A comprehensive security research study has uncovered serious clickjacking vulnerabilities in six of the world’s most widely-used password managers, potentially exposing sensitive data of approximately 40 million users worldwide. These critical flaws enable cybercriminals to steal passwords, two-factor authentication codes, and confidential banking information through sophisticated overlay attacks.
Research Findings and Affected Password Managers
Independent security researcher Marek Toth first presented these findings at the DEF CON 33 hacker conference, with subsequent validation and coordination assistance from Socket security experts. The investigation revealed vulnerabilities in the browser versions of several major password management platforms.
The affected password managers include 1Password, Bitwarden, Enpass, iCloud Passwords, LastPass, and LogMeOnce. The collective user base of these compromised platforms represents a significant portion of the global password management market, making this discovery a critical cybersecurity concern.
Understanding Clickjacking Attack Mechanisms
The attack is delivered from a malicious web page, or from a legitimate site that an attacker has compromised through XSS or cache poisoning. A specially crafted script places invisible HTML elements over the password manager’s user interface, so that clicks the user intends for the visible page land on the manager’s controls instead.
Victims believe they are engaging with legitimate page elements such as cookie banners, pop-up windows, or CAPTCHA verifications. However, they are actually activating hidden autofill controls that expose their confidential information to attackers without their knowledge or consent.
Advanced Exploitation Techniques
The research demonstrated multiple sophisticated attack vectors that highlight the complexity of these vulnerabilities:
Attackers can manipulate DOM element transparency directly, alter root and parent element opacity, implement partial or complete interface overlays, and deploy dynamic UI elements that follow the victim’s mouse cursor. Most concerning is the malicious script’s ability to automatically detect the active password manager in the victim’s browser and adapt the attack strategy in real-time.
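As an added, defender's-side illustration of the techniques described in the two passages above (transparent or hidden parent elements, and overlays painted over the manager's UI), not code from the article or from any vendor: a JavaScript check an extension could apply before it acts on a click on its autofill control. It assumes only a control element and a window-like object; the small DOM stand-in is constructed so the example runs offline.

```javascript
// Added example, not code from the article or any password manager: a
// defensive check an extension could run before honouring a click on its
// autofill control, flagging a transparent/hidden ancestor or an element
// painted over the control. The DOM stand-in below is constructed for offline use.

const OPACITY_FLOOR = 0.99; // assumption: below this the control is effectively invisible

function isObscured(el, win) {
  // Walk from the control to the root: a transparent or hidden ancestor hides it too.
  for (let node = el; node; node = node.parentElement) {
    const style = win.getComputedStyle(node);
    if (style.visibility === "hidden" || style.display === "none") {
      return { obscured: true, reason: `hidden via ${node.id}` };
    }
    if (parseFloat(style.opacity) < OPACITY_FLOOR) {
      return { obscured: true, reason: `low opacity on ${node.id}` };
    }
  }
  // Hit-test the control's centre: whatever is painted on top receives the click.
  const r = el.getBoundingClientRect();
  const top = win.document.elementFromPoint(r.left + r.width / 2, r.top + r.height / 2);
  if (top !== el && !el.contains(top)) {
    return { obscured: true, reason: `covered by ${top ? top.id : "nothing"}` };
  }
  return { obscured: false, reason: "visible and unobstructed" };
}

// Constructed stand-in for the browser objects isObscured touches.
function makeNode(id, style, parentElement) {
  const rect = { left: 100, top: 100, width: 200, height: 40 };
  const node = { id, style, parentElement, getBoundingClientRect: () => rect };
  node.contains = (o) => { for (let n = o; n; n = n.parentElement) if (n === node) return true; return false; };
  return node;
}
const makeWindow = (topmost) => ({
  getComputedStyle: (n) => n.style,
  document: { elementFromPoint: () => topmost },
});

function demo() {
  const root = makeNode("html", { opacity: "1" }, null);
  const control = makeNode("autofill-menu", { opacity: "1" }, root);
  const ok = isObscured(control, makeWindow(control));
  // Parent made transparent: the "alter parent element opacity" technique.
  const wrapper = makeNode("wrapper", { opacity: "0" }, root);
  const hidden = isObscured(makeNode("autofill-menu", { opacity: "1" }, wrapper), makeWindow(control));
  // A fake cookie banner painted over the control.
  const covered = isObscured(control, makeWindow(makeNode("cookie-banner", { opacity: "1" }, root)));
  return { ok, hidden, covered };
}
```

In a real extension the control often lives in a shadow root or an iframe, so elementFromPoint must be called on the document that actually owns the control, and the check should run on every click rather than once at render time.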
Vendor Response and Patch Status
Despite all affected vendors being notified in April 2025, the industry response has been inconsistent. 1Password classified the report as “informational,” suggesting that protection against clickjacking should be the user’s responsibility rather than fixing the underlying vulnerability in the product.
LastPass initially dismissed the findings but later implemented popup notifications before autofilling banking credentials. Bitwarden acknowledged the security issue and released fixes in version 2025.8.0, demonstrating a more proactive approach to user security.
Successful Security Updates
Several password manager providers responded promptly with effective security patches. Dashlane released version 6.2531.1 on August 1st, while NordPass, ProtonPass, and RoboForm have all implemented comprehensive fixes. Keeper Security addressed the vulnerabilities in version 17.2.0, released in July.
Essential Protection Strategies
Security experts strongly recommend that users disable autofill functionality in their password managers and rely exclusively on manual copy-paste operations for sensitive data entry. This approach significantly reduces exposure to clickjacking attacks while maintaining password management benefits.
Regular updates of browser extensions remain crucial for maintaining optimal security posture. Users should enable automatic updates where possible and regularly verify they are running the latest versions of their password management tools.
This research underscores the importance of proactive security measures from both developers and end users. Finding and remediating such vulnerabilities remains an ongoing challenge in defending against increasingly sophisticated threats, and organizations and individuals alike must stay vigilant and responsive to emerging risks.