Full Report
Six major password managers with tens of millions of users are currently vulnerable to unpatched clickjacking flaws that could allow attackers to steal account credentials, 2FA codes, and credit card details. [...]
Analysis Summary
# Vulnerability: Password Managers Susceptible to Credential Leakage via Clickjacking Attacks
## CVE Details
- CVE ID: Not assigned in provided text.
- CVSS Score: Not rated in provided text. Vendor perspectives suggest varying severity, with some dismissing the issue.
- CWE: Likely related to Cross-Site Request Forgery (CSRF) or UI Redressing (CWE-301 / CWE-200).
## Affected Systems
- Products: 1Password, Bitwarden, Enpass, iCloud Passwords, LastPass, LogMeOnce.
- Versions:
  - 1Password: 8.11.4.27
  - Bitwarden: 2025.7.0 (and earlier)
  - Enpass: 6.11.6 (Partial fix in 6.11.4.2)
  - iCloud Passwords: 3.1.25
  - LastPass: 4.146.3
  - LogMeOnce: 7.12.4
- Configurations: Affects password managers employing standard web-based autofill features that are susceptible to UI redressing/clickjacking techniques executed in the user's browser.
## Vulnerability Description
A security researcher demonstrated that multiple popular password managers are vulnerable to clickjacking attacks that can leak stored login credentials. The core weakness lies in how the password manager's UI elements and autofill functionality behave when they are manipulated by a cloaked malicious iframe or overlay (a classic clickjacking technique). An attacker can deceive the user into unknowingly triggering the password manager so that it submits credentials to an attacker-controlled site; the demonstrated attack adapts in real time to the victim's specific browser environment.
## Exploitation
- Status: PoC available (demonstrated by the researcher).
- Complexity: Not stated explicitly; successful testing against 11 major products and a public disclosure slot (DEF CON 33) imply the attack is practical.
- Attack Vector: Network (requires the user to visit a malicious website).
## Impact
- Confidentiality: High (Direct exposure of stored credentials).
- Integrity: Low/Medium (depending on whether the leaked credentials are used for subsequent actions).
- Availability: Low.
## Remediation
### Patches
Vendor responses and patching status vary:
* **Fixed:** Dashlane (v6.2531.1, released on August 1), NordPass, ProtonPass, RoboForm, Keeper (v17.2.0, released in July).
* **Fix released, rollout in progress:** Bitwarden (version 2025.8.0, released but pending full rollout).
* **Not confirmed fixed (as of this summary):** 1Password, LastPass, Enpass, LogMeOnce, iCloud Passwords.
### Workarounds
* Disable the autofill function within the affected password manager.
* Enter credentials only by manual copy/paste until official fixes are applied.
## Detection
- Detection methods are not explicitly detailed in the report. In general, detection would involve monitoring for unexpected credential submissions originating from seemingly benign or unrelated websites, which may be signaled by unusual network traffic to the password manager's extension or application communication endpoints.
## References
- Vendor advisories: Specific vendor advisories are not linked, but fixes were coordinated through Socket, with disclosure planned for DEF CON 33.
- Relevant links (defanged):
  - General vulnerability discussion: bleepingcomputer com/news/security/major-password-managers-can-leak-logins-in-clickjacking-attacks/