Password managers are often hailed as one of the most crucial tools for cybersecurity, helping users manage unique and complex logins across the web. But new research has revealed that even these trusted tools are not immune to exploitation.
At Defcon 33, Czech security researcher Marek Tóth demonstrated how a clickjacking attack can be used to trick browser extensions of popular password managers into leaking sensitive data, including usernames, passwords, credit card details, and even one-time passcodes.
How The Attack Works
Clickjacking relies on deception: attackers overlay invisible or nearly transparent elements on top of legitimate buttons or forms, so that when users believe they’re clicking a harmless CAPTCHA or cookie banner, they are in fact interacting with hidden malicious code.
Tóth’s demo showed that password managers with auto-fill enabled can be tricked into invisibly filling out forms controlled by attackers. The stealthy design makes the autofill window invisible to the victim, leaving no clue that their private information has just been harvested.
While this isn’t a flaw unique to password managers—clickjacking is a broader web-based attack—the Document Object Model (DOM)-based method demonstrated is a new way to target browser extensions specifically.
Which Password Managers Are Vulnerable?
Tóth tested multiple services, including 1Password, Bitwarden, Dashlane, Enpass, iCloud Passwords, Keeper, LastPass, NordPass, ProtonPass, RoboForm, and others.
Results showed that in many cases, non-domain-specific data such as names, addresses, or payment card details could be stolen through maliciously designed websites. In more advanced attacks involving cross-site scripting or subdomain takeovers, even full credentials and two-factor data could be exposed.
The good news is that patches are already rolling out.
- Patched/updated: Dashlane, Keeper, NordPass, ProtonPass, RoboForm, LastPass, Bitwarden (2025.8.0), and Enpass.
- Pending fixes: iCloud Passwords and some smaller services.
What Users Can Do To Stay Safe
Until fixes are fully deployed, users can take precautions:
- Update your extensions immediately – enable auto-updates where possible.
- Disable autofill in browser extensions; instead, manually enter credentials or copy/paste with caution.
- Enable “Exact URL Match” settings to prevent credentials from leaking across subdomains.
- In Chromium browsers, set extensions to activate “On click” instead of on all websites.
- Stay alert to suspicious overlays, CAPTCHAs, and pop-ups.
A Delicate Trade-Off
Cybersecurity experts note that while disabling autofill reduces the risk of clickjacking, copying and pasting passwords carries its own dangers—such as keyloggers capturing keystrokes or clipboard data. Providers like 1Password and LastPass have responded by adding pop-up confirmations before autofill, striking a balance between security and usability.
The Bigger Picture
This discovery underscores a simple truth: no tool is 100% safe. Password managers remain one of the strongest defenses against weak or reused passwords; however, users should remember that they’re not invincible. Vigilance, updates, and smart settings are crucial to maintaining security.
As Tóth highlighted, the safest, but least convenient, solution would be for extensions to always require a visible confirmation window before autofilling. Until then, awareness and updated software remain the best protection.
