Research Reveals Clickjacking Risks in Popular Password Managers
New research has shown these critical security tools are vulnerable to clickjacking attacks.

CYBER SYRUP
Delivering the sweetest insights on cybersecurity.

Password managers are widely trusted tools that store and autofill sensitive information such as usernames, passwords, and payment details. However, new research has shown that even these critical security tools are vulnerable to clickjacking attacks.
At the DEF CON security conference, researcher Marek Tóth presented findings that nearly a dozen password managers could be exploited through their browser extensions, leaving millions of users at risk.
Impacted Password Managers
Tóth tested the following password managers and their associated browser extensions:
1Password
Bitwarden
Dashlane
Enpass
Keeper
LastPass
LogMeOnce
NordPass
ProtonPass
RoboForm
Apple iCloud Passwords
Collectively, these extensions have nearly 40 million active installations across Chrome, Edge, and Firefox, highlighting the scale of potential exposure.
How Clickjacking Works
Clickjacking is a long-standing attack technique where attackers manipulate web pages to trick users into clicking on hidden or disguised elements. A malicious site can overlay transparent buttons or links over legitimate content, causing the victim to unknowingly trigger dangerous actions.
Tóth demonstrated how attackers could exploit the Document Object Model (DOM) elements that password manager extensions inject into web pages (autofill dropdowns and prompts). By styling these elements so they are invisible while they still receive clicks, a malicious page could trigger autofill actions and extract highly sensitive data such as:
Personal details
Usernames and passwords
Payment card data
Passkeys
Some attacks required as little as one unintended click, especially when combined with cross-site scripting (XSS) or other web vulnerabilities.
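To make the defensive side of this concrete, here is an added example of the kind of visibility check an extension could run before honouring a click on one of its injected autofill elements. It is illustrative code written for this article, not any vendor's implementation. It is a pure function over a "render state" object so it runs outside a browser; the field names (styleChain, rect, fieldKind), the MIN_OPACITY threshold and the sample states are all assumptions constructed for the example.

```javascript
// Added example: an extension-side guard that refuses to act on a click on
// an injected autofill element unless that element is genuinely visible.
// Illustrative code, not any vendor's implementation. In a real content
// script the fields of `state` would come from the DOM APIs named below.

const MIN_OPACITY = 0.5; // chosen threshold: anything fainter counts as hidden

// state.isTrusted  -> event.isTrusted (false for script-dispatched clicks)
// state.styleChain -> getComputedStyle() of the element (index 0) and each
//                     ancestor up to <html>; a hidden ancestor hides the
//                     element even when its own styles look normal
// state.rect       -> element.getBoundingClientRect()
// state.fieldKind  -> what the extension is about to fill ("login", "card", ...)
function evaluateAutofillClick(state) {
  const reasons = [];

  if (!state.isTrusted) {
    reasons.push("synthetic click (event.isTrusted is false)");
  }

  // Walk the element and its ancestors: any of them can style the UI away.
  state.styleChain.forEach((s, i) => {
    const where = i === 0 ? "element" : `ancestor ${i}`;
    if (parseFloat(s.opacity) < MIN_OPACITY) reasons.push(`${where}: opacity ${s.opacity}`);
    if (s.visibility === "hidden") reasons.push(`${where}: visibility hidden`);
    if (s.display === "none") reasons.push(`${where}: display none`);
    if (s.clipPath !== "none") reasons.push(`${where}: clip-path ${s.clipPath}`);
    if (/opacity\(0/.test(s.filter)) reasons.push(`${where}: filter ${s.filter}`);
  });

  // A box the user cannot see is as good as hidden.
  const r = state.rect;
  if (r.width < 8 || r.height < 8) reasons.push("box too small to be seen");
  if (r.right <= 0 || r.bottom <= 0) reasons.push("box positioned off-screen");

  const visible = reasons.length === 0;
  // Payment cards and passkeys get an explicit prompt even when visible.
  const sensitive = state.fieldKind === "card" || state.fieldKind === "passkey";
  return { allow: visible && !sensitive, requireConfirmation: visible && sensitive, reasons };
}

// Constructed sample states (not captured from any real site or extension).
const VISIBLE = { opacity: "1", visibility: "visible", display: "block", clipPath: "none", filter: "none" };
const NORMAL_RECT = { width: 240, height: 40, right: 500, bottom: 300 };
const base = { isTrusted: true, styleChain: [VISIBLE, VISIBLE, VISIBLE], rect: NORMAL_RECT, fieldKind: "login" };

const SAMPLE_CLICKS = {
  // Genuine click on a visible login dropdown: fill immediately.
  legit: base,
  // Page set opacity:0 on a wrapper: the dropdown is invisible but still receives clicks.
  hiddenAncestor: { ...base, styleChain: [VISIBLE, { ...VISIBLE, opacity: "0" }, VISIBLE] },
  // Page dispatched the click from script rather than the user.
  synthetic: { ...base, isTrusted: false },
  // Element shrunk to a 1x1 box and parked under a decoy button.
  tinyBox: { ...base, rect: { width: 1, height: 1, right: 500, bottom: 300 } },
  // Visible, genuine click on a payment-card fill: allowed only after confirmation.
  cardFill: { ...base, fieldKind: "card" },
};

for (const [name, state] of Object.entries(SAMPLE_CLICKS)) {
  console.log(name, JSON.stringify(evaluateAutofillClick(state)));
}
```

The ancestor walk is the important part: rendering the dropdown inside a closed shadow root stops the page from styling its contents, but the page can still set opacity, visibility or clip-path on the host element or any ancestor, so the check has to climb the tree. The confirmation branch mirrors the prompt-before-fill approach vendors describe for high-value data, trading one extra click for protection against a single unintended one.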
Vendor Responses
While some vendors have already patched these vulnerabilities, others have yet to release fixes. According to the researcher, the following managers remained unpatched at the time of disclosure:
Bitwarden
1Password
iCloud Passwords
Enpass
LastPass
LogMeOnce
Bitwarden confirmed a patch is being rolled out in version 2025.8.0, and LogMeOnce said their team is actively working on a fix.
Other vendors offered perspective on the broader challenge. 1Password’s CISO, Jacob DePriest, emphasized that the issue is not unique to password managers but tied to how browsers render webpages. He explained that 1Password is introducing new confirmation prompts for autofill actions to give users more control.
Similarly, LastPass noted that while safeguards exist, such as pop-up notifications before filling credit card details, they are continuing to explore additional protections to balance convenience and security.
Key Takeaways
Widespread Risk: Clickjacking vulnerabilities affect many of the most popular password managers.
User Vigilance Needed: Users should keep extensions updated and remain cautious when interacting with overlays or pop-ups.
Ongoing Efforts: Vendors are patching and adjusting features to reduce the risk of invisible, malicious actions.
Password managers remain essential tools for secure credential management, but this research highlights that even the most trusted technologies must constantly evolve to address emerging threats.