Geekzone: technology news, blogs, forums
Major password managers can leak logins in clickjacking attacks - DefCon 33
spacedog

485 posts

Ultimate Geek


#321502 22-Aug-2025 15:24
This feels like fairly concerning news coming out of DefCon 33. Clickjacking and autofill vulnerabilities for password managers have been a concern for a number of years, but it seems that security researcher Marek Toth uncovered new 0-day exploits that can affect all password managers via clickjacking. In particular, taking advantage of XSS vulnerabilities to steal user credentials with a single click. NordPass issued him a $10k bug bounty for his work, which indicates the severity. 1Password, LastPass, Google, iCloud, and more are all vulnerable. The responses from 1Password and LastPass are pretty troubling, and it looks like the only real fix might require browser API changes and overhauls?

 

The devious part of this is that it can use transparent overlays and/or deceptive user dialogs (e.g. cookie notices) to get a user to invoke their password manager and autofill and expose their credentials.

 

The advice is that automatic autofill is really bad, but even manual autofill is vulnerable, and even 1Password passkeys are vulnerable too. Marek's advice is that manual copy/paste is the only safe method now. This largely renders browser-based password manager extensions vulnerable and poses a real mess: it means users would have to disable the core usability function for which a password manager extension even exists. Fine for us 'geeks' who know their stuff, but trying to explain this to non-tech-savvy people (e.g. your 75-year-old parents) looks like a real nightmare.

https://www.bleepingcomputer.com/news/security/major-password-managers-can-leak-logins-in-clickjacking-attacks/

More specifically Marek's blog post is here which has his full DefCon presentation which is worth reading - https://marektoth.com/blog/dom-based-extension-clickjacking/

 

I'm still trying to wrap my head around just how bad and serious of a problem this is. I worry not so much about myself, but my employees, family and friends who turn to me for advice on 'best practices' and I'm still a bit fuzzy on how big of a risk this is.  I think for institutional sites like financial companies that have high security standards, MFA enforced, it's a low risk. But everywhere else? Not so sure.....
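The mechanism the post describes (the page makes the extension's injected autofill prompt transparent and puts a convincing decoy such as a cookie banner underneath it, so the user's click lands on the prompt) can be illustrated with the kind of self-check an extension could run before honouring a click. The code below is an added example written for this thread; it is not code from the post, from Marek Toth's talk, or from any password manager. The mini-DOM, the `OPACITY_FLOOR` threshold and the two scenarios are all constructed assumptions; in a real extension the same logic would run against document nodes, `getComputedStyle` and `document.elementFromPoint`.

```javascript
// Added illustration (not from the post, the linked talk or any vendor): a visibility
// self-check an extension's injected autofill prompt could run before acting on a click.
// Elements, styles and hit-testing are plain objects constructed for this demo.

const OPACITY_FLOOR = 0.5; // assumed threshold: anything fainter is treated as hidden

function makeElement(tag, style, rect, parent = null) {
  return { tag, style, rect, parent };
}

// Opacity composes down the tree, so 0.001 on any ancestor hides the widget too.
function effectiveOpacity(el) {
  let o = 1;
  for (let n = el; n; n = n.parent) o *= Number(n.style.opacity ?? 1);
  return o;
}

function isDescendantOf(node, ancestor) {
  for (let n = node; n; n = n.parent) if (n === ancestor) return true;
  return false;
}

function contains(rect, x, y) {
  return x >= rect.left && x <= rect.left + rect.width &&
         y >= rect.top && y <= rect.top + rect.height;
}

// Stand-in for document.elementFromPoint: topmost leaf whose box contains the point.
// Note that opacity does not affect hit-testing, which is what the attack relies on.
function makeHitTest(leavesBottomToTop) {
  return (x, y) => {
    for (let i = leavesBottomToTop.length - 1; i >= 0; i--) {
      const leaf = leavesBottomToTop[i];
      if (leaf.style.pointerEvents !== 'none' && contains(leaf.rect, x, y)) return leaf;
    }
    return null;
  };
}

// Reasons to refuse the click. An empty array means the prompt looks genuinely visible.
function clickjackingIndicators(widget, click, hitTest) {
  const reasons = [];
  for (let n = widget; n; n = n.parent) {
    if (n.style.display === 'none') reasons.push(`display:none on <${n.tag}>`);
    if (n.style.visibility === 'hidden') reasons.push(`visibility:hidden on <${n.tag}>`);
  }
  const opacity = effectiveOpacity(widget);
  if (opacity < OPACITY_FLOOR) reasons.push(`effective opacity ${opacity} is below ${OPACITY_FLOOR}`);
  if (widget.rect.width < 1 || widget.rect.height < 1) reasons.push('widget has no rendered area');
  if (!contains(widget.rect, click.x, click.y)) reasons.push('click is outside the widget box');
  const top = hitTest(click.x, click.y);
  if (!top || !isDescendantOf(top, widget)) reasons.push('another element is topmost at the click point');
  return reasons;
}

// Constructed scenario 1: ordinary login page, prompt fully visible where the user clicks.
function benignScenario() {
  const body = makeElement('body', {}, { left: 0, top: 0, width: 1280, height: 800 });
  const widget = makeElement('div', { opacity: '1' }, { left: 100, top: 200, width: 300, height: 40 }, body);
  return { widget, click: { x: 150, y: 220 }, hitTest: makeHitTest([widget]) };
}

// Constructed scenario 2: the page set opacity near zero on the container the extension
// rendered into and placed a fake "Accept cookies" button underneath, so the click the
// user aims at the button actually lands on the transparent prompt.
function hiddenPromptScenario() {
  const body = makeElement('body', {}, { left: 0, top: 0, width: 1280, height: 800 });
  const fakeBanner = makeElement('button', {}, { left: 100, top: 200, width: 300, height: 40 }, body);
  const container = makeElement('div', { opacity: '0.001' }, { left: 100, top: 200, width: 300, height: 40 }, body);
  const widget = makeElement('div', {}, { left: 100, top: 200, width: 300, height: 40 }, container);
  return { widget, click: { x: 150, y: 220 }, hitTest: makeHitTest([fakeBanner, widget]) };
}

function shouldAcceptClick(scenario) {
  return clickjackingIndicators(scenario.widget, scenario.click, scenario.hitTest).length === 0;
}
```

In the second scenario the hit test still reports the prompt as the topmost element, because transparency does not change where clicks go; only the ancestor opacity walk catches it. A check like this is a mitigation rather than a cure, which is consistent with the vendor responses quoted above suggesting that a real fix may need browser-level changes.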

wellygary
8358 posts

Uber Geek


  #3406505 22-Aug-2025 15:36
Many financials are heavily leaning on the "use hard passwords" and then "use a PW manager to manage them"....

 

e.g. from KiwiBank:

  • Use strong, unique passwords that are at least 12–16 characters long. Use a mix of uppercase and lowercase letters, numbers, and special characters. Avoid common words, names and predictable sequences like “123456” or “password”.
  • To make passwords easier to remember, try using passphrases. A passphrase is a sequence of words which is longer and more complex than a traditional password, making it harder for scammers to crack. You could use your favourite line from a song or an inspiring quote.
  • Use a different password for each account to prevent a single breach from compromising multiple accounts.
  • Use a password manager. A password manager can generate, store and autofill complex passwords securely.
  • Avoid saving passwords in browsers. Browsers can be vulnerable to attacks. Use a dedicated password manager.

 

 

I guess the question is... Is this exploit more risky than having Joe Public going back to either easy-to-remember passwords, or things like writing them down on sticky notes or notebooks...



Behodar
10533 posts

Uber Geek

Trusted
Lifetime subscriber

  #3406506 22-Aug-2025 15:38
If I've understood this correctly then the issue is limited to extensions, and not the browser's built-in password manager. Does that mesh with your understanding? I'm just trying to get my head around it: the underlying issue seems to be that you can "embed" parts of extensions in a page and extract their data without the user being aware.

johno1234
2848 posts

Uber Geek


  #3406510 22-Aug-2025 15:45
Does a 2FA such as a mobile app authenticator protect against this?

