Major flaw in top password managers lets hackers steal your login details, 2FA codes, credit card info and more

Several of the best password managers have been found to be vulnerable to a flaw that lets hackers pull off clickjacking attacks. Researcher Marek Tóth recently demonstrated how the bug allows attackers to overlay invisible HTML elements over an interface, so that users think they are clicking on a standard pop-up when they are actually leaking sensitive information such as account credentials, 2FA codes or credit card details.

Bleeping Computer reported on Tóth’s findings, which the researcher showed off during the August DEF CON 33 conference. A threat actor can exploit this flaw when a victim visits a malicious website vulnerable to cross-site scripting or cache poisoning, which is where the invisible overlay occurs. The hacker only needs to create a fake site and ensure that it contains an intrusive pop-up like a login screen or consent banner. This pop-up contains the overlay with an invisible login form, which means that once the victim clicks on the site to close the pop-up, their password manager will autofill their credentials or other sensitive info into the malicious site, which then sends it back to a remote server.

Tóth showed multiple ways the flaw could be exploited using different variants, including direct DOM (document object model) element opacity manipulation, root element opacity manipulation, parent element opacity manipulation, and partial or full overlaying. He also demonstrated a method where the UI follows the mouse cursor so any click, regardless of position on the page, would trigger data autofill. To make matters worse, Tóth explained that a universal attack script could be used to identify which password manager is active in the victim’s browser, so the attack could be adapted in real time.
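
The opacity and overlay variants listed above all leave the autofill UI on the page but unseen, which is something a defender can test for before accepting a click. The sketch below is an added example, not code from Tóth's research or from any password manager; the element model, the function names and the 0.9 threshold are assumptions made for illustration.

```javascript
// Added example on a constructed element model, not a real DOM. In a browser,
// opacity would come from getComputedStyle(el).opacity, the parent link from
// el.parentElement and rect from el.getBoundingClientRect().
const MIN_VISIBLE_OPACITY = 0.9; // assumed threshold, not taken from the research

function ownOpacity(node) {
  const o = Number(node.opacity);
  return Number.isFinite(o) ? Math.min(Math.max(o, 0), 1) : 1;
}

// Opacity compounds down the tree, so one dimmed ancestor hides every descendant.
function opacityChain(node) {
  let product = 1;
  let dimmest = node;
  for (let n = node; n; n = n.parent) {
    product *= ownOpacity(n);
    if (ownOpacity(n) < ownOpacity(dimmest)) dimmest = n;
  }
  return { product, dimmest };
}

function rectsOverlap(a, b) {
  return a.left < b.right && b.left < a.right && a.top < b.bottom && b.top < a.bottom;
}

// Reasons a click on the autofill UI should be refused; empty array means none found.
function autofillUiFindings(ui, otherElements = []) {
  const findings = [];
  const { product, dimmest } = opacityChain(ui);
  if (product < MIN_VISIBLE_OPACITY) findings.push(`transparent:${dimmest.name}`);
  for (const el of otherElements) {
    if (el.z > ui.z && rectsOverlap(el.rect, ui.rect)) findings.push(`overlaid-by:${el.name}`);
  }
  return findings;
}

// Constructed sample tree: html > body > div.wrap > autofill-ui
function sampleUi(opacities = {}) {
  const rect = { left: 100, top: 100, right: 300, bottom: 160 };
  let parent = null;
  for (const name of ['html', 'body', 'div.wrap', 'autofill-ui']) {
    parent = { name, opacity: opacities[name] ?? 1, parent, rect, z: 10 };
  }
  return parent; // the autofill-ui node
}

const banner = { name: 'consent-banner', z: 20, rect: { left: 0, top: 0, right: 800, bottom: 600 } };
console.log(autofillUiFindings(sampleUi({ html: 0 }))); // root element variant
console.log(autofillUiFindings(sampleUi(), [banner]));  // overlay variant
```

Walking the whole ancestor chain is the point: checking only the autofill element's own opacity would pass the parent and root element variants.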
