

spacedog

496 posts

Ultimate Geek
+1 received by user: 62


#321502 22-Aug-2025 15:24

This feels like fairly concerning news coming out of DefCon 33. Clickjacking and autofill vulnerabilities for password managers have been a concern for a number of years, but it seems that security researcher Marek Toth uncovered new 0-day exploits that can affect all password managers via clickjacking.  In particular, taking advantage of XSS vulnerabilities to steal user credentials with a single click.  NordPass issued him a $10k bug bounty for his work, which indicates the severity.  1Password, LastPass, Google, iCloud, and more are all vulnerable.  The responses from 1Password and LastPass are pretty troubling and it looks like the only real fix might require browser API changes and overhauls?

 

The devious part of this is that it can use transparent overlays and/or deceptive user dialogs (e.g. cookie notices) to get a user to invoke their password manager and autofill and expose their credentials.

 

The advice is that automatic autofill is really bad, but even manual autofill is vulnerable and even 1Password passkeys are vulnerable, too.  Marek's advice is that manual copy/paste is the only safe method now. This largely renders browser-based password manager extensions vulnerable and poses a real mess: it means users would have to disable the core usability function for which a password manager extension even exists.  Fine for us 'geeks' who know their stuff, but trying to explain this to non-tech-savvy people (e.g. your 75-year-old parents) looks like a real nightmare.

https://www.bleepingcomputer.com/news/security/major-password-managers-can-leak-logins-in-clickjacking-attacks/

More specifically Marek's blog post is here which has his full DefCon presentation which is worth reading - https://marektoth.com/blog/dom-based-extension-clickjacking/

 

I'm still trying to wrap my head around just how bad and serious of a problem this is. I worry not so much about myself, but my employees, family and friends who turn to me for advice on 'best practices' and I'm still a bit fuzzy on how big of a risk this is.  I think for institutional sites like financial companies that have high security standards, MFA enforced, it's a low risk. But everywhere else? Not so sure.....


wellygary
8813 posts

Uber Geek
+1 received by user: 5298


  #3406505 22-Aug-2025 15:36

Many financials are heavily leaning on "use hard passwords" and then "use a PW manager to manage them"....

 

e.g. from KiwiBank:

  • Use strong, unique passwords that are at least 12–16 characters long. Use a mix of uppercase and lowercase letters, numbers, and special characters. Avoid common words, names and predictable sequences like “123456” or “password”.
  • To make passwords easier to remember, try using passphrases. A passphrase is a sequence of words which is longer and more complex than a traditional password, making it harder for scammers to crack. You could use your favourite line from a song or an inspiring quote.
  • Use a different password for each account to prevent a single breach from compromising multiple accounts.
  • Use a password manager. A password manager can generate, store and autofill complex passwords securely.
  • Avoid saving passwords in browsers. Browsers can be vulnerable to attacks. Use a dedicated password manager.

 

 

I guess the question is... Is this exploit more risky than having Joe public going back to either easy to remember passwords, or things like writing them down on sticky notes or notebooks....




Behodar
11101 posts

Uber Geek
+1 received by user: 6092

Trusted
Lifetime subscriber

  #3406506 22-Aug-2025 15:38

If I've understood this correctly then the issue is limited to extensions, and not the browser's built-in password manager. Does that mesh with your understanding? I'm just trying to get my head around it: the underlying issue seems to be that you can "embed" parts of extensions in a page and extract their data without the user being aware.


johno1234
3357 posts

Uber Geek
+1 received by user: 2843


  #3406510 22-Aug-2025 15:45

Does a 2FA such as a mobile app authenticator protect against this?




davidcole
6099 posts

Uber Geek
+1 received by user: 1465

Trusted

  #3406519 22-Aug-2025 16:48

This is why I don't run a browser extension....I'm not sure I trust them.

 

I tend to use KeePassXC's Auto-Type feature, so the only link to the browser is it interrogating the window name.







spacedog

496 posts

Ultimate Geek
+1 received by user: 62


  #3406685 22-Aug-2025 21:32

Behodar:

If I've understood this correctly then the issue is limited to extensions, and not the browser's built-in password manager. Does that mesh with your understanding? I'm just trying to get my head around it: the underlying issue seems to be that you can "embed" parts of extensions in a page and extract their data without the user being aware.

Browser-based password managers like Google Chrome's password manager are also vulnerable. The trick to this exploit is taking advantage of things like popups and 0% transparency overlays that deceive the user into invoking and 'autofilling' a hidden form/text field.  As I read it, this is the particularly devious nature of such attacks—it's 1-part social engineering and 1-part browser/extension exploitation.  It's surprisingly simple and elegant and now that I see it, I can't believe it hasn't already been used more in-the-wild....or maybe it has (likely by state-sponsored actors).
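The core of the mechanism described above is that credentials get filled into a field the user cannot actually see (hidden by opacity on a wrapper, or sitting under a decoy dialog). As an added example, not code from this thread or from Marek Toth's research, here is the visibility check a password manager or a site's own login script could run before autofilling; it assumes a window-like object `win` supplying `getComputedStyle`, `innerWidth`/`innerHeight` and `document.elementFromPoint` (the real `window` in a browser, a constructed stub in the test).

```javascript
// Added example: "can the user actually see this field?" check before autofill.
// Not code from the thread or from the researcher's work. `win` is a
// window-like object (the real `window` in a browser; a constructed stub when
// run outside one).

// Multiply opacity up the ancestor chain: opacity:0 on a wrapper hides the
// field just as well as opacity:0 on the field itself.
function effectiveOpacity(el, win) {
  let opacity = 1;
  for (let node = el; node; node = node.parentElement) {
    const style = win.getComputedStyle(node);
    if (style.display === 'none' || style.visibility === 'hidden') return 0;
    opacity *= parseFloat(style.opacity);
  }
  return opacity;
}

// Returns the reasons the field should NOT be autofilled; an empty list means
// it is a normal, visible, uncovered field.
function autofillRisk(el, win, minOpacity = 0.9) {
  const reasons = [];
  if (effectiveOpacity(el, win) < minOpacity) reasons.push('invisible-opacity');
  const r = el.getBoundingClientRect();
  if (r.width < 1 || r.height < 1) reasons.push('zero-size');
  const offScreen = r.right <= 0 || r.bottom <= 0 ||
                    r.left >= win.innerWidth || r.top >= win.innerHeight;
  if (offScreen) {
    reasons.push('off-screen');
  } else {
    // Hit-test the field's centre: if another element (a decoy cookie banner,
    // an overlay) is on top, the user is not clicking what they think they are.
    // Caveat: elementFromPoint skips overlays styled with pointer-events:none.
    const hit = win.document.elementFromPoint(r.left + r.width / 2, r.top + r.height / 2);
    if (hit && hit !== el && !el.contains(hit)) reasons.push('covered');
  }
  return reasons;
}

function isSafeToAutofill(el, win, minOpacity = 0.9) {
  return autofillRisk(el, win, minOpacity).length === 0;
}
```

A manager that applies this would still need a user gesture on a visible field; the check only rules out the obviously hidden targets, not a decoy that is itself a real, visible form.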


spacedog

496 posts

Ultimate Geek
+1 received by user: 62


  #3406687 22-Aug-2025 21:35

johno1234:

Does a 2FA such as a mobile app authenticator protect against this?

Nope. They show the exploit being used to intercept the TOTP (2FA code).  2FA does make it a little harder for the attacker as their exploit has to be a little more sophisticated, but it's still pretty easy for them to intercept the TOTP and gain access, but I imagine it would not be persistent in the sense that they would only gain access for the session they intercepted rather than being able to go back and login after the TOTP rotates.  You can't reverse engineer a TOTP code by intercepting one TOTP output.


spacedog

496 posts

Ultimate Geek
+1 received by user: 62


  #3406688 22-Aug-2025 21:45

wellygary:

Many financials are heavily leaning on "use hard passwords" and then "use a PW manager to manage them"....

e.g. from KiwiBank:

  • Use strong, unique passwords that are at least 12–16 characters long. Use a mix of uppercase and lowercase letters, numbers, and special characters. Avoid common words, names and predictable sequences like “123456” or “password”.
  • To make passwords easier to remember, try using passphrases. A passphrase is a sequence of words which is longer and more complex than a traditional password, making it harder for scammers to crack. You could use your favourite line from a song or an inspiring quote.
  • Use a different password for each account to prevent a single breach from compromising multiple accounts.
  • Use a password manager. A password manager can generate, store and autofill complex passwords securely.
  • Avoid saving passwords in browsers. Browsers can be vulnerable to attacks. Use a dedicated password manager.

I guess the question is... Is this exploit more risky than having Joe public going back to either easy to remember passwords, or things like writing them down on sticky notes or notebooks....

Yeah, the banks are usually pretty 'hardened', but the point you raise is the exact one troubling me....how do you advise Joe Public to deal with this...this is my exact fear...it freaks people out that they go back to what they think is 'safe', making up a password that they think is strong and then using it across multiple sites and exposing themselves to credential stuffing attacks....or just going back to sticky notes.  To be honest, sticky notes and notebooks are probably the safest option in some respects because they are air-gapped.  As long as you are not worried about someone breaking into your home or the housekeeper stealing your login creds, it's a lot safer than anything stored on the computer/cloud because it requires physical access.  Idk...this feels like a real mess to me...


gzt
18689 posts

Uber Geek
+1 received by user: 7827

Lifetime subscriber

  #3406701 22-Aug-2025 23:54

Autofill is bad. Password manager extensions with autofill are bad. It's not surprising that someone spent some time on this. After the initial there are usually followups.

gzt
18689 posts

Uber Geek
+1 received by user: 7827

Lifetime subscriber

  #3406702 22-Aug-2025 23:55

johno1234: Does a 2FA such as a mobile app authenticator protect against this?

Definitely not if the user has the password manager configured to autofill 2FA ; ).

johno1234
3357 posts

Uber Geek
+1 received by user: 2843


  #3406733 23-Aug-2025 09:36

What about passkeys? Need something that’s safe and remembering hundreds of distinct and complex passwords isn’t feasible.  


spacedog

496 posts

Ultimate Geek
+1 received by user: 62


  #3406735 23-Aug-2025 09:44

gzt: Autofill is bad. Password manager extensions with autofill are bad. It's not surprising that someone spent some time on this. After the initial there are usually followups.

 

The problem is that this means browser extensions and in-built password managers are rendered useless.  The user is left with running a standalone app that is not connected to their browser and has to manually copy/paste username and password from outside the browser.  Which is not far off what people used to do...keep a Word or Excel file on their computer and toggle back and forth and do lots of manual copy/paste.  Which is more secure against this exploit and less secure in a bunch of other terrible ways.  It's uglier for mobile users, where a lot of people live these days.  I'm still unclear on the risks of this particular vector on mobile browsers....I think it's equally bad, but there are some slight differences about how mobile works depending on the password manager...


spacedog

496 posts

Ultimate Geek
+1 received by user: 62


  #3406736 23-Aug-2025 09:45

johno1234:

What about passkeys? Need something that’s safe and remembering hundreds of distinct and complex passwords isn’t feasible.

Passkeys were exploitable too in the presentation by the security researcher. They particularly cited 1Password.  It's unclear if LastPass passkeys are equally vulnerable.

 

A password manager can still be used for the creation, storage and recall of hundreds of complex passwords, but having the convenience of browser integration with an extension or passkeys is exploitable until/if/when this gets fixed.  That actually renders passkeys the worst option, I think - manual copy/paste outside of the browser is the only thing that is safe was my takeaway, but I could be missing a finer point that someone smarter than me might be able to make about this risk.


MadEngineer
4591 posts

Uber Geek
+1 received by user: 2570

Trusted

  #3406738 23-Aug-2025 09:57

If you’re not properly monitoring login logs then you’re already cooked. 

 

The worst ones I’ve seen so far are requests from a known contact for you to check over a document in reply to an email you’ve sent them, only to learn later that your friend's email account has been taken over and that sign-in you’ve just done has given someone else your 2FA and a session cookie. Now your email account is spamming all your contacts for the same.






spacedog

496 posts

Ultimate Geek
+1 received by user: 62


  #3406745 23-Aug-2025 10:28

MadEngineer:

If you’re not properly monitoring login logs then you’re already cooked.

Agreed, but that's kind of a different problem and also not practical for the normal users. Also, not all sites allow you to view login activity and IP logs. For example, you can't view your login history on Amazon and many other ecomm sites where an attacker could spend and ship lots of goods if they exploited the user.


MadEngineer
4591 posts

Uber Geek
+1 received by user: 2570

Trusted

  #3406752 23-Aug-2025 12:11

I should have qualified that with *staff.




