• Multiple top password managers vulnerable to password stealing clickjacking attacks - here's what we know

    From TechnologyDaily@1337:1/100 to All on Friday, August 22, 2025 12:30:10
    Multiple top password managers vulnerable to password stealing clickjacking attacks - here's what we know

    Date:
    Fri, 22 Aug 2025 11:28:00 +0000

    Description:
    A new attack abusing opacity settings and autofill capabilities can steal sensitive data from password managers.

    FULL STORY ======================================================================

    - Multiple password managers are susceptible to a new attack
    - The attack abuses opacity settings and autofill capabilities
    - Passwords, 2FA codes, and credit card details can be stolen

    At the recent DEF CON 33 conference, independent researcher Marek Tóth
    unveiled a clickjacking attack he claims could exploit the autofill capabilities of six of the biggest password managers.

    The attack is able to steal passwords, 2FA codes, and credit card details, making it a serious concern for tens of millions of password manager users.

    Tóth tested the attack against versions of 1Password, Bitwarden, Enpass,
    iCloud Passwords, LastPass, and LogMeOnce, and found that the browser-based variants could leak stored data under the right conditions.

    Major password managers at risk

    The attack relies on a website that uses opacity settings, overlays, or pointer-events rules to make the autofill UI of the browser-based password manager invisible to the user. The website can be either a malicious site or a legitimate site that has been compromised.

    The attacker then uses a pop-up or CAPTCHA that deliberately positions the user's clicks over the hidden password manager controls, so the credentials are autofilled into the form and can be stolen.

    (Image credit: Marek Tóth)

    What makes this attack vector even more concerning is that the attacker could use a universal attack script to identify which password manager is active in the browser and adjust the attack to target it specifically.

    Other variations of the attack were demonstrated at DEF CON 33, including several DOM-based subtypes that abuse opacity at the element, parent element, root, and overlay level, as well as an attack that can trigger autofill anywhere the cursor is placed.

    (Image credit: Marek Tóth)
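    The opacity-based subtypes just described, as an added example that is not code from the article, from Marek Tóth, or from any of the vendors named: a defensive visibility check that an autofill control could run before it honours a click. Effective opacity is the product of the control's own opacity and every ancestor's, so element-level, parent-level and root-level opacity all collapse into one number. The code assumes a DOM-style tree with `parentElement` and an injected style accessor (`getComputedStyle` in a browser; a constructed fixture here so it runs in Node), and the `minOpacity` threshold of 0.9 is an assumed policy value, not anything a vendor has published.

```javascript
// Added example (not from the article or any password manager vendor).
// Defensive check: should an autofill control honour a click, given how it is
// actually rendered? `getStyle` is injected: pass `getComputedStyle` in a
// browser, or the fixture accessor below when running in Node.

const DEFAULT_STYLE = { opacity: '1', visibility: 'visible', display: 'block', pointerEvents: 'auto' };

// Effective opacity of `el`: product of its own opacity and every ancestor's
// (element, parent and root level all multiply together). Returns 0 as soon as
// any node in the chain is display:none or visibility:hidden.
function effectiveOpacity(el, getStyle) {
  let opacity = 1;
  for (let node = el; node; node = node.parentElement) {
    const s = getStyle(node);
    if (s.display === 'none' || s.visibility === 'hidden') return 0;
    const o = parseFloat(s.opacity);
    if (!Number.isNaN(o)) opacity *= Math.min(Math.max(o, 0), 1);
  }
  return opacity;
}

// Policy decision for a click on the autofill control. `minOpacity` is an
// assumed threshold; the reasons are returned so a caller can log them.
function autofillClickLooksGenuine(el, getStyle, minOpacity = 0.9) {
  const reasons = [];
  const opacity = effectiveOpacity(el, getStyle);
  if (opacity < minOpacity) {
    reasons.push(`effective opacity ${opacity.toFixed(2)} is below ${minOpacity}`);
  }
  return { genuine: reasons.length === 0, opacity, reasons };
}

// ---- Constructed fixture standing in for a real DOM ----
function node(name, style = {}, parentElement = null) {
  return { name, style: { ...DEFAULT_STYLE, ...style }, parentElement };
}
const fixtureStyle = (n) => n.style; // in a browser this would be getComputedStyle

function buildScenarios() {
  // 1. Honest page: every ancestor fully opaque.
  const honest = node('autofill', {}, node('div', {}, node('html')));

  // 2. Parent-level subtype: a wrapper around the control is transparent.
  const parentOpacity = node('autofill', {}, node('div', { opacity: '0' }, node('html')));

  // 3. Root-level subtype: the document root itself is nearly transparent.
  const rootOpacity = node('autofill', {}, node('div', {}, node('html', { opacity: '0.05' })));

  // 4. Element-level subtype: the control itself is transparent.
  const elementOpacity = node('autofill', { opacity: '0' }, node('div', {}, node('html')));

  // 5. Overlay-level subtype: the control is fully opaque but a decoy sibling
  //    is drawn above it with pointer-events:none. Nothing in the ancestor
  //    chain changes, so an opacity walk alone cannot detect this case.
  const html5 = node('html');
  const overlayOnly = node('autofill', {}, node('div', {}, html5));
  node('decoy-captcha', { pointerEvents: 'none' }, html5); // constructed decoy, not in the chain

  return { honest, parentOpacity, rootOpacity, elementOpacity, overlayOnly };
}

function evaluateScenarios() {
  const results = {};
  for (const [name, control] of Object.entries(buildScenarios())) {
    results[name] = autofillClickLooksGenuine(control, fixtureStyle);
  }
  return results;
}

for (const [name, r] of Object.entries(evaluateScenarios())) {
  console.log(name.padEnd(15), r.genuine ? 'honour click' : `refuse: ${r.reasons.join('; ')}`);
}
```

    The overlay case is left in deliberately: it passes the opacity walk, which is why the article's vendors reach for a confirmation prompt rather than rendering checks alone. In a browser, an occlusion-aware signal such as IntersectionObserver v2's `isVisible` (with `trackVisibility: true`) is the usual complement to a check like this one.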

    Tóth notified the companies on which he tested the attack vector in April
    2025, also stating that public disclosure would be made at DEF CON 33 in August. Cybersecurity researchers at Socket verified Tóth's methods and
    assisted in notifying the affected password managers.

    Several password managers remain vulnerable to the attack, including these versions:

    - 1Password 8.11.4.27
    - Bitwarden 2025.7.0
    - Enpass 6.11.6 (partial fix implemented in 6.11.4.2)
    - iCloud Passwords 3.1.25
    - LastPass 4.146.3
    - LogMeOnce 7.12.4

    The latest versions of Dashlane, NordPass, ProtonPass, RoboForm, and Keeper have all been patched against Tóth's demonstrated attack vector. LastPass and LogMeOnce are currently working on fixes for the attack.

    (Image credit: Marek Tóth)

    Several companies issued comments to BleepingComputer following the publication's article.

    LastPass:

    "We appreciate the work of security researchers, like Marek Tóth, who help raise awareness about potential threats and improve industry-wide security. The clickjacking vulnerability Marek uncovered highlights a broader challenge facing all password managers: striking the right balance between user experience and convenience, while also addressing evolving threat models.

    LastPass has implemented certain clickjacking safeguards, including a pop-up notification that appears before auto-filling credit cards and personal details on all sites, and we're committed to exploring ways to further protect users while continuing to preserve the experience our customers expect.

    In the meantime, our threat intelligence, mitigation and escalation (TIME) team encourages all users of password managers to remain vigilant, avoid interacting with suspicious overlays or pop-ups, and keep their LastPass extensions up to date." - Alex Cox, Director Threat Intelligence, Mitigation, Escalation (TIME) at LastPass.

    1Password:

    "Clickjacking is not unique to the 1Password browser extension. It is a long-standing web attack technique that affects websites and browser extensions broadly. Because the underlying issue lies in the way browsers render webpages, we believe there's no comprehensive technical fix that
    browser extensions can deliver on their own.

    We take this and all security concerns seriously, and our approach to this particular risk is to focus on giving customers more control. 1Password already requires confirmation before autofilling payment information, and in our next release, we're extending that protection so users can choose to
    enable confirmation alerts for other types of data. This helps users stay informed when autofill is happening and in control of their data." - Jacob DePriest, CISO at 1Password.



    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/multiple-top-password-managers-vulnerable-to-password-stealing-clickjacking-attacks-heres-what-we-know


    --- Mystic BBS v1.12 A49 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)