Six major password managers with tens of millions of users are currently vulnerable to unpatched clickjacking flaws that could allow attackers to steal account credentials, 2FA codes, and credit card details.
Threat actors could exploit the security issues when victims visit a malicious page or websites vulnerable to cross-site scripting (XSS) or cache poisoning, where attackers overlay invisible HTML elements over the password manager interface.
While users believe they are interacting with harmless clickable elements, they trigger autofill actions that leak sensitive information.
The flaws were presented during the recent DEF CON 33 hacker conference by independent researcher Marek Tóth. Researchers at cybersecurity company Socket later verified the findings and helped inform impacted vendors and coordinate public disclosure.
The researcher tested his attack on certain versions of 1Password, Bitwarden, Enpass, iCloud Passwords, LastPass, and LogMeOnce, and found that all their browser-based variants could leak sensitive info under certain scenarios.
Exploitation methods
The main attack mechanic is to run a script on a malicious or compromised website that uses opacity settings, overlays, or pointer-event tricks to hide the autofill dropdown menu of a browser-based password manager.
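As an added example, not code from the researcher or from any of the vendors named above, the following shows the kind of visibility check an extension could run before acting on a click to its injected dropdown: it refuses to autofill if the dropdown or any ancestor is transparent, hidden or inert, or if another element is hit-tested on top of it. The DOM calls (getComputedStyle, elementFromPoint) are assumed to be passed in as `deps`, and the node objects are constructed stand-ins, so the check runs outside a browser.

```javascript
// Illustrative defensive check (not any vendor's code): only honor a click on an
// injected autofill dropdown if it is genuinely rendered and topmost.

function isRenderedVisible(el, getStyle) {
  // Any ancestor that is display:none, visibility:hidden, (near-)transparent or
  // pointer-events:none hides the dropdown too; these are the CSS tricks that
  // keep the menu clickable while making it invisible to the user.
  for (let node = el; node; node = node.parentElement) {
    const s = getStyle(node);
    if (s.display === "none" || s.visibility === "hidden") return false;
    if (Number(s.opacity) < 0.99) return false;
    if (s.pointerEvents === "none") return false;
  }
  return true;
}

function isTopmostAt(el, x, y, topElementAt) {
  // If hit-testing at the click point returns some other element, the user saw
  // and clicked that element (e.g. an overlay), not the dropdown.
  const top = topElementAt(x, y);
  return top !== null && (top === el || el.contains(top));
}

function shouldHonorAutofillClick(dropdown, x, y, deps) {
  return isRenderedVisible(dropdown, deps.getStyle) &&
    isTopmostAt(dropdown, x, y, deps.topElementAt);
}

// Constructed stand-in for DOM nodes so the check can be exercised offline.
function makeNode(style, parent) {
  const base = { display: "block", visibility: "visible", opacity: "1", pointerEvents: "auto" };
  const node = { style: Object.assign(base, style), parentElement: parent || null };
  node.contains = (other) => {
    for (let n = other; n; n = n.parentElement) if (n === node) return true;
    return false;
  };
  return node;
}

// Three constructed scenarios: honest page, opacity-hidden wrapper, overlay on top.
function runScenarios() {
  const deps = (topNode) => ({ getStyle: (n) => n.style, topElementAt: () => topNode });
  const body = makeNode({});
  const honest = makeNode({}, makeNode({}, body));
  const hidden = makeNode({}, makeNode({ opacity: "0" }, body));
  const covered = makeNode({}, body);
  const overlay = makeNode({}, body); // transparent div hit-tested above `covered`
  return {
    honest: shouldHonorAutofillClick(honest, 10, 10, deps(honest)),   // true
    hidden: shouldHonorAutofillClick(hidden, 10, 10, deps(hidden)),   // false
    covered: shouldHonorAutofillClick(covered, 10, 10, deps(overlay)), // false
  };
}
```

In a real extension the same checks would be run against the live DOM at click time, and a failed check would log the event rather than autofill.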