Major Flaw Exposes Password Managers to “One-Click” Data Theft
Popular browser extensions used for password management have been found vulnerable to a novel attack technique known as DOM-based extension clickjacking. The method was unveiled by independent researcher Marek Tot at DEF CON 33. According to him, an attacker needs only to craft a malicious website with a counterfeit pop-up window: a single click on it by the user could unwittingly trigger the autofill function, sending confidential data, ranging from account credentials and two-factor authentication codes to payment details, directly to the attacker’s server.
Clickjacking, also known as UI redressing, exploits the discrepancy between what the user sees and what actually occurs behind the interface. In this new variant, the technique abuses UI components injected by password managers themselves into the structure of a webpage. By using scripts to render these elements invisible through transparency manipulation, an attacker can cause a simple action — such as clicking to dismiss a banner or close a form — to activate autofill, leading to a silent data exfiltration.
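As an added example that is not code from the article or from any of the vendors named, the following shows the kind of visibility guard an extension could apply before acting on a click on its own injected autofill element, refusing the click when the element has been made transparent, hidden, collapsed or placed off-screen. `env`, `makeNode` and the sample nodes are constructed stand-ins for the browser DOM so the logic runs outside a browser.

```javascript
// Visibility guard for an extension's injected autofill UI. `env` wraps the
// browser calls (getComputedStyle, getBoundingClientRect, viewport size) so
// the same check can run against constructed nodes outside a browser.
function findRedressingReason(el, env) {
  // Walk up the tree: an opacity:0 or hidden ancestor hides the child as well.
  for (let node = el; node; node = node.parentElement) {
    const s = env.getStyle(node);
    if (s.display === "none" || s.visibility === "hidden") return "hidden";
    if (parseFloat(s.opacity) < 0.1) return "transparent";
  }
  const r = env.getRect(el);
  if (r.width < 8 || r.height < 8) return "collapsed";
  const { width: vw, height: vh } = env.viewport;
  if (r.left + r.width <= 0 || r.top + r.height <= 0 || r.left >= vw || r.top >= vh) {
    return "off-screen";
  }
  return null; // nothing suspicious: the user could genuinely see this element
}

function shouldHonourAutofillClick(el, env) {
  return findRedressingReason(el, env) === null;
}

// Constructed stand-in DOM nodes and environment (assumption: not a real DOM).
function makeNode(style, parent = null, rect = { left: 40, top: 120, width: 240, height: 36 }) {
  return { style, parentElement: parent, rect };
}
const testEnv = {
  getStyle: (n) => ({ display: "block", visibility: "visible", opacity: "1", ...n.style }),
  getRect: (n) => n.rect,
  viewport: { width: 1280, height: 800 },
};

// A normally rendered autofill dropdown inside the page body.
const body = makeNode({});
const visibleDropdown = makeNode({}, body);
// The same dropdown after a page script wrapped it in an opacity:0 container,
// so the user sees only whatever decoy the page drew underneath it.
const transparentWrapper = makeNode({ opacity: "0" }, body);
const hijackedDropdown = makeNode({}, transparentWrapper);
// A dropdown positioned outside the viewport: a real user could not have clicked it.
const offscreenDropdown = makeNode({}, body, { left: -5000, top: 120, width: 240, height: 36 });

console.log(shouldHonourAutofillClick(visibleDropdown, testEnv)); // true
console.log(findRedressingReason(hijackedDropdown, testEnv));     // "transparent"
console.log(findRedressingReason(offscreenDropdown, testEnv));    // "off-screen"
```

In a real content script the `env` functions would be `window.getComputedStyle`, `Element.getBoundingClientRect` and `window.innerWidth`/`innerHeight`, and the guard would run inside the click handler before any autofill is performed.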
Tot tested 11 of the most widely used password managers, including 1Password, iCloud Passwords, Bitwarden, Enpass, LastPass, and LogMeOnce. All proved susceptible to this method. In several cases, the attack compromised not only standard credentials but also time-based one-time passwords (TOTP) and even passkey authentication mechanisms. The danger is amplified by the fact that many managers automatically fill credentials not only for the primary domain but also across all its subdomains — a weakness that can be further exploited through other vulnerabilities such as XSS, enabling seamless data theft.
According to Tot’s findings, 10 of the 11 tested extensions filled accounts on subdomains, 9 exposed TOTP codes, and 8 permitted attacks against passkeys. Thus, a single click on a deceptive element within a malicious site could result in complete account compromise.
Following responsible disclosure, patches were not universally issued. As of now, no updates have been released for:
- 1Password (v8.11.4.27)
- Apple iCloud Passwords (v3.1.25)
- Enpass (v6.11.6)
- LastPass (v4.146.3)
- LogMeOnce (v7.12.4)
Independent validation by Socket confirmed Tot’s findings, noting that Enpass and iCloud Passwords are working to address the flaw, while 1Password and LastPass categorized it as merely “informational.” The organization also escalated the matter to US-CERT for CVE assignment.
As a temporary safeguard, Tot recommends disabling autofill in password managers and, where possible, manually copying credentials. For Chromium-based browsers, he advises enabling the “click-to-access” setting for extensions, granting users greater control over when passwords are filled. Shortly after Tot’s publication, Bitwarden released an update accompanied by a warning urging users to carefully scrutinize site addresses and exercise vigilance to avoid falling victim to phishing campaigns.