version 3.1.25, Bitwarden Password Manager version 2025.7.0, Enpass version 6.11.6, LastPass version 4.146.3, and LogMeOnce version 7.12.4.
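    The subdomain point above, as an added example written for this page (not code from the research or from any vendor): two policies for deciding which saved logins an extension offers on a page. The vault entries and page URLs are constructed, and registrableDomain is simplified to the last two host labels; a real implementation must consult the Public Suffix List.

```javascript
// Added example: credential-matching policies for autofill.
// Not from the article or any vendor. The weak policy reproduces the behaviour
// the article describes (a login saved for example.com is offered on every
// *.example.com); the strict policy only fills on the exact saved origin.

// Simplified registrable-domain extraction: last two labels. Assumption for
// the demo; real code must use the Public Suffix List (co.uk, github.io, ...).
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split('.');
  return labels.slice(-2).join('.');
}

// Weak policy: same registrable domain, any scheme, any subdomain.
function matchesByDomain(savedUrl, pageUrl) {
  return registrableDomain(new URL(savedUrl).hostname) ===
         registrableDomain(new URL(pageUrl).hostname);
}

// Strict policy: exact origin (scheme + host + port).
function matchesByOrigin(savedUrl, pageUrl) {
  return new URL(savedUrl).origin === new URL(pageUrl).origin;
}

// Usernames of the vault entries that the given policy would offer on pageUrl.
function candidates(vault, pageUrl, policy) {
  return vault
    .filter((entry) => policy(entry.url, pageUrl))
    .map((entry) => entry.username);
}

// Constructed sample vault (not real accounts).
const VAULT = [
  { url: 'https://example.com/login', username: 'alice@example.com' },
  { url: 'https://accounts.example.org/', username: 'alice-org' },
  { url: 'https://bank.example.net/', username: 'alice-bank' },
];

// A page the attacker controls through an XSS flaw on an unrelated subdomain.
const XSS_PAGE = 'https://status.example.com/widget';

// Side-by-side result of both policies for one page.
function compare(pageUrl) {
  return {
    byDomain: candidates(VAULT, pageUrl, matchesByDomain),
    byOrigin: candidates(VAULT, pageUrl, matchesByOrigin),
  };
}

// The weak policy hands alice@example.com to the compromised subdomain; the
// strict one offers nothing there. Plain-http pages show the same split.
console.log(XSS_PAGE, compare(XSS_PAGE));
console.log('http://example.com/', compare('http://example.com/'));
```

    The strict policy is not free: a site whose login form lives on a different host than the one the credential was saved on stops getting filled, which is the usability reason the permissive default exists. A middle ground is a per-entry allow-list of equivalent origins that the user confirms once, rather than a blanket match on every subdomain.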

    A software supply chain security firm that independently reviewed the research noted that Bitwarden, Enpass, and iCloud Passwords are actively working on fixes, while 1Password and LastPass classified the reports as informative. Until fixes ship, users are advised to disable autofill in their password manager and copy and paste credentials instead.

    Users of Chromium-based browsers can additionally set the extension's site access to "On click" in the browser's extension settings; the extension then only gains access to a page, and can only fill on it, after the user clicks its toolbar icon. Experts emphasize that users must stay vigilant when using online services and take proactive measures to protect themselves against such weaknesses.

    The discovery of this vulnerability highlights the ongoing cat-and-mouse game between cybersecurity researchers and malicious actors. It serves as a reminder for organizations and individuals alike to prioritize their online security, adhere to best practices, and stay informed about emerging threats in the ever-evolving digital landscape.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Clickjacking-Exploits-Weaknesses-in-Popular-Password-Manager-Plugins-Leaving-Millions-of-Users-Vulnerable-to-Data-Theft-ehn.shtml

  • https://thehackernews.com/2025/08/dom-based-extension-clickjacking.html


  • Published: Wed Aug 20 14:24:01 2025 by llama3.2 3B Q4_K_M
    © Ethical Hacking News. All rights reserved.
