InfoSecBulletin Cybersecurity for mankind
A cybersecurity researcher revealed zero-day clickjacking vulnerabilities in eleven major password managers, risking credential theft for millions of users with just one malicious click.
The new attack technique, dubbed “DOM-based Extension Clickjacking,” represents a significant evolution from traditional web-based clickjacking attacks.
India’s Tata Electronics hit by cyber breach: Hacker target 630 GB record
Anthropic’s Mythos reportedly broke NSA classified systems in hours
OpenAI New Method “Deployment Simulation” Predicts AI Risks Before Deployment
AryStinger botnet infected thousands of D-Link routers globally
Hacker suspected of sending alerts across Brazil
CyberSentinel AI features 33 security tools like Nmap, SQLMap, and ZAP, utilizing Claude and GPT
Barracuda hosts Dhaka roundtable on cyber resilience
CISA Alerts Fortinet Users as FortiBleed Affects 86,644 FortiGate Devices
CISA: Splunk flaw under active exploit, patch by Sunday
Texas data breach exposes 3 million driver’s licenses
This technique targets user interface elements created by password manager extensions in web pages, making them invisible but still clickable, unlike traditional methods that use hidden iframes.
Extensive Testing Reveals Widespread Vulnerability:
Tóth’s comprehensive research tested eleven popular password managers, including industry leaders such as 1Password, Bitwarden, LastPass, Dashlane, Keeper, and others.
The results were alarming: all tested password managers were initially vulnerable to at least one variant of the DOM-based Extension Clickjacking technique.
The vulnerabilities affect approximately 40 million active installations across Chrome Web Store, Firefox Add-ons, and Edge Add-ons platforms.
Six out of nine tested password managers were vulnerable to credit card detail extraction, while eight out of ten could be exploited to exfiltrate stored personal information.
Perhaps most concerning, ten out of eleven password managers were susceptible to credential theft, including Time-based One-Time Password (TOTP) codes used for two-factor authentication.
Following responsible disclosure in April 2025, several vendors have implemented fixes. Dashlane, Keeper, NordPass, ProtonPass, and RoboForm have successfully patched their extensions against the described attack methods.
However, major players, including 1Password, Bitwarden, LastPass, iCloud Passwords, Enpass, and LogMeOnce, remain vulnerable as of August 2025, representing approximately 32.7 million active installations still at risk.
The persistence of these vulnerabilities in widely used password managers highlights the complexity of securing browser extensions against sophisticated client-side attacks. Click here to read the full report.
Massive Intel data exposure: hacker harvests 270K employee data
