Popular password manager plugins for web browsers have been found susceptible to clickjacking security vulnerabilities that could be exploited to steal account credentials, two-factor authentication (2FA) codes, and credit card details under certain conditions.
The technique has been dubbed Document Object Model (DOM)-based extension clickjacking by independent security researcher Marek Tóth, who presented the findings at the DEF CON 33 security conference earlier this month.
“A single click anywhere on an attacker-controlled website could allow attackers to steal users’ data (credit card details, personal data, login credentials, including TOTP),” Tóth said. “The new technique is general and can be applied to other types of extensions.”
Clickjacking, also called UI redressing, refers to a type of attack in which users are tricked into performing a series of actions on a website that appear ostensibly harmless, such as clicking on buttons, when, in reality, they are inadvertently carrying out the attacker’s bidding.
The new technique detailed by Tóth essentially involves using a malicious script to manipulate UI elements in a web page that browser extensions inject into the DOM — for example, auto-fill prompts, by making them invisible by setting their opacity to zero.
The research specifically focused on 11 popular password manager browser add-ons, ranging from 1Password to iCloud Passwords, all of which have been found to be susceptible to DOM-based extension clickjacking. Collectively, these extensions have millions of users.
To pull off the attack, all a bad actor has to do is create a fake site with an intrusive pop-up, such as a login screen or a cookie consent banner, while embedding an invisible login form such that clicking on the site to close the pop-up causes the credential information to be auto-filled by the password manager and exfiltrated to a remote server.
“All password managers filled credentials not only to the ‘main’ domain, but also to all subdomains,” Tóth explained. “An attacker could easily find XSS or other vulnerabilities and steal the user’s stored credentials with a single click (10 out of 11), including TOTP (9 out of 11). In some scenarios, passkey authentication could also be exploited (8 out of 11).”
Following responsible disclosure, six of the vendors have yet to release fixes for the defect –
- 1Password Password Manager 8.11.4.27
- Apple iCloud Passwords 3.1.25
- Bitwarden Password Manager 2025.7.0
- Enpass 6.11.6
- LastPass 4.146.3
- LogMeOnce 7.12.4
Software supply chain security firm Socket, which independently reviewed the research, said Bitwarden, Enpass, and iCloud Passwords are actively working on fixes, while 1Password and LastPass marked them as informative. It has also reached out to US-CERT to assign CVE identifiers for the identified issues.
Until fixes are available, it’s advised that users disable the auto-fill function in…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
