Zero-Day Clickjacking Vulnerabilities in Major Password Managers

I’m surprised at how casually the Bitwarden team is taking the issue and not releasing emergency fixes for it. I am happy with how fast the Proton Pass team reacted. I didn’t expect this, as they are new to the password manager industry. I’m planning to switch my password manager from Bitwarden to Proton Pass.

The issue is easily fixable on the end user side.
Understandable that Bitwarden is not in a hurry, it is not a severe security flaw.

There are 13 million users of the Bitwarden Chrome extension. Out of 13 million, how many people know about this issue, and how many are non-advanced users? As a company they should immediately do something, as we are trusting them with our passwords.

4 Likes

People that install a browser extension increase their attack surface in the first place (convenience is usually the enemy of security).
Not all people use the cloud version of Bitwarden; some use their own self-hosted Vaultwarden (and should have the due diligence to check from time to time).
Even fewer people are exposed to such a vulnerability as of today; this clickjacking exploit is not widespread on 99% of websites.
I can only see 5M Chrome installs + 0.8M Firefox ones.
Moreover, searching for “bitwarden firefox extension” in a search engine brings up Marektoth’s article as the 2nd link.

Overall, Bitwarden should not carry all the blame here.
And bad vulnerabilities happen all day; this doesn’t mean the team needs to have a sleepless night and rush a hotfix, nor should it push you to migrate to another password manager in itself.

1 Like

Bitwarden has handled this situation very poorly IMO. Version 2025.8.0 was supposed to have fixed it, but it did not. Then 2025.8.1 was said to be the solution, but it was not. And I can find no mention of it on their site or Git, except in this one forum thread: Should I be worried about clickjacking? - #33 by gooseleggs - 🔹Password Manager - Bitwarden Community Forums

Apparently this vulnerability is STILL not resolved? Or am I missing something?

3 Likes

Bitwarden only does community support through their forums. They push official stuff to a support email address. I too haven’t seen a “we are done” type of message regarding these clickjacking issues. You’d think they’d be on this.

Github is the way to go, post an issue there or check the code on your machine locally.
Even better solution: disable autofill.

It’s not a CVE so nobody will rush to fix it.

This is true: version 2025.8.1 did not fix it. The login credential vulnerability still existed. I had tested it myself.
Only 2025.8.2 seems to fix it now, which was released like a day ago.
Yeah, they did say earlier that it was fixed when really it was not. The researcher himself had pointed this out in a post on the Bitwarden forums. You can see here: Should I be worried about clickjacking? - #24 by marektoth - Password Manager - Bitwarden Community Forums

If you want to make sure it’s fixed, you can try the researcher’s demo website, which made it very easy for anyone to test whether they were affected by it or not.

3 Likes

I still fail the opacity:0.5 test with Bitwarden extension 2025.8.2 on Firefox.
How did you manage to get a positive test?

Did you test on any chromium based browser?

In short, the Proton Pass browser app is no longer vulnerable to reported clickjacking attacks. We were alerted to this vulnerability by a report by cybersecurity researcher Marek Tóth given at DEF CON 33.

[…]

We’ve addressed this vulnerability with the rollout of version 1.31.6 of Proton Pass, and would strongly recommend updating your Proton Pass web app if you haven’t already.

2 Likes