Achilles’ Heel in Password Managers Puts Millions of Passwords at Risk with just one Click

A security researcher has shown that the browser extensions of widely used password managers can be tricked into handing sensitive data to a malicious web page with just one click.

Password managers are typically a well-secured vault, but their browser extensions turn out to have one major weakness. It was recently documented by security researcher Marek Tóth. The vulnerability allows an attacker's page to extract data through the extension with a single click and affects popular password managers including 1Password, LastPass, and iCloud Passwords.

The technique, which Tóth calls DOM-based extension clickjacking, is a variant of classic clickjacking and is described in detail in his blog post. By abusing the way browser extensions inject their own UI elements into web pages, an attacker can capture data the extension fills in, including logins, 2FA codes, passwords, credit card details, and personal information. Not all affected vendors have released a patch yet.

One Click, Multiple Data Breaches

The attack relies on visual manipulation. The attacker's page hides the extension's injected autofill element (for example by styling it with opacity set to 0) and positions it exactly where a decoy element, such as the 'Accept' button of a cookie banner or pop-up, is shown. When the user clicks 'Accept cookies', the click actually lands on the invisible extension element, which fills the page's hidden form with the user's stored data. Script on the attacker's page then reads the filled values and forwards them to a server under the attacker's control.

Tóth tested eleven password managers and found that all were vulnerable to this technique in their default configuration. He also found that several extensions autofill not only on a site's main domain but also on its subdomains. An attacker therefore does not need to lure the victim to an unrelated domain: a single XSS vulnerability in any subdomain of a site where the victim has saved credentials is enough to mount the attack and extract the user's data.
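As an added illustration (this is not code from Tóth's research or from any vendor's patch), the following JavaScript models the visibility gate an extension could apply before trusting a click on UI it injected into a page. The DOM, the element names and the cookie-banner layout are constructed for the example and the opacity threshold is an assumption; in a browser the same checks would be built on getComputedStyle(), getBoundingClientRect() and document.elementFromPoint().

```javascript
// Added example, not code from Tóth's research or from any vendor's patch: a visibility
// gate an extension could run before trusting a click on UI it injected into a page.
// The DOM is modelled with plain objects so this runs under Node; in a browser the same
// checks map to getComputedStyle(), getBoundingClientRect() and document.elementFromPoint().

const VIEWPORT = { width: 1280, height: 800 };   // constructed viewport size
const MIN_EFFECTIVE_OPACITY = 0.9;              // assumed threshold; anything fainter counts as hidden

function el(id, parent, style, rect, z = 0) {
  return { id, parent, style, rect, z };
}

// Effective opacity compounds up the ancestor chain; display:none and visibility:hidden propagate.
// This is what catches the attack: the page styles the extension's element (or a wrapper) with opacity:0.
function isRendered(node) {
  let opacity = 1;
  for (let n = node; n; n = n.parent) {
    const s = n.style || {};
    if (s.display === 'none' || s.visibility === 'hidden') return false;
    opacity *= s.opacity === undefined ? 1 : Number(s.opacity);
  }
  return opacity >= MIN_EFFECTIVE_OPACITY;
}

// Reject zero-sized or off-screen boxes (another way to hide an element without touching opacity).
function hasUsableBox(node, viewport) {
  const r = node.rect;
  if (!r || r.width < 1 || r.height < 1) return false;
  return r.x + r.width > 0 && r.y + r.height > 0 && r.x < viewport.width && r.y < viewport.height;
}

function isDescendant(node, ancestor) {
  for (let n = node; n; n = n.parent) if (n === ancestor) return true;
  return false;
}

// Decide whether a click on `target` should be honoured. `elementFromPoint(x, y)` is supplied by
// the caller (document.elementFromPoint in a browser) and returns the top-most hit-testable element.
function shouldHonourClick(target, viewport, elementFromPoint) {
  if (!isRendered(target)) return { ok: false, reason: 'not visibly rendered' };
  if (!hasUsableBox(target, viewport)) return { ok: false, reason: 'no usable on-screen box' };
  const cx = target.rect.x + target.rect.width / 2;
  const cy = target.rect.y + target.rect.height / 2;
  const top = elementFromPoint(cx, cy);
  if (top !== target && !isDescendant(top, target)) {
    return { ok: false, reason: `covered by ${top ? top.id : 'nothing'}` };
  }
  return { ok: true, reason: 'visible and top-most' };
}

// Stand-in for document.elementFromPoint: highest z-index element whose box contains the point
// and which takes part in hit testing (pointer-events:none elements are skipped, as in browsers).
function makeElementFromPoint(elements) {
  return (x, y) => elements
    .filter(e => e.rect && e.style.display !== 'none' && e.style.pointerEvents !== 'none'
      && x >= e.rect.x && x < e.rect.x + e.rect.width
      && y >= e.rect.y && y < e.rect.y + e.rect.height)
    .sort((a, b) => b.z - a.z)[0] || null;
}

// Constructed attacker page: the extension's autofill menu is styled with opacity:0 and stacked on
// top of a fake cookie banner's "Accept" button, so the user sees the button but clicks the menu.
function attackScenario() {
  const body = el('body', null, {}, { x: 0, y: 0, width: 1280, height: 800 });
  const banner = el('cookie-banner', body, {}, { x: 340, y: 300, width: 600, height: 200 }, 1);
  const accept = el('accept-cookies', banner, {}, { x: 560, y: 420, width: 160, height: 40 }, 1);
  const menu = el('pm-autofill-menu', body, { opacity: '0' }, { x: 560, y: 420, width: 160, height: 40 }, 2);
  return shouldHonourClick(menu, VIEWPORT, makeElementFromPoint([body, banner, accept, menu]));
}

// Same layout on an honest page: the menu is fully visible and nothing sits on top of it.
function benignScenario() {
  const body = el('body', null, {}, { x: 0, y: 0, width: 1280, height: 800 });
  const menu = el('pm-autofill-menu', body, {}, { x: 560, y: 420, width: 160, height: 40 }, 2);
  return shouldHonourClick(menu, VIEWPORT, makeElementFromPoint([body, menu]));
}

// Known gap: a visible decoy with pointer-events:none drawn over a visible menu is skipped by hit
// testing, so this gate alone cannot tell that the click was meant for the decoy.
function overlayScenario() {
  const body = el('body', null, {}, { x: 0, y: 0, width: 1280, height: 800 });
  const menu = el('pm-autofill-menu', body, {}, { x: 560, y: 420, width: 160, height: 40 }, 2);
  const decoy = el('accept-cookies', body, { pointerEvents: 'none' }, { x: 560, y: 420, width: 160, height: 40 }, 3);
  return shouldHonourClick(menu, VIEWPORT, makeElementFromPoint([body, menu, decoy]));
}

console.log(attackScenario(), benignScenario(), overlayScenario());
```

The attack scenario is refused because the effective opacity of the extension's element is zero, the benign one is accepted, and the third case shows the limit of this kind of gate: a decoy drawn above the element with pointer-events set to none is invisible to hit testing, and a page can also restyle or move the element between the check and the click. A check like this is therefore one layer of a fix, not a complete one.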

Waiting for a Patch

Bitwarden, Dashlane, NordPass, RoboForm, Keeper, Enpass, and ProtonPass have already released patches. Fixes from 1Password, iCloud Passwords, LastPass, LogMeOnce, and KeePassXC-Browser are still outstanding. Together, these password managers count tens of millions of active users.

The best advice is to install the update as soon as it becomes available. Until then, you can disable automatic filling in the extension's settings, so that credentials are only inserted when you explicitly pick an entry, or, in Chromium-based browsers, set the extension's site access to 'On click' (under the extension's details in chrome://extensions), so that it only runs on a page after you click its toolbar icon. Both options give you manual control over when and where the extension is active.

The researcher emphasizes that the technique is generic: any extension that injects clickable UI into web pages, such as crypto wallets or note-taking extensions, may be vulnerable in the same way. Until browser platforms provide structural protection for extension-injected UI, clickjacking via extensions remains a real threat.