
Uncovered 0-Day Clickjacking Weaknesses in Prominent Password Managers such as 1Password, LastPass, and Others

A security researcher has disclosed previously unknown clickjacking vulnerabilities in a dozen prominent password managers, putting the data of many millions of users at risk.

In groundbreaking research by Marek Tóth, eleven major password managers were found to be vulnerable to zero-day clickjacking attacks. The technique, called DOM-based Extension Clickjacking, abuses the user interface elements that password manager extensions inject into a webpage's DOM.

The attack relies on a malicious page's script hiding the extension's injected UI elements, typically by adjusting their opacity or covering them with other DOM elements. A user who believes they are clicking on something harmless actually triggers the hidden or transparent element, which can lead to the exfiltration of sensitive data such as credentials, two-factor authentication codes, credit card details, and personal information.
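As an added illustration (not code from the research or from any vendor's extension), the check below is one a content script could run before honouring a click on its injected autofill element: it refuses to act if any ancestor hides the element or if a hit test shows something else on top of it. The `env` parameter and the 0.1 opacity threshold are assumptions chosen so the check can also run outside a browser.

```javascript
// Defensive visibility check for an extension's injected UI (illustrative,
// not any vendor's real implementation). A DOM-based extension clickjacking
// page hides the injected element (opacity, visibility, overlay) and lets the
// victim click it; an extension that verifies the element is really rendered
// and on top before acting on a click closes that path.

// Illustrative threshold (assumption): anything fainter than this counts as hidden.
const MIN_OPACITY = 0.1;

// Walk from the element up to the document root; any ancestor can hide it.
function findHidingAncestor(el, getComputedStyle) {
  for (let node = el; node; node = node.parentElement) {
    const s = getComputedStyle(node);
    if (s.display === 'none') return { node, reason: 'display:none' };
    if (s.visibility === 'hidden') return { node, reason: 'visibility:hidden' };
    if (parseFloat(s.opacity) < MIN_OPACITY) return { node, reason: 'opacity' };
  }
  return null;
}

// Hit-test the element's centre: if another element is topmost there, an
// overlay sits between the user's pointer and our UI.
function isCoveredAtCenter(el, elementFromPoint) {
  const r = el.getBoundingClientRect();
  if (r.width === 0 || r.height === 0) return true;   // zero-sized: effectively hidden
  const top = elementFromPoint(r.left + r.width / 2, r.top + r.height / 2);
  if (!top) return true;                               // outside the viewport
  return !(top === el || el.contains(top));
}

// `env` supplies the DOM hooks so the check can run outside a browser (assumption);
// in a content script call checkInjectedUi(el) and the browser defaults are used.
// If the UI lives in a shadow root, pass shadowRoot.elementFromPoint instead.
function checkInjectedUi(el, env = {
  getComputedStyle: (n) => window.getComputedStyle(n),
  elementFromPoint: (x, y) => document.elementFromPoint(x, y),
}) {
  const hider = findHidingAncestor(el, env.getComputedStyle);
  if (hider) return { ok: false, reason: hider.reason };
  if (isCoveredAtCenter(el, env.elementFromPoint)) return { ok: false, reason: 'covered' };
  return { ok: true, reason: null };
}

// Usage in the click handler of the injected element (browser only):
// dropdown.addEventListener('click', (e) => {
//   const v = checkInjectedUi(dropdown);
//   if (!v.ok) { e.stopImmediatePropagation(); console.warn('autofill blocked:', v.reason); return; }
//   fillCredentials();
// });
```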

Following responsible disclosure in April 2025, Dashlane, Keeper, NordPass, ProtonPass, and RoboForm have successfully patched their extensions against the described attack methods. However, iCloud Passwords, Enpass, and LogMeOnce remain vulnerable, potentially affecting approximately 32.7 million active installations.

Users can take several protective measures:

  1. Disabling Autofill: Turn off the autofill functionality in password manager browser extensions until patches or updates are available. Autofill is the attack vector exploited by clickjacking.
  2. Avoid Clicking on Unknown or Suspicious Sites: Since the attack depends on malicious or attacker-controlled websites to trick users into clicking, avoid interacting with unfamiliar webpages or embedded content whose trustworthiness cannot be verified.
  3. Keep Extensions Updated: Monitor for official security patches from password manager vendors and update extensions regularly once fixes are released to mitigate these vulnerabilities.
  4. Use Alternative Authentication When Possible: Where feasible, manually enter credentials or use hardware authenticators instead of relying solely on autofill for sensitive sites during the vulnerability window.

For Chromium-based browsers, security experts recommend configuring extension site access to "on click" rather than automatic access, giving users manual control over autofill functionality. This measure can provide an additional layer of protection against these attacks.

The discovery of these vulnerabilities underscores the evolving nature of web security threats and the need for continuous security research in browser extension ecosystems. Ensuring the resilience of password managers against sophisticated client-side attacks is crucial for protecting millions of users' sensitive data, as they become increasingly central to digital security practices.
