Popular Password Managers Vulnerable to Clickjacking

A new study has revealed that six of the most widely used password managers—together serving tens of millions of users—are vulnerable to clickjacking, a technique that could allow attackers to steal credentials, two-factor authentication (2FA) codes, and payment card data.
Independent security researcher Marek Tóth disclosed the findings during the DEF CON 33 conference. His research was later confirmed by experts at Socket, who assisted with notifying affected vendors and coordinating public disclosure.
The Scope of the Vulnerability
Tóth tested 11 different password managers and found that all were vulnerable to at least one form of clickjacking. The six most popular affected tools include:
- 1Password 8.11.4.27
- Bitwarden 2025.7.0
- Enpass 6.11.6 (partial fix in 6.11.4.2)
- iCloud Passwords 3.1.25
- LastPass 4.146.3
- LogMeOnce 7.12.4
Together, these managers account for around 40 million users.

How the Attack Works
Clickjacking exploits user interaction by overlaying invisible elements on top of legitimate interfaces. In this case, attackers trick victims into triggering autofill actions from password managers while believing they are clicking harmless page elements such as pop-ups, cookie banners, or CAPTCHAs.
The attack relies on a malicious script running on a compromised or attacker-controlled website. This script manipulates the DOM (Document Object Model) using techniques such as:
- Adjusting element or root transparency
- Overlaying parent elements
- Creating partial or full-page overlays
- Tracking mouse movements so that any click triggers autofill
Once the script has set this up, a single click causes the password manager to autofill sensitive data into attacker-controlled fields.
Tóth demonstrated that malicious scripts can even detect which password manager is active in the victim’s browser and adapt the attack in real time.
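As an added example that is not part of the article, of Tóth's research, or of any vendor's extension, the following JavaScript shows a defensive pre-autofill check of the kind a password manager could run against the DOM manipulations listed above: it refuses to fill a field that is effectively transparent through its own or an ancestor's opacity, hidden by style, off-screen, or covered by another element at its centre. The element model, the function names and the OPACITY_FLOOR threshold are assumptions so the code runs in plain Node without a DOM; in a browser the same inputs would come from getComputedStyle, getBoundingClientRect and document.elementFromPoint.

```javascript
// Added example (not from the article or any vendor's code): a defensive
// pre-autofill visibility check. Element model is constructed for Node.
const OPACITY_FLOOR = 0.5; // assumption: below this a user cannot reasonably see the field

// Constructed stand-in for a DOM element.
function makeElement(id, parent, style = {}, rect = null) {
  return { id, parent, style, rect };
}

// Opacity compounds down the tree: 0.5 inside 0.2 renders at 0.1.
function effectiveOpacity(el) {
  let opacity = 1;
  for (let node = el; node; node = node.parent) {
    opacity *= node.style.opacity === undefined ? 1 : node.style.opacity;
  }
  return opacity;
}

// display:none or visibility:hidden anywhere up the chain hides the element.
function isHiddenByStyle(el) {
  for (let node = el; node; node = node.parent) {
    if (node.style.display === 'none' || node.style.visibility === 'hidden') return true;
  }
  return false;
}

function isOffscreen(el, viewport) {
  const r = el.rect;
  if (!r || r.w <= 0 || r.h <= 0) return true;
  return r.x + r.w <= 0 || r.y + r.h <= 0 || r.x >= viewport.w || r.y >= viewport.h;
}

function contains(rect, x, y) {
  return x >= rect.x && x < rect.x + rect.w && y >= rect.y && y < rect.y + rect.h;
}

function isDescendantOf(el, ancestor) {
  for (let node = el.parent; node; node = node.parent) {
    if (node === ancestor) return true;
  }
  return false;
}

// Approximates document.elementFromPoint: of the elements whose box contains
// the point, the highest z-index wins and later elements win ties. Fully
// transparent elements still receive clicks, so opacity is deliberately ignored.
function topElementAt(x, y, elements) {
  let top = null;
  for (const el of elements) {
    if (!el.rect || !contains(el.rect, x, y) || isHiddenByStyle(el)) continue;
    const z = el.style.zIndex === undefined ? 0 : el.style.zIndex;
    const topZ = top && top.style.zIndex !== undefined ? top.style.zIndex : 0;
    if (!top || z >= topZ) top = el;
  }
  return top;
}

// Decide whether filling `field` is safe; `elements` is the page's element
// list in document order. Reasons are returned so the caller can warn or log.
function autofillCheck(field, elements, viewport) {
  const reasons = [];
  if (isHiddenByStyle(field)) reasons.push('hidden-by-style');
  if (effectiveOpacity(field) < OPACITY_FLOOR) reasons.push('low-opacity');
  if (isOffscreen(field, viewport)) {
    reasons.push('offscreen');
  } else {
    const cx = field.rect.x + field.rect.w / 2;
    const cy = field.rect.y + field.rect.h / 2;
    const top = topElementAt(cx, cy, elements);
    if (top && top !== field && !isDescendantOf(top, field)) reasons.push('covered-by:' + top.id);
  }
  return { safe: reasons.length === 0, reasons };
}

// Three constructed pages: a normal login form, the same form under a nearly
// transparent ancestor, and the same form beneath a full-page transparent overlay.
function demo() {
  const viewport = { w: 1000, h: 800 };
  const body = makeElement('body', null, {}, { x: 0, y: 0, w: 1000, h: 800 });
  const form = makeElement('form', body, {}, { x: 80, y: 80, w: 300, h: 120 });
  const pw = makeElement('password', form, {}, { x: 100, y: 120, w: 200, h: 30 });
  const clean = autofillCheck(pw, [body, form, pw], viewport);

  const dimForm = makeElement('form', body, { opacity: 0.01 }, form.rect);
  const dimPw = makeElement('password', dimForm, {}, pw.rect);
  const dimmed = autofillCheck(dimPw, [body, dimForm, dimPw], viewport);

  const overlay = makeElement('overlay', body, { opacity: 0, zIndex: 9999 }, { x: 0, y: 0, w: 1000, h: 800 });
  const covered = autofillCheck(pw, [body, form, pw, overlay], viewport);

  return { clean, dimmed, covered };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The check is a heuristic, not a complete defence: it catches the transparency and overlay cases the article lists, but a decoy that leaves the field fully visible while the user misreads its purpose is outside what an extension can see, which is the limitation 1Password's statement below points at. Running such a check and falling back to an explicit confirmation prompt, as LastPass describes for payment data, is the practical combination.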
Vendor Responses
Tóth first reported the vulnerabilities to vendors in April 2025, warning that public disclosure would follow at DEF CON. Despite this, responses were mixed:
- 1Password called the findings “informative,” arguing that clickjacking is a well-known web threat beyond the full control of browser extensions.
- LastPass also labeled the report “informative” but highlighted existing mitigations such as pop-up notifications before autofilling payment details.
- Bitwarden acknowledged the issue, implemented fixes in version 2025.8.0, and stressed that the bugs were not considered critical.
- LogMeOnce did not respond until media coverage forced a statement, after which it confirmed a patch was in progress.
- Enpass rolled out partial fixes in version 6.11.4.2.

Other password managers, including Dashlane (v6.2531.1 released August 1), NordPass, ProtonPass, RoboForm, and Keeper (17.2.0 released in July), have already patched similar issues.

Mitigation and Recommendations
Tóth and Socket recommend that users disable autofill in their password managers and instead copy and paste credentials manually to reduce exposure.

“This is a long-known web attack technique that affects websites and browser extensions in general. Since the underlying issue lies in how browsers render web pages, we believe there is no comprehensive technical fix that browser extensions can implement on their own,” 1Password explained, noting that its extension already requires confirmation before autofilling payment data.