Full Report
A cybersecurity researcher has disclosed zero-day clickjacking vulnerabilities affecting eleven major password managers, potentially exposing tens of millions of users to credential theft through a single malicious click. The research, conducted by security expert Marek Tóth, reveals that attackers can exploit these vulnerabilities to steal credit card details, personal information, login credentials, and even two-factor […] The post 0-Day Clickjacking Vulnerabilities Found in Major Password Managers like 1Password, LastPass and Others appeared first on Cyber Security News.
Analysis Summary
# Vulnerability: DOM-based Extension Clickjacking in Major Password Managers
## CVE Details
- CVE ID: Not explicitly detailed in the text provided (Reported as 0-Day, disclosure implies potential future CVEs).
- CVSS Score: Not specified.
- CWE: Likely related to improper input validation/sanitization leading to DOM manipulation (e.g., CWE-79: Cross-site Scripting, though this is an extension-specific attack vector).
## Affected Systems
- Products: 1Password, Bitwarden, LastPass, Dashlane, Keeper, NordPass, ProtonPass, RoboForm, iCloud Passwords, Enpass, LogMeOnce.
- Versions: Unspecified, but affects installations prior to vendor patches.
- Configurations: Browser extensions (Chrome, Firefox, Edge).
## Vulnerability Description
The vulnerability is a "DOM-based Extension Clickjacking" attack. Attackers can leverage malicious scripts on compromised websites to manipulate the Document Object Model (DOM) structures inserted by browser extension UIs (like those from password managers). By making these injected UI elements invisible while keeping them clickable (often via JavaScript opacity adjustments or DOM overlay techniques), an attacker can trick the user into clicking a hidden element. A single click can trigger the automatic exfiltration of sensitive data stored by the extension, such as login credentials, credit card details, personal information, and even TOTP codes.
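One extension-side mitigation for the attack described above, added here as an example and not code from the article, the researcher, or any of the named password managers: before acting on a click in its injected UI, a content script can check that the clicked element is actually visible and not covered by something else. The DOM is modelled as plain objects (assumed shape `{ style, parent }`) so the logic runs in Node; in a real content script `style` would come from `getComputedStyle(el)` and `topElementAtClick` from `document.elementFromPoint(x, y)`.

```javascript
// Added example, not the article's or any vendor's code. A content script
// owning injected autofill UI can refuse to act on a click when its element
// is hidden by styling or covered by an overlay, the two hiding techniques
// the summary describes.
const MIN_VISIBLE_OPACITY = 0.5; // assumption: fainter than this counts as hidden

// Ways one node's computed style can hide it while leaving it clickable.
function hidingReasons(style) {
  const reasons = [];
  const opacity = style.opacity === undefined ? 1 : Number(style.opacity);
  if (!(opacity >= MIN_VISIBLE_OPACITY)) reasons.push('opacity');
  if (style.visibility === 'hidden') reasons.push('visibility');
  if (style.display === 'none') reasons.push('display');
  if (/opacity\(\s*0(\.0+)?\s*\)/.test(style.filter || '')) reasons.push('filter');
  return reasons;
}

// Walk the clicked element and every ancestor: opacity:0 on a parent hides
// the whole subtree, so inspecting only the clicked node is not enough. Then
// check that nothing else is painted on top of our element at the click point.
function assessClick(clicked, topElementAtClick) {
  const findings = [];
  for (let node = clicked, depth = 0; node; node = node.parent, depth += 1) {
    for (const reason of hidingReasons(node.style || {})) {
      findings.push(`${reason} at depth ${depth}`);
    }
  }
  if (topElementAtClick !== clicked) findings.push('overlay');
  return { trusted: findings.length === 0, findings };
}

// Constructed sample DOM: page body -> extension dropdown -> menu item.
// Assumed scenario: a page script has set opacity:0 on the dropdown.
const body = { id: 'body', style: {}, parent: null };
const container = { id: 'pm-dropdown', style: { opacity: '0' }, parent: body };
const item = { id: 'pm-item', style: {}, parent: container };

// The click is rejected: { trusted: false, findings: ['opacity at depth 1'] }
const verdict = assessClick(item, item);
```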
## Exploitation
- Status: Disclosed/Reported (0-Day). The article implies that many installations remain vulnerable as of August 2025. Exploitation in the wild is not explicitly stated in this summary context, but the potential is high.
- Complexity: Medium (Requires complex DOM manipulation specific to how extensions inject UI elements).
- Attack Vector: Network (User must visit a compromised website).
## Impact
- Confidentiality: High (Theft of credentials, PII, credit card data, and 2FA codes).
- Integrity: Medium (Potential for unauthorized access/use of stolen information).
- Availability: Low (Primary impact is data loss/theft, not service disruption).
## Remediation
### Patches
Vendors that have successfully patched:
- Dashlane
- Keeper
- NordPass
- ProtonPass
- RoboForm
Vendors listed as still vulnerable as of August 2025 (requiring immediate attention/updates):
- 1Password
- Bitwarden
- LastPass
- iCloud Passwords
- Enpass
- LogMeOnce
### Workarounds
No specific workarounds are listed, but standard advice for this type of extension vulnerability would include:
1. Disabling or uninstalling the affected extensions temporarily.
2. Restricting extension permissions if possible.
3. Being extremely cautious about browsing behavior on untrusted websites until updates are applied.
## Detection
- Indicators of Compromise: Sudden unintended autofilling of forms by the password manager, unexpected data submission from the browser, or unauthorized account access following a trivial click on a website.
- Detection Methods and Tools: Monitoring browser extension network traffic for unusual POST requests or data exfiltration originating from the extension process.
## References
- Vendor advisories (Not linked directly, but vendors are named)
- Relevant links (defanged):
  - Researcher's blog detailing the research: hxxps://marektoth.com/blog/dom-based-extension-clickjacking/