
Understanding Clickjacking Threats to Password Managers
Clickjacking attacks pose a growing challenge to the security of password managers, which many people depend on to protect their digital identities. These attacks trick users into clicking hidden or disguised page elements, triggering actions the user never intended. For password managers, that means clickjacking can expose sensitive data such as login credentials and two-factor authentication codes. Attackers typically achieve this by overlaying invisible HTML elements on the password manager's interface, either on a page they control or on a site affected by a vulnerability such as cross-site scripting (XSS), which lets attackers inject scripts into web pages, or cache poisoning, in which attackers manipulate cached content so that malicious pages are served (BleepingComputer).
Understanding Clickjacking Vulnerabilities in Password Managers
Clickjacking Mechanics and Exploitation Techniques
Clickjacking is a user-interface deception attack in which users are tricked into clicking something other than what they see, leading to unintended actions or data exposure. Against password managers, it works by overlaying invisible HTML elements on the manager's interface, which an attacker can do on a malicious website or on a legitimate site that is vulnerable to XSS or cache poisoning. By manipulating element transparency, the attacker renders the password manager's autofill dropdown invisible while it still receives clicks, so users unknowingly trigger autofill actions that leak account credentials, 2FA codes and credit card details (BleepingComputer).
Variants of Clickjacking Attacks
Researcher Marek Tóth identified several DOM-based subtypes of clickjacking, each exploiting different parts of the Document Object Model (DOM) to achieve malicious outcomes. These include:
- Direct DOM Element Opacity Manipulation: Changing the opacity of the specific autofill element itself so that it is rendered invisible.
- Root Element Opacity Manipulation: Adjusting the opacity of the document's root element, which makes every child element invisible in turn.
- Parent Element Opacity Manipulation: Reducing the opacity of a parent element, which hides its child elements.
- Partial or Full Overlaying: Placing elements partially or fully over the password manager interface so that users click hidden elements.
In addition, Tóth demonstrated a method in which the autofill interface follows the mouse cursor, so that any user click, wherever it lands, triggers autofill (BleepingComputer).
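As an added illustration (not code from the article, the researcher or any vendor), here is a defensive visibility gate a password manager could apply before honouring a click on its autofill dropdown, modelled on the opacity and overlay variants listed above. The element model, the `styleOf` accessor and the `elementAtPoint` hook are assumptions standing in for the real DOM, `getComputedStyle` and `document.elementFromPoint` so that it runs outside a browser; the cursor-following variant is not addressed by this check.

```javascript
// Constructed element model standing in for DOM nodes (assumption: a browser
// version would use real Elements, getComputedStyle and document.elementFromPoint).
function makeEl(name, style, parent = null) {
  const el = { name, style, parentElement: parent, children: [] };
  el.contains = (other) => {
    for (let n = other; n; n = n.parentElement) if (n === el) return true;
    return false;
  };
  if (parent) parent.children.push(el);
  return el;
}

// Product of opacity along the ancestor chain: one pass covers the
// direct-element, parent-element and root-element opacity variants.
function effectiveOpacity(el, styleOf) {
  let opacity = 1;
  for (let node = el; node; node = node.parentElement) {
    const s = styleOf(node);
    if (s.visibility === 'hidden' || s.display === 'none') return 0;
    opacity *= Number(s.opacity ?? 1); // computed opacity is a string, e.g. "0.02"
    if (opacity === 0) return 0;
  }
  return opacity;
}

// Only autofill when the dropdown is both visibly rendered and the topmost
// element under the click point (the partial/full overlay variant).
function isSafeToAutofill(dropdown, click, styleOf, elementAtPoint, minOpacity = 0.5) {
  if (effectiveOpacity(dropdown, styleOf) < minOpacity) {
    return { ok: false, reason: 'dropdown is rendered (near) invisible' };
  }
  const top = elementAtPoint(click.x, click.y);
  if (top !== dropdown && !dropdown.contains(top)) {
    return { ok: false, reason: 'another element sits on top of the click point' };
  }
  return { ok: true, reason: 'dropdown visible and topmost' };
}

// Constructed scenarios: an honest page versus root-opacity and overlay cases.
function scenario(rootOpacity, overlayCovers) {
  const root = makeEl('html', { opacity: String(rootOpacity) });
  const host = makeEl('div#pm-host', { opacity: '1' }, root);
  const dropdown = makeEl('div#pm-dropdown', { opacity: '1' }, host);
  const overlay = makeEl('div#covering-overlay', { opacity: '1' }, root);
  const styleOf = (el) => el.style;
  const elementAtPoint = () => (overlayCovers ? overlay : dropdown);
  return isSafeToAutofill(dropdown, { x: 10, y: 10 }, styleOf, elementAtPoint);
}
```

The threshold `minOpacity` is a tunable assumption; the important property is that it rejects the near-zero values the opacity variants rely on.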
Universal Attack Scripts and Real-Time Adaptation
A key aspect of these clickjacking vulnerabilities is the use of a universal attack script: a single script that detects which password manager is active in the target's browser and adapts the attack to that manager in real time. This adaptability increases the attack's effectiveness, since the exploit is tailored to the specific password manager in use rather than written for one product, and it highlights both the sophistication and the potential breadth of impact of these vulnerabilities (BleepingComputer).
Vendor Responses and Mitigation Efforts
After discovering these vulnerabilities, researcher Marek Tóth, with the help of cybersecurity company Socket, notified the affected vendors in April 2025, with public disclosure planned for August at DEF CON 33. The responses from vendors varied:
- 1Password: Rejected the report, categorizing it as “out-of-scope/informative,” suggesting that clickjacking is a general web risk that users should mitigate.
- LastPass: Marked the report as “informative,” without indicating plans for immediate remediation.
- Bitwarden: Acknowledged the issues but downplayed their severity, although they have since fixed the issues in version 2025.8.0.
- LogMeOnce: Did not respond to any communication attempts.
Other vendors, such as Dashlane, NordPass, ProtonPass, RoboForm, and Keeper, have implemented fixes, with Dashlane releasing version 6.2531.1 on August 1, and Keeper releasing version 17.2.0 in July (BleepingComputer).
Current Vulnerability Status and Recommendations
As of August 20, 2025, several password managers remain vulnerable to clickjacking attacks. The affected versions include:
- 1Password: Version 8.11.4.27
- Bitwarden: Version 2025.7.0
- Enpass: Version 6.11.6 (partial fix implemented in 6.11.4.2)
- iCloud Passwords: Version 3.1.25
- LastPass: Version 4.146.3
- LogMeOnce: Version 7.12.4
To reduce the risk of exploitation, users are advised to disable the autofill function in their password managers and instead copy and paste sensitive information into forms. This precaution can help prevent unauthorized data exposure until vendors release comprehensive fixes (BleepingComputer).
In summary, the clickjacking vulnerabilities in major password managers highlight the need for continuous vigilance and proactive security measures. Users must stay informed about potential risks and apply recommended security practices to safeguard their sensitive information.
Final Thoughts
The vulnerabilities exposed by clickjacking attacks on password managers underscore the critical need for ongoing vigilance and proactive security measures. While some vendors have responded with fixes, others have been slower to act, leaving users at risk. It is essential for users to stay informed and adopt recommended security practices, such as disabling autofill features, to protect their sensitive information. As the landscape of cybersecurity continues to evolve, both users and developers must remain alert to emerging threats and work collaboratively to enhance security protocols (BleepingComputer).
References
- Major password managers can leak logins in clickjacking attacks, 2025, BleepingComputer https://www.bleepingcomputer.com/news/security/major-password-managers-can-leak-logins-in-clickjacking-attacks/