Researchers warn of DOM-based extension clickjacking in password managers

A security researcher revealed a vulnerability in popular password-manager browser extensions at DEF CON 33, calling it DOM-based extension clickjacking. The technique could allow attackers to steal credentials, one-time codes, and even credit card details with a single user click on a compromised page.

The technique, described by independent researcher Marek Tóth, targets 11 widely used password-management add-ons, including 1Password, Apple iCloud Passwords, Bitwarden, Enpass, LastPass and LogMeOnce, and could be extended to other extension types. Tóth’s write-up on the attack is available on his blog, and the broader research was presented at the conference earlier this month.

In a typical attack, an attacker creates a fake site with an intrusive login prompt or cookie-consent banner while embedding an invisible login form. A user’s click closes the pop-up but inadvertently triggers the password manager’s auto-fill, sending credentials to a remote server. “All password managers filled credentials not only to the ‘main’ domain, but also to all subdomains,” Tóth said. “An attacker could easily find XSS or other vulnerabilities and steal the user’s stored credentials with a single click (10 out of 11), including TOTP (9 out of 11). In some scenarios, passkey authentication could also be exploited (8 out of 11).”
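As an added illustration (not code from Tóth’s research or from any of the password managers named above), the following shows the kind of visibility heuristic an extension could run on the element a fill is about to target, rejecting elements hidden the way the attack describes. The thresholds, the sample states and the helper names are assumptions.

```javascript
// Added illustration, not code from Tóth's research or from any password manager:
// a visibility heuristic an extension could run on the element a fill is about to
// target. DOM-based extension clickjacking hides that element (opacity 0, a 1x1 px
// box, an off-screen position) so a click on a decoy banner lands on it unseen.

// `field` is a plain description of the element's computed state (see describeElement);
// `viewport` is { width, height } in CSS pixels. All thresholds are assumptions.
function isFieldVisibleForFill(field, viewport) {
  const { display, visibility, opacity, ancestorOpacity, rect } = field;
  if (display === 'none' || visibility === 'hidden') return false;
  // Effective opacity is the element's own opacity times that of its ancestors.
  if (opacity * ancestorOpacity < 0.5) return false;
  // A tiny box is not something a user knowingly clicks on.
  if (rect.width < 8 || rect.height < 8) return false;
  // Entirely outside the viewport.
  if (rect.x + rect.width <= 0 || rect.y + rect.height <= 0 ||
      rect.x >= viewport.width || rect.y >= viewport.height) return false;
  return true;
}

// Builds that description from a live DOM element; only callable inside a browser.
function describeElement(el) {
  const cs = getComputedStyle(el);
  let ancestorOpacity = 1;
  for (let p = el.parentElement; p; p = p.parentElement) {
    const o = parseFloat(getComputedStyle(p).opacity);
    ancestorOpacity *= Number.isNaN(o) ? 1 : o;
  }
  const r = el.getBoundingClientRect();
  return { display: cs.display, visibility: cs.visibility, opacity: parseFloat(cs.opacity),
           ancestorOpacity, rect: { x: r.x, y: r.y, width: r.width, height: r.height } };
}

// Constructed sample states: one honest login field and three clickjacking-style decoys.
const VIEWPORT = { width: 1280, height: 720 };
const SAMPLES = {
  honest:    { display: 'block', visibility: 'visible', opacity: 1, ancestorOpacity: 1,
               rect: { x: 400, y: 300, width: 240, height: 32 } },
  opacity0:  { display: 'block', visibility: 'visible', opacity: 1, ancestorOpacity: 0,
               rect: { x: 400, y: 300, width: 240, height: 32 } },
  tiny:      { display: 'block', visibility: 'visible', opacity: 1, ancestorOpacity: 1,
               rect: { x: 400, y: 300, width: 1, height: 1 } },
  offscreen: { display: 'block', visibility: 'visible', opacity: 1, ancestorOpacity: 1,
               rect: { x: -5000, y: 300, width: 240, height: 32 } },
};

// Returns the names of the sample fields the heuristic would allow to be filled.
function fillableSamples() {
  return Object.keys(SAMPLES).filter(k => isFieldVisibleForFill(SAMPLES[k], VIEWPORT));
}
```

This is a heuristic only; it does not address the subdomain-scoping behaviour Tóth also criticised, which is a separate matching decision.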

The attack has drawn the attention of software supply-chain security firm Socket, which independently reviewed the research. Socket said Bitwarden, Enpass, and iCloud Passwords are actively working on fixes, while 1Password and LastPass described the issues as informative disclosures. Socket also said it has reached out to US-CERT to request CVE identifiers for the vulnerabilities.

Until fixes are widely deployed, researchers advise users to disable the auto-fill feature in password managers and rely on copy/paste. For Chromium-based browsers, Tóth recommended setting the extension’s site-access setting to “On click” so that the extension only runs when the user invokes it, giving users manual control over autofill actions.