Browser-based password managers unpatched clickjacking flaws security flaw
Vulnerability
Summary
Hide ▲
Show ▼
Researchers verified unpatched clickjacking flaws in browser-based password managers, putting tens of millions of users at risk of leaked credentials, 2FA codes, and credit card details.
Related Happenings
LastPass customer password vault backups exposed
Data Leak
H score71
First: 05.01.2026 11:30
Last: 05.01.2026 11:30
Sources 1
About this happening:
The **2022 LastPass data leak** exposed backups of about **30 million customer password vaults**, leaving more than **25 million users** with a **long-tail risk** of offline crack...
LastPass customer password vault backups exposed
Data LeakAbout this happening: The **2022 LastPass data leak** exposed backups of about **30 million customer password vaults**, leaving more than **25 million users** with a **long-tail risk** of offline crack...
1Password and Browserbase launch Secure Agentic Autofill for AI browser-agent authentication
Security Tool/Service
H score12
First: 11.10.2025 00:27
Last: 11.10.2025 00:27
Sources 1
About this happening:
**1Password** and **Browserbase** launched **Secure Agentic Autofill**, a new security capability that helps **AI browser agents** authenticate without exposing credentials. The l...
1Password and Browserbase launch Secure Agentic Autofill for AI browser-agent authentication
Security Tool/ServiceAbout this happening: **1Password** and **Browserbase** launched **Secure Agentic Autofill**, a new security capability that helps **AI browser agents** authenticate without exposing credentials. The l...
Password manager browser add-ons DOM-based extension clickjacking security flaw
Vulnerability
H score65
First: 20.08.2025 20:54
Last: 20.08.2025 20:54
Sources 1
About this happening:
**11 password manager browser add-ons** were shown vulnerable to **DOM-based extension clickjacking**, enabling a **single click** on attacker-controlled content to trigger auto-f...
Password manager browser add-ons DOM-based extension clickjacking security flaw
VulnerabilityAbout this happening: **11 password manager browser add-ons** were shown vulnerable to **DOM-based extension clickjacking**, enabling a **single click** on attacker-controlled content to trigger auto-f...
Latest development: 29.08.2025 12:58
Click Studios released Passwordstate 9.9 (Build 9972) on August 28, 2025 to fix a high-severity authentication bypass against the core Passwordstate Products' Emergency Access page and added protections against potential clickjacking attacks in the browser extension, likely in response to DOM-based extension clickjacking findings affecting password manager browser add-ons.
Timeline
-
20.08.2025 17:49 1 articles · 10mo ago
Browser-based password managers unpatched clickjacking flaws security flaw
Initial DisclosureAt **DEF CON 33**, researcher **Marek Tóth** disclosed a set of **clickjacking flaws** in **browser-based password managers** that could force autofill and reveal stored secrets.
Show sources
- Major password managers can leak logins in clickjacking attacks — www.bleepingcomputer.com — 20.08.2025 17:49