
Zero-day Clickjacking exploit impacts several password managers

Many password managers have been found to be vulnerable to a specific form of attack. The technique that hackers are using is called Clickjacking.

What is Clickjacking?

Clickjacking is a method in which an attacker crafts a malicious web page that contains invisible iframes, hiding a target website right within the attacker's page. When users click on things on the page, those clicks are intercepted by the hidden iframe and perform a different action, e.g. on the target website. This isn't a new method at all.

For example, a web page may display a cookie consent prompt, asking the user to click on either the Reject or the Accept button. However, the iframe element could contain a login form that triggers a password manager browser extension to autofill the credentials. This could result in the attacker obtaining the username and password from the user.
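To illustrate the defensive side of this, here is a check an autofill extension could run before acting on a click in the UI it injects into a page; this is example code written for this post, not the article's own code or any password manager's fix, and the `getStyle` / `elementAtPoint` accessors are hypothetical stand-ins for `window.getComputedStyle` and `document.elementFromPoint`.

```javascript
// Added example (not the article's or any vendor's code): a visibility check an
// autofill extension could run before honouring a click on its injected UI.
// DOM access is injected so it runs in a browser (window.getComputedStyle,
// document.elementFromPoint) and offline here against a constructed fake DOM.
const MIN_OPACITY = 0.95; // anything fainter counts as hidden from the user

function isElementGenuinelyVisible(el, { getStyle, elementAtPoint }) {
  // A hidden ancestor hides the element too: walk to the root, accumulating opacity.
  let opacity = 1;
  for (let node = el; node; node = node.parentElement) {
    const s = getStyle(node);
    if (s.display === "none" || s.visibility === "hidden") return false;
    opacity *= parseFloat(s.opacity ?? "1");
    if (opacity < MIN_OPACITY) return false;
  }
  // Hit-test the element's centre: if something else comes back, an overlay covers it.
  const r = el.getBoundingClientRect();
  if (r.width === 0 || r.height === 0) return false;
  const top = elementAtPoint(r.left + r.width / 2, r.top + r.height / 2);
  return top === el || (top !== null && el.contains(top));
}

// Constructed fake DOM: just enough of the Element interface for the check.
function fakeNode(style, rect, parent = null) {
  const n = { style, rect, parentElement: parent };
  n.getBoundingClientRect = () => rect;
  n.contains = (o) => { for (let x = o; x; x = x.parentElement) if (x === n) return true; return false; };
  return n;
}

// Scenarios: "visible", "transparent" (opacity 0 on the dropdown),
// "hidden-parent" (display:none on an ancestor), "covered" (a banner drawn on top).
function checkScenario(name) {
  const page = { left: 0, top: 0, width: 800, height: 600 };
  const body = fakeNode({ display: name === "hidden-parent" ? "none" : "block" }, page);
  const dropdown = fakeNode({ opacity: name === "transparent" ? "0" : "1" },
                            { left: 100, top: 100, width: 200, height: 40 }, body);
  const overlay = fakeNode({ opacity: "1" }, page, body); // e.g. a cookie banner
  const dom = {
    getStyle: (n) => n.style,
    elementAtPoint: (x, y) => {
      if (name === "covered") return overlay; // banner is drawn above everything
      const r = dropdown.rect;
      const hit = x >= r.left && x < r.left + r.width && y >= r.top && y < r.top + r.height;
      return hit ? dropdown : body;
    },
  };
  return isElementGenuinelyVisible(dropdown, dom);
}
```

Only the "visible" scenario passes; the other three are the kinds of hidden or covered UI a click should not be trusted on.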

Users won't have any idea that things have gone wrong, but this vulnerability could allow attackers to steal credit card details, personal data, login credentials including TOTP, etc.

Marek Tóth, a security researcher from the Czech Republic, discovered a series of unpatched security loopholes that hackers could exploit to run browser extension clickjacking attacks, both iframe-based and DOM-based. On websites vulnerable to XSS, subdomain takeover, web cache poisoning, etc., this could result in theft of credentials, 2FA codes, and even passkeys.

Data Impact

  • Credit Card - credit card number, expiration date, security code
  • Personal Data - name, email, phone, address, date of birth (some password managers)
  • Login credentials - username, password, TOTP (2FA)
  • Passkeys - signed assertion hijacking (authentication flow hijacking), i.e. creating a new session

The issue affected several password manager services including

  • 1Password
  • Bitwarden
  • Dashlane
  • Enpass
  • iCloud Passwords
  • Keeper
  • LastPass
  • LogMeOnce
  • NordPass
  • ProtonPass
  • RoboForm

Despite the disclosure from Tóth and proof of concepts that are available publicly, password manager services are taking their own sweet time to fix the vulnerabilities. 1Password and LastPass reportedly marked the report as informative, but haven't fixed the issues. Even Bitwarden reportedly took 4 months to patch them.

Zero-day Clickjacking impacts password managers

Dashlane, Keeper, NordPass, ProtonPass and RoboForm have fixed the issues. Cybersecurity company Socket reports that Bitwarden has shipped a fix for the clickjacking vulnerability in its version 2025.8.0 release (dated August 20). However, it may take a day or two for the update to be available in browser add-on stores.

Users are advised to disable manual autofill in their password manager extensions. In addition to this, you can set it to use only exact URL match for autofill, but it is worth noting that this can still leave credit card data and personal data exposed. In Chromium-based browsers, you can change the extension's settings under Site access to "on click". Update your password manager and its browser extension to the latest version to protect your data and credentials.

Here is a thread on Bitwarden's community forums that discusses the issues associated with clickjacking. Bitwarden recommends using alternative methods for autofill, such as the keyboard shortcut, the browser extension, the right-click menu, or drag-and-fill.

On a sidenote, many Bitwarden users are reporting repeated unauthorized access attempts into their accounts. There is no evidence to suggest this is related to the clickjacking. The more likely explanation is that the hackers got their hands on some leaked emails and passwords, and are trying to brute force their way into things, including Bitwarden. There are also reports that 2FA was bypassed on some accounts; I wonder if it has anything to do with the Authy breach over the past year.

As always, here is my recommendation for what I consider the most secure password manager. Take a look at KeePass; it is a free, open source, offline password manager that is available for Windows. It has plenty of forks for other operating systems. I can vouch for KeePassXC on Linux and macOS, KeePassium on iOS/iPadOS/macOS, and Keepass2Android Password Safe on Android. Even if you prefer a cloud-based password manager, I strongly recommend exporting a copy of your credentials into KeePass; it can be handy when your cloud app is offline, or in case you want to delete the cloud account.

Thank you for being a Ghacks reader. The post Zero-day Clickjacking exploit impacts several password managers appeared first on gHacks Technology News.
