- Several password managers are exposed to a new attack
- The attack abuses opacity settings and autofill functions
- Passwords, 2FA codes and credit card information can be stolen
At the recent DEF CON 33 conference, independent researcher Marek Tóth revealed a clickjacking attack which he claims can exploit the autofill capabilities of six of the largest password managers.
The attack is able to steal passwords, 2FA codes and credit card information, making it a serious concern for tens of millions of password manager users.
Tóth tested the attack on versions of 1Password, Bitwarden, Enpass, iCloud Passwords, LastPass and LogMeOnce, and found that the browser-based variants could leak stored data under the right conditions.
Major password managers at risk
The attack relies on a site that uses opacity settings, overlays, or pointer events to render the web-based password manager's autofill UI invisibly. The site can be either a malicious one or a legitimate one that has been compromised.
The attacker then uses a pop-up or CAPTCHA that deliberately positions the user's click over the hidden password manager controls, autofilling the stored credentials into the form and stealing them.
What makes this attack vector even more concerning is that the attacker can use a universal attack script to identify which password manager is active in the browser and tailor the attack to target it specifically.
Other variations of the attack were demonstrated at DEF CON 33, including several DOM-based subtypes that abuse opacity at the element, parent element, root and overlay level, as well as a variant that can trigger autofill wherever the cursor is located.
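The defensive counterpart to the subtypes above is a visibility check an extension could run before honouring a click on its autofill dropdown. The following is an added example written for this article, not code from Tóth's research or from any password manager vendor. It stands in plain objects for DOM nodes so it runs in Node; in a browser the same logic would read `getComputedStyle()` and `document.elementsFromPoint()`. The `MIN_EFFECTIVE_OPACITY` threshold, the element and layer names, and the scenarios are all constructed for illustration. Note that the check inspects paint order rather than hit-testing order, because an overlay with `pointer-events: none` still covers the dropdown visually even though clicks pass through it.

```javascript
// Added example (not the article's or any vendor's code): pre-autofill checks
// that an extension could run before acting on a click on its own dropdown.
// DOM nodes are plain objects here so the example runs outside a browser.
'use strict';

const MIN_EFFECTIVE_OPACITY = 0.9; // assumed policy threshold, not a vendor setting

// Build a node. style keys: opacity (not inherited, compounds down the tree),
// visibility and pointerEvents (inherited unless the node sets them itself).
function makeElement(id, style = {}, parent = null) {
  const el = { id, style: { ...style }, parent, children: [] };
  if (parent) parent.children.push(el);
  return el;
}

// Opacity compounds through every ancestor: a 0.01 parent or a 0 root hides a
// fully opaque dropdown, which is exactly the parent- and root-level subtypes.
function effectiveOpacity(el) {
  let o = 1;
  for (let n = el; n; n = n.parent) {
    if (n.style.opacity !== undefined) o *= Number(n.style.opacity);
  }
  return o;
}

// Inherited properties: the nearest node (self or ancestor) that sets them wins.
function inherited(el, prop, fallback) {
  for (let n = el; n; n = n.parent) {
    if (n.style[prop] !== undefined) return n.style[prop];
  }
  return fallback;
}

// A layer is a positioned box { id, el, rect, zIndex }; higher zIndex paints on top.
// Returns every layer under (x, y), topmost first. Unlike browser hit testing it
// does NOT skip pointer-events: none layers, so click-through decoys are still seen.
function layersAtPoint(layers, x, y) {
  return layers
    .filter(l => x >= l.rect.x && x < l.rect.x + l.rect.w &&
                 y >= l.rect.y && y < l.rect.y + l.rect.h)
    .sort((a, b) => b.zIndex - a.zIndex);
}

function isPainted(layer) {
  return effectiveOpacity(layer.el) > 0 &&
         inherited(layer.el, 'visibility', 'visible') === 'visible';
}

// Returns { ok, reason }. `dropdown` is the extension's own autofill layer,
// `layers` is the constructed stand-in for document.elementsFromPoint().
function isSafeToAutofill(dropdown, layers, click) {
  const opacity = effectiveOpacity(dropdown.el);
  if (opacity < MIN_EFFECTIVE_OPACITY) {
    return { ok: false, reason: `effective opacity ${opacity.toFixed(2)} below threshold` };
  }
  if (inherited(dropdown.el, 'visibility', 'visible') !== 'visible') {
    return { ok: false, reason: 'dropdown is not visible' };
  }
  if (inherited(dropdown.el, 'pointerEvents', 'auto') === 'none') {
    return { ok: false, reason: 'dropdown does not receive pointer events' };
  }
  const topPainted = layersAtPoint(layers, click.x, click.y).find(isPainted);
  if (!topPainted || topPainted !== dropdown) {
    const who = topPainted ? topPainted.id : 'none';
    return { ok: false, reason: `another element (${who}) is drawn over the dropdown at the click point` };
  }
  return { ok: true, reason: 'dropdown is visible and topmost at the click point' };
}

// Constructed scenarios mirroring the subtypes named in the article.
function scenario(name) {
  const root = makeElement('html');
  const body = makeElement('body', {}, root);
  const box = { x: 0, y: 0, w: 100, h: 100 };
  const click = { x: 50, y: 50 };
  const layers = [{ id: 'page', el: body, rect: box, zIndex: 0 }];

  if (name === 'root-opacity') root.style.opacity = 0;
  const holder = makeElement('holder', name === 'parent-opacity' ? { opacity: 0.01 } : {}, body);
  const dropdownEl = makeElement('pm-dropdown', name === 'element-opacity' ? { opacity: 0 } : {}, holder);
  const dropdown = { id: 'pm-dropdown', el: dropdownEl, rect: box, zIndex: 10 };
  layers.push(dropdown);

  if (name === 'overlay') {
    // A decoy drawn above the dropdown; pointer-events: none lets the click fall through.
    const decoy = makeElement('decoy', { pointerEvents: 'none' }, body);
    layers.push({ id: 'decoy', el: decoy, rect: box, zIndex: 100 });
  }
  return isSafeToAutofill(dropdown, layers, click);
}

for (const name of ['honest', 'element-opacity', 'parent-opacity', 'root-opacity', 'overlay']) {
  const r = scenario(name);
  console.log(`${name.padEnd(16)} -> ${r.ok ? 'AUTOFILL' : 'BLOCK'}: ${r.reason}`);
}
```

Only the `honest` scenario is allowed to autofill; the four attack-shaped scenarios are blocked with a reason naming the failing condition. As the vendor statements below note, a check like this reduces the window rather than closing it, since the page controls the styling the extension is measuring; pairing it with a confirmation prompt before sensitive fills is the complementary mitigation the article describes.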

Tóth informed the companies he tested about the attack vector in April 2025 and also told them the findings would be published at DEF CON 33 in August. Security researchers at Socket verified Tóth's methods and helped notify the affected password managers.
Several password managers remain vulnerable to the attack, including these versions:
- 1Password 8.11.4.27
- Bitwarden 2025.7.0
- Enpass 6.11.6 (partial fix implemented in 6.11.4.2)
- iCloud Passwords 3.1.25
- LastPass 4.146.3
- LogMeOnce 7.12.4
The latest versions of Dashlane, NordPass, Proton Pass, RoboForm and Keeper have all been patched against Tóth's demonstrated attack vector. LastPass and LogMeOnce are currently working on fixes.

Several companies provided comments to BleepingComputer following the publication of the article.
LastPass:
“We value the work of security researchers like Marek Tóth, who help to raise awareness of potential threats and improve industry security. The clickjacking vulnerability Marek revealed highlights a wider challenge that all password managers face: striking the right balance between user experience and convenience while also addressing evolving threat models.
LastPass has implemented certain clickjacking mitigations, including a pop-up review that appears before autofilling credit cards and personal details on all sites, and we are committed to exploring ways to further protect users while continuing to preserve the experience our customers expect.
Meanwhile, our Threat Intelligence, Mitigation, and Escalation (TIME) team is calling on all users of password managers to remain vigilant, avoid interacting with suspicious overlays or pop-ups, and keep their LastPass extensions up to date.” – Alex Cox, Director of Threat Intelligence, Mitigation, and Escalation (TIME) at LastPass.
1Password:
“Clickjacking is not unique to the 1Password browser extension. It is a long-standing web attack technique that affects websites and browser extensions broadly. Because the underlying problem lies in the way browsers render web pages, we believe there is no comprehensive technical solution that browser extensions can deliver on their own.
We take this and all security concerns seriously, and our approach to this particular risk is to focus on giving customers more control. 1Password already requires confirmation before autofilling payment information, and in our next release we are expanding this protection so that users can choose to enable confirmation alerts for other types of data. This helps users stay informed when autofill happens and keep control of their data.” – Jacob DePriest, CISO at 1Password.