This feels like fairly concerning news coming out of DefCon 33. Clickjacking and autofill vulnerabilities for passwords managers has been a concern for a number of years, but it seems that security researchers Marek Toth uncovered new 0-day exploits that can affect all password managers via clickjacking. In particular, taking advantage of XSS vulnerabilities to steal user credentials with a single-click. NordPass issued him a $10k bug bounty for his work which indicates the severity. 1Password, Lastpass, Google, iCloud, and more are all vulnerable. The responses from 1Password and Lastpass are pretty troubling and it looks like the only real fix might require browser api changes and overhauls?

The devious part of this is that it can use transparent overlays and/or deceptive user dialogs (e.g. cookie notices) to get a user to invoke their password manager and autofill and expose their credentials.

The advice is that automatic autofill is really bad, but even manual autofill is vulnerable and even 1Password passkeys are vulnerable, too. Marek's advice is that manual copy/paste is the only safe method now. This largely renders browser based password manager extensions vulnerable and poses a real mess means users would have to disable the core usability function for which a password manager extension even exists. Fine for us 'geeks' who know their stuff, but trying to explain this to non-tech savvy people (e.g. your 75 year parents) looks like a real nightmare.



https://www.bleepingcomputer.com/news/security/major-password-managers-can-leak-logins-in-clickjacking-attacks/



More specifically Marek's blog post is here which has his full DefCon presentation which is worth reading - https://marektoth.com/blog/dom-based-extension-clickjacking/





I'm still trying to wrap my head around just how bad and serious of a problem this is. I worry not so much about myself, but my employees, family and friends who turn to me for advice on 'best practices' and I'm still a bit fuzzy on how big of a risk this is. I think for institutional sites like financial companies that have high security standards, MFA enforced, it's a low risk. But everywhere else? Not so sure.....