

Ethical Hacking News

Major Password Managers Vulnerable to Clickjacking Attacks: A Threat to User Security


Major password managers 1Password, Bitwarden, Enpass, iCloud Passwords, LastPass, and LogMeOnce are vulnerable to clickjacking attacks that could expose users' sensitive data. Users should disable autofill and use copy/paste instead until the affected vendors release patches.

  • Six major password managers (1Password, Bitwarden, Enpass, iCloud Passwords, LastPass, and LogMeOnce) are vulnerable to clickjacking attacks.
  • The vulnerability lies in the way these password managers handle user interactions with their interfaces.
  • Clickjacking can trick users into divulging sensitive information such as login credentials and credit card details.
  • The affected password managers have tens of millions of users between them.
  • Users should disable the autofill function in their password managers and use copy/paste instead to prevent attackers from gaining access to sensitive data.



In a shocking revelation, recent research has exposed six major password managers as vulnerable to clickjacking attacks. The implications of this discovery are far-reaching, and users should take immediate action to protect their sensitive information.

The vulnerability in question lies in the way these password managers handle user interactions with their interfaces. Clickjacking, a type of attack in which an attacker overlays a malicious element on top of a legitimate one, can trick users into divulging sensitive information such as login credentials, two-factor authentication codes, and credit card details. Attackers exploit this vulnerability by running scripts on malicious websites, or on compromised websites, that overlay fake UI elements over the password manager's autofill dropdown menu.

The affected password managers include 1Password, Bitwarden, Enpass, iCloud Passwords, LastPass, and LogMeOnce, with the first five having tens of millions of users between them. The researcher who identified this vulnerability, Marek Tóth, demonstrated multiple DOM-based subtypes that are exploitation variants of the same flaw: direct DOM element opacity manipulation, root element opacity manipulation, parent element opacity manipulation, and partial or full overlaying.

To exploit this vulnerability, attackers can use a script that identifies the active password manager in the target's browser and then adapts the attack in real time. This means that even if users update their password managers to the latest versions, they are still at risk of falling victim to these attacks.

The vendors affected by this vulnerability were notified in April 2025, but some have been slow to respond. LastPass marked the report as "informative," while Bitwarden acknowledged the issues but downplayed their severity. However, it is worth noting that Bitwarden has since released a patch in version 2025.8.0, which fixes the vulnerability.

On the other hand, LogMeOnce did not respond to any communication attempts, leaving its users exposed to these attacks. Other affected password managers, such as 1Password and LastPass, have not yet confirmed whether they plan to address this problem.

In light of this discovery, it is essential for users to take precautions to protect their sensitive information. Marek Tóth recommends that users disable the autofill function in their password managers and use copy/paste instead. This can help prevent attackers from gaining access to sensitive data.

The situation highlights the ongoing cat-and-mouse game between cybersecurity experts and malicious actors. As security measures evolve, so too do the tactics of those seeking to exploit vulnerabilities for nefarious purposes.

In conclusion, this vulnerability in major password managers serves as a stark reminder of the importance of staying vigilant and proactive when it comes to online security. Users must be aware of these risks and take steps to protect themselves from falling victim to clickjacking attacks.
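As an added example (not code from the article, from Marek Tóth, or from any of the vendors named), here is the kind of visibility check a password manager extension could run before showing its injected autofill dropdown, covering the three opacity-manipulation subtypes listed above. The in-memory DOM tree, the `getStyle` lookup, and the 0.9 threshold are constructed assumptions.

```javascript
// Added example, not code from the article or from any of the named vendors.
// An extension's autofill dropdown is injected into the page DOM, so the page
// controls its ancestors. CSS opacity composes multiplicatively down the tree:
// opacity 0 on the dropdown itself, on the root <html>, or on any parent makes
// it invisible while it still receives clicks. Walk to the root, compute the
// effective opacity, and refuse to show the dropdown if it is below a threshold.
// `getStyle` abstracts style lookup: the constructed tree below uses inline
// styles; in a browser pass `el => getComputedStyle(el)`.

function effectiveOpacity(node, getStyle) {
  let opacity = 1;
  for (let cur = node; cur; cur = cur.parentElement) {
    const s = getStyle(cur);
    if (s.display === 'none' || s.visibility === 'hidden') return 0;
    const o = s.opacity;
    opacity *= (o === undefined || o === '') ? 1 : Number(o);
    if (opacity === 0) return 0;
  }
  return opacity;
}

// Constructed threshold: "not fully transparent" is not the same as "visible".
const MIN_VISIBLE_OPACITY = 0.9;

function autofillUiMayBeShown(node, getStyle) {
  return effectiveOpacity(node, getStyle) >= MIN_VISIBLE_OPACITY;
}

// Constructed stand-in for a page DOM: html > body > div (host) > dropdown.
// Each node carries only the style properties the check reads.
function makeTree(styles = {}) {
  const html = { style: styles.html || {}, parentElement: null };
  const body = { style: styles.body || {}, parentElement: html };
  const host = { style: styles.host || {}, parentElement: body };
  return { style: styles.dropdown || {}, parentElement: host };
}
const inlineStyle = (el) => el.style;

// Scenarios matching the article's opacity-based subtypes; only the honest
// page should be allowed to show the dropdown.
function runScenarios() {
  return {
    honest: autofillUiMayBeShown(makeTree(), inlineStyle),
    rootOpacity: autofillUiMayBeShown(makeTree({ html: { opacity: '0' } }), inlineStyle),
    parentOpacity: autofillUiMayBeShown(makeTree({ host: { opacity: '0.01' } }), inlineStyle),
    directOpacity: autofillUiMayBeShown(makeTree({ dropdown: { opacity: '0' } }), inlineStyle),
    hiddenParent: autofillUiMayBeShown(makeTree({ body: { visibility: 'hidden' } }), inlineStyle),
  };
}
```

In a browser the extension would call `autofillUiMayBeShown(dropdownEl, el => getComputedStyle(el))` before rendering. The fourth subtype, partial or full overlaying, is not an opacity question and needs a hit test such as `document.elementFromPoint` at the dropdown's corners, which this model does not cover.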



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Major-Password-Managers-Vulnerable-to-Clickjacking-Attacks-A-Threat-to-User-Security-ehn.shtml

  • Published: Wed Aug 20 10:32:07 2025 by llama3.2 3B Q4_K_M

© Ethical Hacking News. All rights reserved.