Zero-Day Clickjacking Vulnerabilities in Major Password Managers

Hey y’all :waving_hand:

First post on Privacy Guides. And not a small one.

(If you saw my first attempt, I may have triggered the spam filter by mistake - mods, you can delete my first hidden thread)

Long story short: if you’re using a password manager with a browser extension, your data might (have) be(en) at risk.

A security vulnerability has been discovered in many popular password managers, including 1Password, Bitwarden, Dashlane, EnPass, iCloud Passwords, Keeper, LastPass, LogMeOnce, NordPass, Proton Pass and Roboform.

If you’re using Dashlane, Keeper, NordPass, Proton Pass or Roboform, make sure to be on the latest version available. They have already released updates of their apps and extensions to fix the issue.

If you’re using Bitwarden, an update (2025.8.0) is coming later this week.

If you’re using iCloud Passwords or EnPass, both have been partially fixed but are still vulnerable today. iCloud Passwords received a better fix than EnPass.

Finally, and that is the annoying news of the day: if you’re using 1Password, LastPass or LogMeOnce, you are definitely at risk. The third one simply didn’t answer the security researcher’s emails. And both 1Password & LastPass have purely and simply decided not to do anything about it. More about that down below.

For now, there are three things that you can do right away to mitigate the risks:

  • Deactivate the autofill in your extension settings

  • Turn on the setting that only allows autofill when the URL matches exactly (watch out though, as this won’t work for your credit cards and personal data)

  • For Chrome and Chromium-based browsers, change your extension settings by right clicking on the extension → Manage Extension → Site Access → On click

What this will do is make sure that your extension is only active if you click beforehand on its icon. Which leads me to the other main important point of this security vulnerability: you are at risk only when your vault is unlocked. If your vault is password/biometric locked and you end up on a compromised website, you will be safe. If your vault is unlocked, you won’t be safe.

Going back to 1Password and LastPass… What is their reason not to implement a fix for this?

For them, this is just another case of clickjacking. A form of hacking that they do consider out of their security scope. To quote from the 1Password website:

Techniques like clickjacking or deceptive overlays can be used to trick users into interacting with interface elements, including autofill prompts, in ways that may expose sensitive information.

Your information in 1Password is always encrypted and protected. Clickjacking does not expose all your 1Password data or export all your vault contents, and no website can directly access your information without interaction with the browser extension’s autofill element. At most, a malicious or compromised webpage could trick you into autofilling a single matching item following a click, not everything in your account.

For maximum safety, consider locking the 1Password browser extension when browsing unfamiliar or risky sites so autofill requires explicit intent.

The thing is that this vulnerability, relying on clickjacking (but not only), has been fixed by many other password managers like Proton, NordPass, Dashlane, etc.

This means that this specific issue is fixable. And both 1Password and LastPass have concluded that it was not critical enough to fix. I’ll let you be the judge on this, but as a long time 1Password customer, I feel betrayed and outraged by how they are dealing with this.

To quote them again, from the first article I came across spotlighting the breach discovery:

Security and usability are a balance, one that we are always making tradeoffs back and forth to find the right solution. Sometimes there is no perfect solution, only the solution that works best for the most users. As I mentioned previously, it is only with user feedback that we chose to remove the prompt for the PII items that would prevent clickjacking from occurring. A change that we’ve documented in the support article under the “Identity alerts” section.

Meaning that what works best for their users is (in an oversimplified way) to make sure that they won’t have to deal with an alert message in this case. Alas, the only kind of item that is deemed to still be “safe” in 1Password (credit cards) does involve an alert message that isn’t even correctly labeled.

To end with the conclusion quote of the researcher (and assuming it does fit your threat model):

2FA should be strictly separated from login credentials - when storing everything in one place, so the attacker could exploit vulnerable password managers and gain access to the account even with 2FA enabled.

tl;dr:

Clickjacking is not dead - browser extensions are vulnerable to clickjacking
→ iframe-based and especially to the DOM-based

Malicious script can be on any trusted website (XSS, subdomain takeover, web cache poisoning…).
XSS is not RCE, attackers can find (easily) this vulnerability.
:warning: 1 click = attacker gets your credentials incl. TOTP (only for vulnerable domain)

No vulnerability is needed to leak your credit card, personal data
:warning: 1 click = credit cards details or personal data (attacker’s website)
:warning: 2 clicks = credit cards details + personal data (attacker’s website)

Fixed: NordPass, ProtonPass, RoboForm, Dashlane, Keeper
Still vulnerable: Bitwarden, 1Password, iCloud Passwords, Enpass, LastPass, LogMeOnce

Research on only 11 password managers
other DOM-manipulating extensions will be vulnerable (password managers, crypto wallets, notes etc.)

Finally, and assuming that it does fit your threat model:

2FA should be strictly separated from login credentials - when storing everything in one place, so the attacker could exploit vulnerable password managers and gain access to the account even with 2FA enabled.

So, yeah. Be safe out there. No system is ever 100% safe.

12 Likes
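The tl;dr above (and the per-vendor update later in the thread) names three ways a page script can manipulate an extension’s injected autofill dropdown: styling the extension element itself, styling one of its parent elements, or covering it with an overlay. The block below is an added example, not code from the thread, from Tóth’s research or from any password manager vendor. It shows the kind of pre-click visibility check a content script could run before honouring a click on its own dropdown. To run outside a browser it uses a constructed stand-in for the DOM (nodes with an `id`, a `style` object in place of `getComputedStyle`, and a `rect` in place of `getBoundingClientRect`); the element names, the page layout and the `cookie-banner` overlay are all made up for the scenario.

```javascript
// Added example (not from the thread or any vendor): a pre-click visibility
// check for an extension-injected autofill dropdown. The DOM is replaced by a
// constructed stand-in so the code runs under Node; in a content script you
// would pass the live element and use getComputedStyle / getBoundingClientRect.

function makeNode(id, parent, rect, style = {}) {
  return {
    id,
    parent,
    rect, // { x, y, w, h } in viewport pixels (stand-in for getBoundingClientRect)
    style: { opacity: '1', visibility: 'visible', display: 'block', ...style },
  };
}

// "Extension Element" and "Parent Element" methods: walk from the dropdown up
// to the root and report the first node whose style would hide it. Opacity is
// compared against a threshold because 0.01 is just as invisible as 0.
function hiddenByStyle(el) {
  for (let n = el; n; n = n.parent) {
    const s = n.style;
    if (s.display === 'none') return `${n.id}: display none`;
    if (s.visibility === 'hidden') return `${n.id}: visibility hidden`;
    if (parseFloat(s.opacity) < 0.9) return `${n.id}: opacity ${s.opacity}`;
  }
  return null;
}

function intersects(a, b) {
  return a.x < b.x + b.w && b.x < a.x + a.w && a.y < b.y + b.h && b.y < a.y + a.h;
}

function isDescendantOf(node, ancestor) {
  for (let n = node; n; n = n.parent) if (n === ancestor) return true;
  return false;
}

// "Overlay" method: report any node outside the dropdown's own ancestry or
// subtree whose box overlaps the dropdown's box. Geometry is used instead of
// hit-testing on purpose: an overlay with `pointer-events: none` lets the click
// fall through to the dropdown and is skipped by document.elementFromPoint, so
// a hit-test based check would miss exactly the overlay an attacker would use.
function overlayOn(dropdown, candidates) {
  return candidates
    .filter((n) => !isDescendantOf(n, dropdown) && !isDescendantOf(dropdown, n))
    .filter((n) => n.style.display !== 'none' && intersects(n.rect, dropdown.rect))
    .map((n) => `overlapped by ${n.id}`);
}

// Decision the dropdown's click handler would consult before filling.
function autofillClickIsTrustworthy(dropdown, candidates) {
  const reasons = [hiddenByStyle(dropdown), ...overlayOn(dropdown, candidates)].filter(Boolean);
  return { ok: reasons.length === 0, reasons };
}

// Constructed scenarios: a benign page and the three manipulation methods.
function buildScenario(method) {
  const root = makeNode('html', null, { x: 0, y: 0, w: 1280, h: 800 });
  const body = makeNode('body', root, { x: 0, y: 0, w: 1280, h: 800 });
  const loginForm = makeNode('login-form', body, { x: 100, y: 100, w: 300, h: 60 });
  const host = makeNode('pm-host', body, { x: 100, y: 200, w: 300, h: 120 });
  const dropdown = makeNode('pm-dropdown', host, { x: 100, y: 200, w: 300, h: 120 });
  const candidates = [root, body, loginForm, host, dropdown];

  if (method === 'extension-element') dropdown.style.opacity = '0';
  if (method === 'parent-element') host.style.opacity = '0.01';
  if (method === 'overlay') {
    // Decoy drawn over the (still clickable) dropdown; clicks pass through it.
    candidates.push(makeNode('cookie-banner', body,
      { x: 80, y: 180, w: 340, h: 160 }, { pointerEvents: 'none' }));
  }
  return { dropdown, candidates };
}

function checkScenario(method) {
  const { dropdown, candidates } = buildScenario(method);
  return autofillClickIsTrustworthy(dropdown, candidates);
}

for (const m of ['benign', 'extension-element', 'parent-element', 'overlay']) {
  console.log(m, JSON.stringify(checkScenario(m)));
}
```

Two caveats a practitioner should keep in mind. First, this check runs in the same document the attacker’s script controls (XSS, subdomain takeover, cache poisoning, as the tl;dr lists), so the script can also tamper with the check’s inputs; that is the substance of 1Password’s claim, quoted later in the thread, that such mitigations can be bypassed, and why a confirmation prompt the user must affirmatively answer is the stronger control. Second, geometry alone ignores stacking contexts and CSS transforms; in Chromium the browser-supported occlusion signal is IntersectionObserver v2 (`trackVisibility: true`, reading `entry.isVisible`), which was designed for this class of problem.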

FYI: Bitwarden have released their update to fix the issue. If your browser extension is the version 2025.8.0, you’re good to go.

5 Likes

Forgive me if I’m wrong. But has it not previously been recommended on PG that Auto-fill should be disabled in browser based password managers?

It could have been elsewhere that I saw the recommendation. But it made perfect sense to me when I first read about it and would prevent this vulnerability.

1 Like

This case is a pretty good example of autofill being exploited for malicious purposes. I don’t remember reading anything in the knowledge base that was mentioning autofill as an option to avoid/turn off. But it is common knowledge that anything (semi-)automatically inputting data for you may eventually become a security issue in the long run.

Here, whoever was manually copy-pasting their logins and passwords from their password manager to the web browser was not impacted by this vulnerability. Same thing for anyone who was relying on an external 2FA (in a dedicated app, not in your password manager, or with a FIDO hardware key).

Relevant video:

1 Like

Serious 1Password flaw? Allegedly. Please let’s focus on what matters: polished UX and a stress-free setup.

Priorities folks. If the fan club insists the UX is divine, who are we to ask for security?

And thank heavens nobody’s been asking for years to remove 1Password from our recommended list :folded_hands:

1 Like

KeePassXC extension not mentioned…

Because it doesn’t autofill

5 Likes

Link to where this is said here:

https://socket.dev/blog/password-manager-clickjacking#:~:text=It’s%20the%20opinion%20of%20the%20Socket%20Security%20Team%20that%2C%20if%20this%20is%20the%20case%2C%20the%20mitigations%20currently%20implemented%20by%20other%20password%20managers%20may%20also%20be%20bypassable

Discussion with 1Password

After filing the request for CVE numbers with US-CERT the Socket Security Team reached out to the impacted password manager vendors to alert them about the pending CVE assignment. At time of publication, only 1Password responded.

On a call between the 1Password and Socket Security Team, 1Password explained that the mitigations proposed by Tóth could be trivially bypassed, and that the only way to mitigate the vulnerabilities fully would be to implement a dialog popup to prompt the user before autofilling. It’s the opinion of the Socket Security Team that, if this is the case, the mitigations currently implemented by other password managers may also be bypassable.

1Password stated they considered this dialogue popup solution, and implemented it for credit card fields, but opted not to implement this for PII due to user feedback, according to the H1 triage logs with Tóth:

Security and usability are a balance, one that we are always making tradeoffs back and forth to find the right solution. Sometimes there is no perfect solution, only the solution that works best for the most users. As I mentioned previously, it is only with user feedback that we chose to remove the prompt for the PII items that would prevent clickjacking from occurring. A change that we’ve documented in the support article under the “Identity alerts” section.

As of the time of publication, 1Password has chosen not to provide an official statement to the Socket Security Research team about Tóth’s research.

While it is easy to assume vendors are simply ignoring these vulnerabilities, the reality is more complicated. Mitigating DOM-based clickjacking in a way that is both robust and frictionless for end users is a technically difficult challenge. The most straightforward solution, adding confirmation dialogs before autofilling, does introduce usability friction that some users may push back on. Password managers walk a tightrope between security and usability, and choices about which safeguards to enforce ultimately reflect product decisions about that balance. That said, the research highlights that what’s convenient for users in the short term can leave them exposed to systemic risks that attackers may exploit.

I’m sure the vast majority of 1Password’s clients are folks who would otherwise use something like “password123” at the slightest annoyance. Not excusing the fact that 1Password is basically doing nothing though; even a simple fix that is somewhat bypassable is better than nothing.

3 Likes

The video I posted a few comments above explains this.

1 Like

what about KeepassXC + Brave + KeepassXC-extension?

As I understand it, this issue only affects those who autofill; KeePass is safe.

But you may want to watch that video to understand it if all the other info sounds too esoteric.

2 Likes

So you think security and privacy don’t matter?

Come on it was sarcasm :joy:

2 Likes

There is a fix; it is in settings:

“The most straightforward solution, adding confirmation dialogs before autofilling, does introduce usability friction that some users may push back on. Password managers walk a tightrope between security and usability, and choices about which safeguards to enforce ultimately reflect product decisions about that balance. That said, the research highlights that what’s convenient for users in the short term can leave them exposed to systemic risks that attackers may exploit.”
https://socket.dev/blog/password-manager-clickjacking#:~:text=The%20most%20straightforward,attackers%20may%20exploit.

It is just not on by default.

1 Like

Doesn’t copying and pasting one’s credentials present its own risks?

You constantly have to manually verify that you are on the correct URL.

As a 1Password user, I am disappointed that they are refusing to do something about this issue, even if the solution is not foolproof.

1Password getting worse

Before 1Password, I was a long time user of LastPass, and a feature that I loved in LastPass is auto-login. That’s when your password manager automatically logs you into a website without you having to manually click autofill and login.

When I switched to 1Password, I was very disappointed that they didn’t have this feature and asked them why. They had pointed me to a blog post on their website, explaining that auto-login presents a security risk. Even though it was a little annoying, their reasoning made sense to me, and I got used to having to manually autofill my credentials.

Fast-forward to I wanna say earlier this year or late last year, and 1Password introduces auto-login as a feature, and on top of that makes it the default setting. They reversed their position on something they were staunchly against for a long time, and this surprised me. I can no longer find the blog post where they explain why they were against auto-login.

Moreover, 1Password 8, which was launched 3 years ago, has introduced a lot of bugs that they are in no hurry to fix, which is extremely frustrating.

UI & UX vs Security

IMHO, 1Password has the best UI and UX of any password manager (except on Android, where UX sucks). Obviously, UI & UX aren’t everything, but it’s why I still use it. That said, I always hoped that I would eventually be able to switch to Proton Pass for which I have a paid subscription, but they are still quite far from being there in terms of UI & UX for me. More than a third of my 1Password credentials are not importable in Proton Pass. And they lack a lot of features I need.

I understand that there is a real balance between UI & UX vs security, but IMO, it doesn’t apply to everything. I think any password manager can have both, especially when they are a successful company like 1Password or Proton.

1 Like

Look above your comment you can enable the fix yourself in the extension’s security settings.

Hey folks. Lets keep the conversation respectful regardless of your opinion on 1Password.

3 Likes

Update regarding the vulnerability state of the 11 password managers mentioned.

tl;dr: Only LogMeOnce is still fully vulnerable. 1Password released a first fix and blog post/statement (a second fix is on the way). LastPass won’t do more (if you’re still using LastPass…). Every other password manager mentioned has released a fix and communicated with its users about it.

:orange_circle: 1Password
Vulnerable version: <8.11.7.2
Partially fixed: 8.11.7
Improvement: You can now choose to have 1Password ask before it autofills logins, credit cards, or other non-credential items in your browser. You can turn on “Ask before filling” for certain items under Settings > Security. Please see the accompanying security advisory.
Vulnerable methods: Parent Element, Overlay
In addition to the clickjacking vulnerability, 1Password has confusing text in the dialog box when filling in a credit card. There is generic text “item”. The user may not know that it is a credit card.
Upcoming fix: 8.11.7.2 (check the blog post for the details)

:green_circle: Bitwarden
Vulnerable version: 2025.7.0
Fixed: 2025.8.0
Vulnerable methods: Parent Element

:green_circle: Dashlane
Fixed: v6.2531.1 (1.8.2025)
Security Overview: https://support.dashlane.com/hc/en-us/articles/28598967624722-Advisory-Passkey-Dialog-Clickjacking-Issue

:orange_circle: Enpass
Vulnerable version: 6.11.6 (latest)
Vulnerable methods: Parent Element, Overlay
Fixed Method: Extension Element <6.11.4.2 (19.5.2025)
Release Notes: https://www.enpass.io/release-notes/enpass-browser-extensions/

:orange_circle: iCloud Passwords
Vulnerable version: 3.1.25 (latest) / Note from commenter: partially fixed, no other infos from Apple at this time
Methods: Overlay
Fixed Method: Extension Element <2.3.22 (12.8.2024)
Acknowledgements: August 2024 https://support.apple.com/en-us/122162

:green_circle: Keeper
Fixed Methods:
Extension Element <17.1.1 (1.5.2025)
Overlay <17.2.0 (29.7.2025)

:orange_circle: :cross_mark: LastPass
Vulnerable version: 4.146.1 (latest)
Vulnerable methods: Parent Element, Overlay
Fixed: Credit Card, Personal Data <=4.125.0 (15.12.2023) / Note from commenter: partially fixed, won’t make further change.

:red_circle: LogMeOnce
Vulnerable version: 7.12.4 (latest)
Vulnerable methods: Extension Element, Parent Element, Overlay

:green_circle: NordPass
Fixed: <5.13.24 (15.2.2024)

:green_circle: ProtonPass
Fixed Methods:
Extension Element, Parent Element <1.9.5 (22.12.2023)
Extension Element <=1.31.0 (CRX)
Overlay <=1.31.4
Acknowledgements: https://proton.me/blog/protonmail-security-contributors

:green_circle: RoboForm
Fixed Methods:
Extension Element <9.5.6 (7.12.2023)
Parent Element, Overlay <9.7.6 (25.7.2024)
Release Notes: https://www.roboform.com/news-ext-chrome

Long story short: only web extensions are impacted. Desktop and mobile apps are safe. If you’re using a web browser extension, make sure to turn off autofill until a fix is released. If you’re using a Chromium web browser, you can also change the “Site access” setting of your password manager extension to “On click”.

If it wasn’t the case already (assuming that your threat model requires it):

2FA should be strictly separated from login credentials - when storing everything in one place, so the attacker could exploit vulnerable password managers and gain access to the account even with 2FA enabled.

7 Likes