LastPass, 1Password, and Bitwarden extensions are vulnerable to clickjacking attacks
Password manager extensions face threats from unpatched clickjacking issues, risking sensitive data for 40M users.

Marek Tóth, a security researcher, disclosed vulnerabilities in browser extensions of six password managers, namely 1Password, Bitwarden, Enpass, iCloud Passwords, LastPass, and LogMeOnce, at DEF CON 33. These weaknesses, present in the latest versions tested as of August 19, 2025, could facilitate clickjacking attacks, which deceive users into clicking hidden elements, potentially exposing sensitive information like login credentials.
Clickjacking works by overlaying invisible or disguised elements on top of legitimate website content so that users unknowingly interact with controls they cannot see. Tóth extended conventional clickjacking techniques to browser extensions, using CSS properties such as 'opacity' and 'z-index' to hide or cover the password manager's injected interface.
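A defender-side check for the technique described above, as an added example that is not code from the article, the researcher, or any vendor's extension: before acting on a click in its injected autofill UI, an extension can verify that the UI is effectively visible (opacity multiplies down the ancestor chain, so opacity:0 on any ancestor hides it) and that it is the topmost element at its own centre (no higher z-index overlay). The DOM-like fixture objects and the 0.9 opacity floor are constructed assumptions.

```javascript
// Assumed threshold: below this effective opacity, treat the UI as hidden from the user.
const OPACITY_FLOOR = 0.9;

// Effective opacity = product of 'opacity' along the ancestor chain; a hidden or
// display:none ancestor hides the node entirely.
function effectiveOpacity(node) {
  let o = 1;
  for (let n = node; n; n = n.parentNode) {
    const v = parseFloat(n.style?.opacity ?? "1");
    o *= Number.isNaN(v) ? 1 : v;
    if (n.style?.visibility === "hidden" || n.style?.display === "none") return 0;
  }
  return o;
}

// Decide whether a click on `ui` should be honoured. `elementFromPoint` stands in for
// document.elementFromPoint: it returns the topmost element at (x, y), which is how a
// higher z-index overlay covering the UI is detected.
function autofillClickAllowed(ui, elementFromPoint) {
  const r = ui.getBoundingClientRect();
  if (r.width === 0 || r.height === 0) return { allowed: false, reason: "zero-size" };
  const opacity = effectiveOpacity(ui);
  if (opacity < OPACITY_FLOOR) return { allowed: false, reason: `opacity ${opacity}` };
  const top = elementFromPoint(r.left + r.width / 2, r.top + r.height / 2);
  if (top !== ui && !ui.contains(top)) return { allowed: false, reason: "overlaid" };
  return { allowed: true, reason: "visible" };
}

// Constructed stand-in for a DOM node (not a real DOM); enough for the checks above.
function makeNode(style = {}, parentNode = null, rect = { left: 0, top: 0, width: 200, height: 40 }) {
  const node = { style, parentNode, getBoundingClientRect: () => rect };
  node.contains = (other) => {
    for (let n = other; n; n = n.parentNode) if (n === node) return true;
    return false;
  };
  return node;
}

// Three constructed scenarios: an honest page, a page that zeroes the opacity of the
// UI's parent, and a page that covers the UI with a higher-stacked decoy element.
function demo() {
  const body = makeNode();
  const honest = makeNode({}, body);
  const jacked = makeNode({}, makeNode({ opacity: "0" }, body));
  const decoy = makeNode({ zIndex: "9999" }, body);
  return {
    honest: autofillClickAllowed(honest, () => honest),
    opacityZero: autofillClickAllowed(jacked, () => jacked),
    overlaid: autofillClickAllowed(honest, () => decoy),
  };
}
```

Real extensions would run the equivalent against the live DOM, with `document.elementFromPoint` and `getComputedStyle` supplying the values the fixtures hard-code here.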
Although Tóth notified the affected companies in April 2025, responses varied: Bitwarden promptly released a fix in version 2025.8.0, which is now being rolled out across browsers, whereas 1Password and LastPass initially classified the reports as informative, placing them outside the scope of an immediate fix.
Of the 11 products tested, every password manager exhibited at least one vulnerability. Tóth's research made the severity of the flaws clear, prompting cybersecurity firm Socket to work with vendors on assigning Common Vulnerabilities and Exposures (CVE) IDs. Tóth also shared proof-of-concept demos showing successful exploitation against multiple platforms.
Other vendors, including Dashlane, NordPass, and Proton Pass, responded quickly with patches, unlike some of the affected platforms, which together serve 40 million users. Until vendors ship confirmed fixes, users are advised to disable autofill in their extensions and browse cautiously to keep sensitive data from leaking this way.
Sources: TechSpot, DEF CON, Bleeping Computer