Attack on password managers: what we know, and what to do

A new wave of cyberattacks has exposed a critical vulnerability in popular browser-based password managers, using a technique known as DOM-based extension clickjacking. But what does this actually mean...


ree

This method, recently demonstrated at DEF CON 33 by cyber security researcher Marek Tóth, manipulates the Document Object Model (DOM) of a web page, including the interface elements a password manager extension injects into it, so that a user's click on something harmless triggers an action they never intended.


The attack targets browser extensions used by password managers such as 1Password, LastPass, NordPass, Enpass, and others, which collectively serve millions of users worldwide.


The attack works by embedding invisible elements, such as login forms or credential selectors, beneath seemingly benign interface components like cookie consent banners or authentication prompts. When a user clicks on what appears to be a legitimate button, they are in fact interacting with the hidden element. This can cause their password manager to auto-fill sensitive information, which is then silently exfiltrated to a threat-actor-controlled server.
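The defence that follows from this description is a visibility check on the extension side: before an injected autofill suggestion acts on a click, confirm that the suggestion was actually visible to the user. The code below is an added example and is not code from this post, from Marek Tóth's research, or from any password manager vendor. The DOM is reached through a small `env` object so the logic runs outside a browser; in a real extension `env.getStyle` would be `window.getComputedStyle`, `env.getRect` would be `el.getBoundingClientRect()`, and the `0.9` opacity threshold is an assumed tuning value. The stand-in nodes at the bottom are constructed for the demonstration.

```javascript
// Added example (not the post's, the researcher's or any vendor's code): a
// visibility gate an extension could run before honouring a click on the
// autofill UI it injects into a page. `env` abstracts the browser so this
// file runs under Node; the opacity threshold is an assumed value.

// Does this one computed style make the element (and its whole subtree)
// effectively invisible to the user while it can still receive clicks?
function styleHidesElement(style) {
  const opacity = parseFloat(style.opacity ?? '1');
  if (Number.isFinite(opacity) && opacity < 0.9) return true;   // opacity:0 is the classic trick
  if (style.visibility === 'hidden' || style.display === 'none') return true;
  if (style.clipPath && style.clipPath !== 'none') return true;  // clipped away to nothing
  if (typeof style.filter === 'string' && /opacity\(/.test(style.filter)) return true;
  return false;
}

// Walk from the element up to the root. A hidden ancestor hides the whole
// subtree, so inspecting the clicked element alone is not enough.
function effectiveVisibility(el, env) {
  const rect = env.getRect(el);
  if (rect.width < 1 || rect.height < 1) return { visible: false, reason: 'zero size' };
  const vp = env.viewport;
  if (rect.right <= 0 || rect.bottom <= 0 || rect.left >= vp.width || rect.top >= vp.height) {
    return { visible: false, reason: 'outside viewport' };
  }
  for (let node = el; node; node = node.parentElement) {
    if (styleHidesElement(env.getStyle(node))) {
      return { visible: false, reason: `hidden by <${node.tagName.toLowerCase()}>` };
    }
  }
  return { visible: true, reason: 'ok' };
}

// The gate itself: fill credentials only when the clicked suggestion is visible.
function shouldHonourClick(el, env) {
  return effectiveVisibility(el, env).visible;
}

// ---- Constructed stand-in DOM for the demonstration (not a real page) ----
function makeNode(tagName, style, rect, parentElement = null) {
  return { tagName, style, rect, parentElement };
}
const env = {
  viewport: { width: 1280, height: 800 },
  getStyle: (node) => node.style,
  getRect: (node) => node.rect,
};
const onScreen = { left: 100, top: 100, right: 300, bottom: 140, width: 200, height: 40 };
const offScreen = { left: -500, top: 100, right: -300, bottom: 140, width: 200, height: 40 };
const body = makeNode('BODY', { opacity: '1' },
  { left: 0, top: 0, right: 1280, bottom: 800, width: 1280, height: 800 });

// Case 1: the extension's dropdown is rendered normally.
const honestHost = makeNode('DIV', { opacity: '1' }, onScreen, body);
const honestItem = makeNode('LI', { opacity: '1' }, onScreen, honestHost);

// Case 2: a page script has set the injected host to opacity:0 and parked a
// fake "Accept cookies" button at the same coordinates. The list item itself
// looks fine; only its ancestor gives the game away.
const tamperedHost = makeNode('DIV', { opacity: '0' }, onScreen, body);
const tamperedItem = makeNode('LI', { opacity: '1' }, onScreen, tamperedHost);

// Case 3: the dropdown is styled normally but pushed out of the viewport.
const offScreenItem = makeNode('LI', { opacity: '1' }, offScreen, honestHost);

console.log('honest   :', effectiveVisibility(honestItem, env));
console.log('tampered :', effectiveVisibility(tamperedItem, env));
console.log('offscreen:', effectiveVisibility(offScreenItem, env));
```

In a real extension the same walk has to cross the shadow root boundary of the injected UI, and the check belongs in the click handler, not just at render time, because the page can change the host element's style after the dropdown has appeared.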


Tóth’s research revealed that 10 out of 11 tested password managers were vulnerable to this technique, with many also exposing time-based one-time passwords (TOTP), credit card details, and even passkeys.


The vulnerability stems from the way these extensions inject UI elements into web pages and how they handle autofill functionality. In many cases, credentials are filled not only for the main domain but also for all subdomains, increasing the attack surface significantly.
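The subdomain point above is a policy decision an extension makes every time it decides whether a stored credential matches the current page. The following added example (not code from this post or from any password manager) shows the difference between matching the exact origin and matching any subdomain; the policy names `exact-origin` and `subdomains` and the sample URLs are assumptions constructed for the illustration.

```javascript
// Added example (not from the post or any vendor): the scope check that decides
// whether a stored credential may be offered on the page being visited.
// `policy` values are assumed names, not a real product setting.

function parseOrigin(url) {
  const u = new URL(url);
  return { scheme: u.protocol.replace(':', ''), host: u.hostname.toLowerCase(), port: u.port };
}

// Is `host` equal to `base` or a subdomain of it? The leading dot stops a
// lookalike such as notexample.com from matching example.com.
function isSameOrSubdomain(host, base) {
  return host === base || host.endsWith('.' + base);
}

function autofillAllowed(storedUrl, pageUrl, policy = 'exact-origin') {
  const stored = parseOrigin(storedUrl);
  const page = parseOrigin(pageUrl);
  if (page.scheme !== 'https') return false;                       // never fill over plaintext HTTP
  if (stored.scheme !== page.scheme || stored.port !== page.port) return false;
  switch (policy) {
    case 'exact-origin': return page.host === stored.host;          // the stricter default
    case 'subdomains':   return isSameOrSubdomain(page.host, stored.host);
    default: throw new Error(`unknown policy ${policy}`);
  }
}

// Constructed scenario: a credential saved for the main site, and a page on a
// subdomain that, on many platforms, may host user-controlled content.
const saved = 'https://example.com/login';
const cases = [
  ['https://example.com/account', 'exact-origin'],
  ['https://userpages.example.com/u/someone', 'exact-origin'],
  ['https://userpages.example.com/u/someone', 'subdomains'],
  ['https://notexample.com/login', 'subdomains'],
  ['http://example.com/login', 'subdomains'],
];
for (const [page, policy] of cases) {
  console.log(policy.padEnd(13), page.padEnd(42), autofillAllowed(saved, page, policy));
}
```

The `subdomains` row for `userpages.example.com` is the case the article warns about: the credential was saved for the main domain, yet a subdomain the account holder never logged into is offered the fill.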

Despite responsible disclosure, the response from vendors has been mixed. While some, like Bitwarden, Dashlane, Keeper, NordPass, ProtonPass, and RoboForm, have issued patches, others such as 1Password and LastPass have either delayed fixes or classified the issue as merely informative. Apple’s iCloud Passwords and Enpass are reportedly still working on updates.


Mitigation

To mitigate the risk, users are advised to disable the autofill feature in their password managers or configure it to activate only upon manual interaction.


For Chromium-based browsers like Chrome and Edge, this can be done by adjusting the extension’s site access settings to “on click.” This ensures that credentials are only filled when the user explicitly initiates the action, reducing the likelihood of accidental exposure.


This incident underscores the persistent risks associated with browser-based security tools and the importance of user vigilance. As threat actors continue to exploit subtle interface manipulations, even a single careless click can compromise an entire vault of sensitive data.


Until comprehensive fixes are in place, users should remain cautious and consider adopting stricter controls over how and when their password managers interact with websites.


Reporting

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).

The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.

EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.