Six popular password managers serving tens of millions of users remain vulnerable to unpatched clickjacking flaws that could allow cybercriminals to steal login credentials, two-factor authentication codes, and credit card information.
Modus operandi
Security researcher Marek Tóth, who presented these findings at DEF CON 33, demonstrated how attackers exploit these vulnerabilities by running malicious scripts on compromised websites.
The attack works by using opacity settings and overlays to hide password manager autofill dropdown menus while displaying fake elements like cookie banners or CAPTCHA prompts. When users click on these decoy elements, they unknowingly trigger autofill actions that expose sensitive data.
Tóth developed multiple exploitation variants, including DOM element manipulation techniques and a method where the user interface follows the mouse cursor, making any click trigger data autofill. The researcher created a universal attack script that can identify which password manager a target is using and adapt the attack in real-time.
Impacted password managers
The vulnerable password managers include:
- 1Password 8.11.4.27
- Bitwarden 2025.7.0
- Enpass 6.11.6
- iCloud Passwords 3.1.25
- LastPass 4.146.3
- LogMeOnce 7.12.4
These services collectively have approximately 40 million users.
Vendor responses
Vendor responses have been mixed. 1Password dismissed the report as "out-of-scope/informative," arguing that clickjacking is a general web risk users should mitigate themselves. Similarly, LastPass initially marked the report as "informative" before later acknowledging they're working on fixes.
Bitwarden downplayed the severity but claims to have addressed the issues in version 2025.8.0. However, LogMeOnce initially failed to respond to any communication attempts, though they later released an update.
Several vendors have successfully implemented fixes, including Dashlane, NordPass, ProtonPass, RoboForm, and Keeper.
Safety measures
Until patches are available, Tóth recommends that users disable autofill functionality in their password managers and rely on manual copy-paste operations instead. This significantly reduces the attack surface while maintaining password manager security benefits.
The research highlights ongoing challenges in balancing user convenience with security in password management tools, particularly regarding browser extension vulnerabilities.