Popular Password Managers Vulnerable to Clickjacking Login Leaks

Summary
– Six major password managers with tens of millions of users are vulnerable to unpatched clickjacking flaws that could leak credentials, 2FA codes, and credit card details.
– Attackers exploit these flaws by overlaying invisible HTML elements on malicious or compromised websites, tricking users into triggering autofill actions that expose sensitive data.
– Independent researcher Marek Tóth discovered and presented these vulnerabilities at DEF CON 33, affecting 1Password, Bitwarden, Enpass, iCloud Passwords, LastPass, and LogMeOnce.
– Some vendors like Dashlane, NordPass, ProtonPass, RoboForm, and Keeper have implemented fixes, while others have downplayed the issue or not responded.
– Until fixes are available, users are advised to disable autofill in their password managers and use copy/paste instead to mitigate risks.
Six widely used password managers with tens of millions of combined users remain susceptible to unpatched clickjacking vulnerabilities, potentially exposing account credentials, two-factor authentication codes, and credit card information. These security gaps can be exploited when users visit malicious or compromised websites, where attackers deploy invisible overlays to trick victims into unintentionally triggering autofill actions.
Independent researcher Marek Tóth revealed these flaws at the recent DEF CON 33 conference. Cybersecurity firm Socket later confirmed the findings and assisted in notifying affected vendors while coordinating public disclosure. The investigation targeted browser-based versions of 1Password, Bitwarden, Enpass, iCloud Passwords, LastPass, and LogMeOnce, all of which were found to leak sensitive data under specific conditions.
Attackers execute these exploits by running scripts on harmful or vulnerable sites, using opacity settings or pointer-event manipulations to conceal the autofill dropdown menu of a password manager. Fake elements like cookie banners or CAPTCHA prompts are then overlaid, so user clicks interact with hidden password manager controls, completing forms with private data without the user’s awareness.
Tóth demonstrated several DOM-based attack subtypes, including direct and parent element opacity manipulation, along with full or partial overlays. One method even involved a user interface that follows the mouse cursor, ensuring any click triggers autofill regardless of its position. A universal script can identify which password manager is active in the user’s browser and adapt the attack dynamically.
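To make the overlay pattern above concrete from the defender's side, here is an added example (not code from the article, the researcher, or any vendor) of a heuristic check for the DOM conditions it relies on: an interactive element that is effectively invisible (its own opacity, or an ancestor's, near zero) yet still able to receive clicks, sitting in the same screen area as a visible element the user would believe they are clicking. It runs on a constructed snapshot of element geometry and styles so it works in Node without a DOM; in a browser extension the same records would be taken from getBoundingClientRect() and getComputedStyle(), and the cursor-following variant would be caught by re-running the check on each mutation or mousemove rather than once. Field names and sample element ids are this example's own assumptions.

```javascript
// Heuristic detector for invisible-overlay clickjacking of autofill UI.
// Added example, not from the article or any password manager's code base.

const OPACITY_THRESHOLD = 0.1; // below this an element is treated as invisible to the user

// Constructed snapshot of a page: a visible "cookie banner" with a click-through
// style covers an autofill dropdown whose wrapper has been made nearly transparent.
// Each record mimics getBoundingClientRect()/getComputedStyle() output (assumed shape).
const SAMPLE_ELEMENTS = [
  { id: "body", tag: "body", parent: null, rect: { x: 0, y: 0, w: 800, h: 600 }, opacity: 1, pointerEvents: "auto", zIndex: 0, interactive: false },
  { id: "username", tag: "input", parent: "body", rect: { x: 100, y: 50, w: 300, h: 40 }, opacity: 1, pointerEvents: "auto", zIndex: 0, interactive: true },
  { id: "pm-dropdown-wrap", tag: "div", parent: "body", rect: { x: 100, y: 120, w: 300, h: 200 }, opacity: 0.01, pointerEvents: "auto", zIndex: 10000, interactive: false },
  { id: "pm-dropdown", tag: "div", parent: "pm-dropdown-wrap", rect: { x: 100, y: 120, w: 300, h: 200 }, opacity: 1, pointerEvents: "auto", zIndex: 10000, interactive: true },
  { id: "cookie-banner", tag: "div", parent: "body", rect: { x: 0, y: 100, w: 800, h: 300 }, opacity: 1, pointerEvents: "none", zIndex: 9999, interactive: false },
  { id: "accept-btn", tag: "button", parent: "cookie-banner", rect: { x: 300, y: 250, w: 120, h: 40 }, opacity: 1, pointerEvents: "inherit", zIndex: 9999, interactive: true },
  { id: "footer", tag: "div", parent: "body", rect: { x: 0, y: 500, w: 800, h: 100 }, opacity: 1, pointerEvents: "auto", zIndex: 0, interactive: false },
];

function indexById(elements) {
  const byId = new Map();
  for (const el of elements) byId.set(el.id, el);
  return byId;
}

// Opacity as the user perceives it: the product along the ancestor chain, which is
// why setting opacity on a parent hides a child just as well as setting it directly.
function effectiveOpacity(el, byId) {
  let opacity = 1;
  for (let cur = el; cur; cur = cur.parent ? byId.get(cur.parent) : null) opacity *= cur.opacity;
  return opacity;
}

// pointer-events is inherited, so walk up to the nearest explicit value.
function effectivePointerEvents(el, byId) {
  for (let cur = el; cur; cur = cur.parent ? byId.get(cur.parent) : null) {
    if (cur.pointerEvents !== "inherit") return cur.pointerEvents;
  }
  return "auto";
}

function rectsOverlap(a, b) {
  return a.x < b.x + b.w && b.x < a.x + a.w && a.y < b.y + b.h && b.y < a.y + a.h;
}

// Returns one finding per (hidden interactive element, visible decoy) pair where a click
// aimed at the decoy would actually land on the hidden element.
function findSuspiciousOverlays(elements) {
  const byId = indexById(elements);
  const findings = [];
  for (const hidden of elements) {
    if (!hidden.interactive) continue;
    if (effectiveOpacity(hidden, byId) >= OPACITY_THRESHOLD) continue; // visible, nothing to hide
    if (effectivePointerEvents(hidden, byId) === "none") continue;     // cannot receive clicks anyway
    for (const decoy of elements) {
      if (decoy === hidden || decoy.parent === null) continue;        // skip self and the root
      if (effectiveOpacity(decoy, byId) < OPACITY_THRESHOLD) continue; // decoy must be what the user sees
      if (!rectsOverlap(hidden.rect, decoy.rect)) continue;
      let reason = null;
      if (effectivePointerEvents(decoy, byId) === "none") {
        reason = "visible element is click-through (pointer-events: none) over a hidden interactive element";
      } else if (hidden.zIndex > decoy.zIndex) {
        reason = "hidden interactive element is stacked above the visible element";
      }
      if (reason) findings.push({ hidden: hidden.id, decoy: decoy.id, reason });
    }
  }
  return findings;
}

// Stand-alone run: prints the two findings for the constructed page.
console.log(JSON.stringify(findSuspiciousOverlays(SAMPLE_ELEMENTS), null, 2));
```

The check deliberately keys on the combination of conditions rather than any single style, since near-zero opacity or pointer-events: none each have legitimate uses; only the pairing of a click-receiving invisible control with a visible decoy in the same area is the signature worth alerting on or, in an extension, worth refusing to autofill under.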
All eleven password managers tested were vulnerable to at least one attack method. Vendors were initially notified in April 2025, with public disclosure scheduled for August. Socket recently reached out again to inform companies that CVEs would be filed for their products.
Responses from vendors varied significantly. 1Password dismissed the report as “out-of-scope/informative,” arguing that clickjacking represents a general web risk rather than a specific flaw in their software. LastPass also labeled it “informative,” while Bitwarden acknowledged the issue but downplayed its severity, noting that a fix was included in version 2025.8.0, released this week. LogMeOnce did not respond to any communication attempts.
The following versions remain vulnerable:
- 1Password 8.11.4.27
- Bitwarden 2025.7.0
- Enpass 6.11.6 (partial fix in 6.11.4.2)
- iCloud Passwords 3.1.25
- LastPass 4.146.3
- LogMeOnce 7.12.4
In contrast, Dashlane, NordPass, ProtonPass, RoboForm, and Keeper have already implemented fixes. Users are advised to verify they are running the latest versions of these applications.
Until patches are widely available, Tóth recommends disabling autofill features entirely and relying on manual copy-and-paste for filling credentials.
Following publication, LastPass and LogMeOnce contacted BleepingComputer to confirm they are working on resolutions. LastPass emphasized their existing safeguards, such as pop-up notifications before autofilling payment details, and encouraged users to stay vigilant and keep software updated.
1Password reiterated that clickjacking is a broad browser-level issue without a complete technical fix from extensions alone. They highlighted upcoming features that will allow users to enable confirmation prompts for autofill actions, providing greater control over data sharing.
Users of affected password managers should exercise caution online, avoid interacting with suspicious overlays, and ensure their software is updated as soon as patches become available.
(Source: Bleeping Computer)
