What The Clickjacking Vulnerability Looks Like In The Browser
Six major password managers with tens of millions of users are affected by unpatched clickjacking flaws that can leak logins, 2FA codes, and credit card details. The issue arises when victims land on a malicious site—or a site compromised via XSS or cache poisoning—where invisible HTML elements are placed over the password manager's injected interface.
Users think they are clicking common on-page items, but their clicks actually hit hidden controls that trigger autofill and reveal sensitive data.
The research was presented at DEF CON 33 by independent researcher Marek Tóth and later verified by cybersecurity firm Socket, which helped notify impacted vendors and coordinate public disclosure. Tests on the browser-based variants of 1Password, Bitwarden, Enpass, iCloud Passwords, LastPass, and LogMeOnce showed that sensitive information could leak in certain scenarios.
How The Attack Is Executed On Compromised Or Malicious Sites
The core technique is a script that makes the autofill dropdown or its controls invisible using CSS opacity, overlays, or pointer-events. The attacker then places decoy elements—cookie banners, popups, or CAPTCHA prompts—on top, so ordinary clicks land on the concealed password manager UI and fill the form with private data.
Tóth demonstrated several DOM-based subtypes of the same problem:
- Direct DOM element opacity manipulation
- Root element opacity manipulation
- Parent element opacity manipulation
- Partial or full overlaying of elements
He also showed a variant where the UI follows the mouse cursor, so any click anywhere can trigger autofill. According to Tóth, a universal attack script can detect which password manager is active and adapt in real time.
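A defensive counterpart to the subtypes listed above, added here as an example that is not from the article or from any vendor's extension: a guard a password manager's content script could run before honouring a click on its injected UI. It rejects the fill when the UI's effective opacity is near zero (the direct, parent and root element subtypes) or when a hit-test at its centre returns some other element (the overlay subtype). The threshold, function names and the stand-in DOM at the bottom are assumptions.

```javascript
const MIN_EFFECTIVE_OPACITY = 0.9; // hypothetical threshold

// CSS opacity compounds down the tree, so a dropdown at opacity 1 inside a
// parent or <html> set to opacity 0 is invisible. Walk every ancestor.
// In a browser, getStyle would be (n) => getComputedStyle(n).
function effectiveOpacity(el, getStyle) {
  let opacity = 1;
  for (let node = el; node; node = node.parentElement) {
    const s = getStyle(node);
    if (s.display === 'none' || s.visibility === 'hidden') return 0;
    opacity *= parseFloat(s.opacity ?? '1');
  }
  return opacity;
}

// Hit-test the centre of the UI: if another element comes back, something is
// layered on top of it. Caveat: elementFromPoint skips pointer-events:none
// overlays, so this alone does not cover that subtype; where available,
// IntersectionObserver v2 (trackVisibility / isVisible) reports true occlusion.
function isTopmostAtCenter(el, elementFromPoint) {
  const r = el.getBoundingClientRect();
  const hit = elementFromPoint(r.left + r.width / 2, r.top + r.height / 2);
  return hit !== null && (hit === el || el.contains(hit));
}

// Decision to make before autofilling in response to a click on the UI.
function shouldAllowAutofill(el, getStyle, elementFromPoint) {
  return effectiveOpacity(el, getStyle) >= MIN_EFFECTIVE_OPACITY &&
    isTopmostAtCenter(el, elementFromPoint);
}

// --- Constructed stand-in DOM so the guard runs outside a browser ----------
function makeNode(style, parent, rect) {
  const n = { style, parentElement: parent, rect, getBoundingClientRect: () => rect };
  n.contains = (o) => { for (let x = o; x; x = x.parentElement) if (x === n) return true; return false; };
  return n;
}
const inRect = (r, x, y) => x >= r.left && x < r.left + r.width && y >= r.top && y < r.top + r.height;

// rootOpacity models the "root element opacity" subtype; overlayPresent models
// a full-page decoy (cookie banner) stacked above the dropdown.
function scenario(rootOpacity, overlayPresent) {
  const html = makeNode({ opacity: String(rootOpacity) }, null, { left: 0, top: 0, width: 800, height: 600 });
  const dropdown = makeNode({ opacity: '1' }, html, { left: 100, top: 100, width: 200, height: 50 });
  const overlay = makeNode({ opacity: '1' }, html, { left: 0, top: 0, width: 800, height: 600 });
  const stack = overlayPresent ? [overlay, dropdown] : [dropdown]; // top to bottom
  const elementFromPoint = (x, y) => stack.find((e) => inRect(e.rect, x, y)) ?? null;
  return shouldAllowAutofill(dropdown, (n) => n.style, elementFromPoint);
}
```

Run `scenario(1, false)`, `scenario(0, false)` and `scenario(1, true)` to see the clean, root-opacity and overlay cases respectively.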
Scope Of Impact And Tested Products
The researcher evaluated 11 popular password managers and found each one vulnerable to at least one attack method. Vendors were first notified in April 2025, with public disclosure planned for August at DEF CON 33. Socket contacted the vendors again this week and said it is filing CVEs for the affected products.
As of now, the following versions—together used by around 40 million users—remain vulnerable to Tóth’s attack methods:
- 1Password 8.11.4.27
- Bitwarden 2025.7.0
- Enpass 6.11.6 (partial fix in 6.11.4.2)
- iCloud Passwords 3.1.25
- LastPass 4.146.3
- LogMeOnce 7.12.4
Vendor Responses And Fix Status
1Password rejected the report as “out-of-scope/informative,” saying clickjacking is a general web risk. LastPass also marked the report “informative.” Bitwarden acknowledged the findings but downplayed severity; however, the firm told BleepingComputer that fixes are included in version 2025.8.0, which is rolling out this week. It is unclear if LastPass and 1Password plan to address the problem. LogMeOnce did not respond to outreach from either Tóth or Socket.
Several vendors have shipped fixes. Dashlane released v6.2531.1 on August 1. Keeper delivered v17.2.0 in July. NordPass, ProtonPass, and RoboForm also implemented mitigations. Users should ensure they run the latest available versions.
Until updates land for impacted products, Tóth recommends disabling autofill in password managers and using copy/paste to reduce exposure.
Clarifications And Vendor Statements After Publication
[Update 8/20 3:20 PM EST] — LastPass and LogMeOnce said they are working on fixes for the issues detailed in Tóth’s report.
[Update 8/20 3:40 PM EST] — The vendor notification timeline was edited for accuracy based on new information from Socket.
[Update 8/20 4:15 PM EST] — LastPass provided the following statement:
“We appreciate the work of security researchers, like Marek Tóth, who help raise awareness about potential threats and improve industry-wide security. The clickjacking vulnerability Marek uncovered highlights a broader challenge facing all password managers: striking the right balance between user experience and convenience, while also addressing evolving threat models.
LastPass has implemented certain clickjacking safeguards, including a pop-up notification that appears before auto-filling credit cards and personal details on all sites, and we’re committed to exploring ways to further protect users while continuing to preserve the experience our customers expect.
In the meantime, our threat intelligence, mitigation and escalation (TIME) team encourages all users of password managers to remain vigilant, avoid interacting with suspicious overlays or pop-ups, and keep their LastPass extensions up to date.” — Alex Cox, Director Threat Intelligence, Mitigation, Escalation (TIME) at LastPass