- Multiple password managers are vulnerable to a new attack
- The attack abuses opacity settings and autofill capabilities
- It can steal passwords, 2FA codes and credit card details
At the recent DEF CON 33 conference, independent researcher Marek Tóth presented a clickjacking attack that, according to him, could exploit the autofill capabilities of six of the largest password managers.
The attack can steal passwords, 2FA codes and credit card details, so it is a serious concern for the tens of millions of password manager users.
Tóth tested the attack against 1Password, Bitwarden, Enpass, iCloud Passwords, LastPass and LogMeOnce, and found that the browser-based variants could leak stored data under the right conditions.
Major password managers at risk
The attack relies on a website that uses opacity settings, overlays or pointer events to make the web-based password manager's autofill prompt invisible. The website can be a malicious site or a legitimate site that has been compromised.
The attacker then uses a pop-up or CAPTCHA that deliberately positions the user's clicks over the hidden password manager controls, which fills the stored credentials into the form so they can be stolen.
What makes this attack vector even more worrying is that the attacker could use a universal attack script to identify the active password manager in the web browser and tailor the attack to target it specifically.
Other variations of the attack were demonstrated at DEF CON 33, including several DOM-based subtypes that abuse opacity on the element itself, on a parent element, on the root, and at the overlay level, as well as an attack that can trigger autofill wherever the cursor is placed.
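As an added illustration of the defensive side (example code, not from the article or from any of the vendors named), the following heuristic is what a password manager extension could run on the input that triggered an autofill prompt before rendering the prompt: it multiplies opacity down the ancestor chain and flags the DOM-based hiding subtypes listed above, plus an overlay covering the field. The style records are assumed to come from `getComputedStyle()`, and the 0.1 opacity floor is an assumed threshold.

```javascript
// Assumed threshold: an effective opacity below this is treated as "hidden".
const OPACITY_FLOOR = 0.1;

// styleChain: computed styles for the element and then each ancestor
// (innermost first). Opacity is multiplicative down the chain, so a nearly
// transparent <html>, parent or wrapper hides the field just as well as
// opacity on the field itself.
function classifyVisibility(styleChain) {
  let effectiveOpacity = 1;
  const reasons = [];
  styleChain.forEach((s, depth) => {
    const o = parseFloat(s.opacity);
    if (!Number.isNaN(o)) effectiveOpacity *= o;
    if (s.visibility === 'hidden' || s.display === 'none') {
      reasons.push(`hidden-at-depth-${depth}`);
    }
    if (s.pointerEvents === 'none') {
      reasons.push(`pointer-events-none-at-depth-${depth}`);
    }
  });
  if (effectiveOpacity < OPACITY_FLOOR) {
    reasons.push(`effective-opacity-${effectiveOpacity.toFixed(2)}`);
  }
  return { visible: reasons.length === 0, effectiveOpacity, reasons };
}

// Browser wrapper (hypothetical extension hook): gather the real style chain
// for an input and also check that the input is what actually sits at its
// own centre. A decoy CAPTCHA or pop-up stacked over the field is returned by
// elementFromPoint instead of the field, which reveals the overlay subtype.
function autofillAllowed(el) {
  const chain = [];
  for (let n = el; n && n.nodeType === 1; n = n.parentElement) {
    chain.push(getComputedStyle(n));
  }
  const verdict = classifyVisibility(chain);
  const r = el.getBoundingClientRect();
  const hit = document.elementFromPoint(r.left + r.width / 2, r.top + r.height / 2);
  if (hit !== el && !el.contains(hit)) verdict.reasons.push('covered-by-overlay');
  verdict.visible = verdict.reasons.length === 0;
  return verdict;
}
```

When `visible` is false the extension would fall back to an explicit confirmation prompt rather than filling silently, which is the same control the vendor statements below describe for payment data.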
Tóth notified the companies whose products he tested in April 2025, also stating that public disclosure would take place at DEF CON 33 in August. Cybersecurity researchers at Socket verified Tóth's methods and helped notify the affected password managers.
Several password managers remain vulnerable to the attack, including these versions:
- 1Password 8.11.4.27
- Bitwarden 2025.7.0
- Enpass 6.11.6 (partial fix implemented in 6.11.4.2)
- iCloud Passwords 3.1.25
- LastPass 4.146.3
- LogMeOnce 7.12.4
The latest versions of Dashlane, NordPass, Proton Pass, RoboForm and Keeper have been patched against the attack vector Tóth demonstrated. LastPass and LogMeOnce are currently working on fixes for the attack.
Several companies sent comments to BleepingComputer after the article was published.
LastPass:
“We appreciate the work of security researchers such as Marek Tóth, who help raise awareness of potential threats and improve security across the entire industry. The clickjacking vulnerability Marek discovered highlights a broader challenge that all password managers face: striking the right balance between user experience and convenience while addressing evolving threat models.
LastPass has implemented certain clickjacking safeguards, including a pop-up notification that appears before automatically filling credit cards and personal details on all sites, and we are committed to exploring ways to protect users even further while continuing to preserve the experience our customers expect.
Meanwhile, our Threat Intelligence, Mitigation and Escalation (TIME) team encourages all password manager users to remain vigilant, avoid interacting with suspicious overlays or pop-ups, and keep their LastPass extensions updated.”
1Password:
“Clickjacking is not unique to the 1Password browser extension. It is a long-standing web attack technique that broadly affects websites and browser extensions. Because the underlying problem lies in the way browsers render web pages, we believe there is no comprehensive technical solution that browser extensions can deliver on their own.
We take these security concerns seriously, and our approach to this particular risk is focused on giving customers more control. 1Password already requires confirmation before autofilling payment information, and in our next release we are expanding that protection so users can choose to enable confirmation prompts for other data types. This helps users stay informed when autofill occurs and in control of their data.” – Jacob Sports, CISO at 1Password.