Zero-Day Clickjacking Vulnerabilities in Major Password Managers

Serious 1Password flaw? Allegedly. Please let’s focus on what matters: polished UX and a stress-free setup.

Priorities folks. If the fan club insists the UX is divine, who are we to ask for security?

UI is as important as UX. Not every user is tech-savvy. Having a good UI can be the argument that makes the difference between using a password manager, or not using one at all. As long as you don’t go for LastPass… It is 100% better and safer to use a password manager. And it doesn’t matter if it’s in the case of a common person or not.

2 Likes

Compared to the other password managers, KeePass works differently. The way the app communicates with the extension is much safer. Compared to the other ones, some of their extensions are an autonomous password manager in itself. One that is embedded in the user browser.

4 Likes

@Natha great update thanks!

I think this is a valid insight that users who are more privacy focused tend to forget. For a lot of people using a password manager is a huge change and one of the biggest steps a person can make in their privacy journey.

1 Like

Important update: 24/08/2025 5h15 GMT+1

  • Added :red_circle: KeePassXC-Browser is vulnerable: please see the updated original article here
  • Updated :red_circle: Bitwarden status, latest version (2025.8.1) still vulnerable (No ETA for the next update)
  • Changed :orange_circle: 1Password to :red_circle: (the vulnerability also concerns your credit card info, please check the details)
  • Changed :orange_circle: iCloud Password to :red_circle: (the overlay vulnerability is the most likely to be exploited on naive users)
  • Added links to screen recordings for each vulnerable password manager, showing the exploit in action

For now, make sure to turn off auto fill. If you’re using a Chromium web browser, you can also change the “Site access” setting of your password manager extension to “On click”.

And this is, once again, a good reminder to keep your 2FA/TOTP separated from your main device.

The complete changelog:

:red_circle: VULNERABLE :warning:

:red_circle: 1Password
Vulnerable version: <=8.11.7.2 (latest)
Vulnerable methods: Parent Element, Overlay Videos
Videos: opacity:0 opacity:0.5

In addition to the clickjacking vulnerability, 1Password has confusing text in the dialog box when filling in a credit card. There is generic text “item”. The user may not know that it is a credit card.

https://websecurity.dev/video/1password_personaldata_creditcard.mp4

Improvement in 8.11.7.2: You can now choose to have 1Password ask before it autofills logins, credit cards, or other non-credential items in your browser. You can turn on “Ask before filling” for certain items under Settings > Security. Please see the accompanying security advisory.

:warning: Note: it is really advised to turn this setting on and deactivate auto fill. :warning:

:red_circle: Bitwarden
Vulnerable version: <=2025.8.1 (latest)
Vulnerable methods: Overlay
Videos: opacity:0 + opacity:0.5

:red_circle: iCloud Passwords
Vulnerable version: 3.1.25 (latest)
Methods: Overlay
Videos: opacity:0 opacity:0.5
Acknowledgements: August 2024 https://support.apple.com/en-us/122162
Fixed: Extension Element <2.3.22 (12.8.2024)

:red_circle: KeePassXC-Browser
Vulnerable releases: <=1.9.9.2 (latest)
Vulnerable methods: Extension Element, Overlay
Videos: opacity:0 + opacity:0.5 (1.9.9.2) / as seen in 1.9.9.1

:red_circle: LastPass
Vulnerable releases: 4.146.1 (latest)
Vulnerable methods: Extension Element, Parent Element, Overlay
Videos: opacity:0 opacity:0.5
Fixed: Credit Card, Personal Data <=4.125.0 (15.12.2023) / Note from commenter: no further update ahead, assume that it won’t be fixed.

:red_circle: LogMeOnce
Vulnerable releases: 7.12.4 (latest)
Vulnerable methods: Extension Element, Parent Element, Overlay
Videos: opacity:0 opacity:0.5

:green_circle: FIXED

:green_circle: Dashlane
Fixed: v6.2531.1 (1.8.2025)
Security Overview: https://support.dashlane.com/hc/en-us/articles/28598967624722-Advisory-Passkey-Dialog-Clickjacking-Issue

:green_circle: Enpass
Vulnerable version: 6.11.6 (latest)
Release Notes: https://www.enpass.io/release-notes/enpass-browser-extensions/
Vulnerable:
Parent Element, Overlay (<= 6.11.5)
Extension Element (<6.11.4.2)
Fixed Method: Extension Element <6.11.4.2 (19.5.2025)

:green_circle: Keeper
Fixed: 17.2.0
Vulnerable releases:
Extension Element <17.1.2 (26.5.2025)
Overlay <17.2.0 (25.7.2025)

:green_circle: NordPass
Fixed: 5.13.24 (15.2.2024)

:green_circle: Proton Pass
Fixed: 1.31.6
Acknowledgements: https://proton.me/blog/protonmail-security-contributors
Vulnerable releases:
Extension Element, Parent Element <1.9.5 (22.12.2023)
Extension Element <=1.31.0 (CRX)
Overlay <=1.31.4

:green_circle: RoboForm
Fixed: <=9.7.6 (25.7.2024)
Release Notes: https://www.roboform.com/news-ext-chrome
Vulnerable releases:
Extension Element <9.5.6 (7.12.2023)
Parent Element, Overlay <=9.7.5 (25.7.2024)

tl;dr: only web extensions are impacted.
Desktop and mobile apps are safe. Turn off autofill until a fix is released.

Finally, if it wasn’t the case already (assuming that your threat model requires it):

2FA should be strictly separated from login credentials: when everything is stored in one place, an attacker who exploits a vulnerable password manager could gain access to the account even with 2FA enabled.

13 Likes
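The changelog above names three ways the autofill prompt gets hijacked (the injected "Extension Element" itself is made transparent, a "Parent Element" above it is faded or hidden, or an "Overlay" is drawn on top of it). The following is an added example, not code from the thread or from any of the password managers it discusses: a pure-JavaScript model of the "trusted click" check an extension could apply before acting on a click on its prompt. Nodes are plain objects rather than live DOM elements so it runs offline in Node; the mapping of each method name to a CSS property is an assumption based on the opacity:0 / opacity:0.5 video labels in the post, and the 0.9 visibility threshold is a chosen value, not something any vendor uses.

```javascript
// Added example (not from the thread or any password manager it discusses):
// a "trusted click" check for an extension's autofill prompt, modelling the
// three methods named in the changelog with constructed nodes instead of DOM.

// Assumption: a prompt whose composed opacity is below this counts as hidden.
const MIN_EFFECTIVE_OPACITY = 0.9;

// Constructed stand-in for a DOM element: `style` holds what getComputedStyle()
// would report, `parent` is the containing element (null at the root).
function makeNode(id, style = {}, parent = null) {
  const defaults = { opacity: 1, visibility: 'visible', display: 'block' };
  return { id, style: { ...defaults, ...style }, parent };
}

function isDescendantOf(node, ancestor) {
  for (let n = node; n; n = n.parent) {
    if (n === ancestor) return true;
  }
  return false;
}

// Walk to the root: a display:none or visibility:hidden ancestor hides the
// node outright, and CSS opacity composes multiplicatively down the tree, so a
// half-transparent parent of a half-transparent child renders at 0.25.
function effectiveOpacity(node) {
  let opacity = 1;
  for (let n = node; n; n = n.parent) {
    if (n.style.display === 'none' || n.style.visibility === 'hidden') return 0;
    opacity *= Number(n.style.opacity);
  }
  return opacity;
}

// `stackAtPoint` stands in for the elements under the click point, topmost
// first (what document.elementsFromPoint() reports in a browser). Any rendered
// element above the prompt that is not part of the prompt means the user saw
// something else where they clicked, even if that element passes the click
// through with pointer-events:none, which a plain hit test would not notice.
function findOccluder(prompt, stackAtPoint) {
  for (const el of stackAtPoint) {
    if (isDescendantOf(el, prompt)) return null; // reached the prompt itself
    if (effectiveOpacity(el) > 0) return el;      // something visible on top
  }
  return null;
}

// Act on the click only if the prompt is visible and nothing is drawn over it.
function shouldHonourClick(prompt, stackAtPoint) {
  const opacity = effectiveOpacity(prompt);
  if (opacity < MIN_EFFECTIVE_OPACITY) {
    return { ok: false, reason: `prompt rendered at opacity ${opacity.toFixed(2)}` };
  }
  const occluder = findOccluder(prompt, stackAtPoint);
  if (occluder) {
    return { ok: false, reason: `prompt covered by ${occluder.id}` };
  }
  return { ok: true, reason: 'prompt visible and unobstructed' };
}

// Constructed scenarios mirroring the changelog's method names.
function runScenarios() {
  const body = makeNode('body');
  const results = {};

  // 1. Honest page: the prompt is on top and fully opaque.
  let prompt = makeNode('prompt', {}, body);
  results.clean = shouldHonourClick(prompt, [prompt, body]);

  // 2. "Extension Element": the injected prompt itself is styled to opacity:0.
  prompt = makeNode('prompt', { opacity: 0 }, body);
  results.extensionElement = shouldHonourClick(prompt, [prompt, body]);

  // 3. "Parent Element": the prompt is untouched but its container is faded.
  const container = makeNode('container', { opacity: 0.5 }, body);
  prompt = makeNode('prompt', {}, container);
  results.parentElement = shouldHonourClick(prompt, [prompt, container, body]);

  // 4. "Overlay": a decoy banner is drawn above the prompt at the click point.
  prompt = makeNode('prompt', {}, body);
  const banner = makeNode('cookie-banner', {}, body);
  results.overlay = shouldHonourClick(prompt, [banner, prompt, body]);

  // 5. The prompt's own button is topmost: part of the prompt, not an occluder.
  prompt = makeNode('prompt', {}, body);
  const button = makeNode('fill-button', {}, prompt);
  results.ownButton = shouldHonourClick(prompt, [button, prompt, body]);

  return results;
}
```

In a real extension the node chain would come from getComputedStyle() on the prompt and its ancestors, and the stack from document.elementsFromPoint() at the prompt's centre; browsers expose the same idea natively through IntersectionObserver v2's `isVisible` flag. The check runs inside a DOM the page controls, so it raises the bar rather than removing the risk, which is why the post's advice to turn off autofill until a fix ships still stands.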

Thanks for the detailed update!

Thanks for all of this info. So it sounds like the desktop apps advice would also apply to Keepassium, which does not have a browser extension, but integrates with macOS’s autofill (e.g. in Safari). i.e., Keepassium users should disable that autofill integration and manually copy/paste, correct?

Curious also if the same would apply to iOS. Sounds like there’s no reason it wouldn’t.

Someone on the Bitwarden community forums also suggested that using alternative autofill methods, such as the keyboard shortcut could eliminate this issue since it’s only related to inline autofill, which is the way most password managers handle autofill. Can someone confirm this?

Post updated: the fix released by Bitwarden (2025.8.1) didn’t fix the vulnerability.

No ETA for the fix of the fix. :roller_coaster:

KeePass is working on a fix (the following was wrong: and confirmed that using the default settings will keep you safe.)

LogmeOnce did log an update on their website, but still no sign of it on the Chrome Web Store. Will update as soon as it is available.

Finally, LastPass still doesn’t care. :man_shrugging:

This is why PG should recommend local app + autotype functionality. Not the first time and certainly won’t be the last.

1 Like

There used to be a time, not that long ago, when 1Password was developing a real native macOS app with a global, application-agnostic auto fill. One that was semi-automatic/user dependent, as you needed to click at least once to fill something in. It was fast, butter-smooth, reliable, safe (thanks to the macOS sandboxing). That got killed when 1Password 8 was released, starting the Electron era for each and every version of the app. And we all know how annoying an app may become when its developer(s) decide(s) to go the Electron way.

So, yeah. Local apps did make a difference, and still do today.

Even without per-URL autofill, password management can be made very convenient with local apps at least on linux. The way I have it set up is just: press super+S → start typing name of service (password manager entries have to be descriptive) → press enter → focus on input box (if it doesn’t autofocus) and wait 2 seconds for autotype. Press enter again to login. Takes less than 5 seconds total.

That’s a bummer! Have any of the other password manager fixes been confirmed to work?

Read the updates above.

Maybe I missed something? Keepass being confirmed is nice but that was already expected. I meant managers who were actually thought to be affected. Such as Proton or Dashlane who also have fixes out that were released around when Bitwarden’s was.

I mean, they have had fixes. Confirmation from the community for whether it actually and truly fixes the issue is not yet available I think.

But I have no reason to doubt it hasn’t. I at least have that much trust with the people behind Proton and a couple others.

Sure, I think most people would have said that about Bitwarden.

I probably would not have even thought to wait for the fixes to be confirmed working, without that coming out.

With 1Password basically questioning if it can be fixed (maybe better to say if it’s worth it) and then Bitwarden having their fix fail, makes it more interesting than I’d have expected.

Bitwarden here with this situation appears to be an outlier and uncharacteristically so. Not sure what’s going on with them.

With 1Password, they do have their reasons for it. There’s a video I posted earlier in this thread that explains it.

Yeah I saw their statement. Can’t say I’d feel super confident if I’m a 1Password user and they have to throw out “Security and usability are a balance” as a response to a security issue.

1 Like

I mean, what they said is not wrong from a factual POV but yeah, for a security-first product it’s not good.

1 Like