Browser-based password managers unpatched clickjacking flaws security flaw
Vulnerability
Summary
Researchers verified unpatched clickjacking flaws in browser-based password managers, putting tens of millions of users at risk of leaked credentials, 2FA codes, and credit card details.
Related Happenings
LastPass customer password vault backups exposed
Data Leak
First: 05.01.2026 11:30
Last: 05.01.2026 11:30
Sources 1
About this happening:
The **2022 LastPass data leak** exposed backups of about **30 million customer password vaults**, leaving more than **25 million users** with a **long-tail risk** of offline crack...
1Password and Browserbase launch Secure Agentic Autofill for AI browser-agent authentication
Security Tool/Service
First: 11.10.2025 00:27
Last: 11.10.2025 00:27
Sources 1
About this happening:
**1Password** and **Browserbase** launched **Secure Agentic Autofill**, a new security capability that helps **AI browser agents** authenticate without exposing credentials. The l...
Password manager browser add-ons DOM-based extension clickjacking security flaw
Vulnerability
First: 20.08.2025 20:54
Last: 20.08.2025 20:54
Sources 1
About this happening:
**11 password manager browser add-ons** were shown vulnerable to **DOM-based extension clickjacking**, enabling a **single click** on attacker-controlled content to trigger auto-f...
Latest development: 29.08.2025 12:58
Click Studios released Passwordstate 9.9 (Build 9972) on August 28, 2025 to fix a high-severity authentication bypass against the core Passwordstate Products' Emergency Access page and added protections against potential clickjacking attacks in the browser extension, likely in response to DOM-based extension clickjacking findings affecting password manager browser add-ons.
Timeline
20.08.2025 17:49 · 1 article
Browser-based password managers unpatched clickjacking flaws security flaw
Initial Disclosure
At **DEF CON 33**, researcher **Marek Tóth** disclosed a set of **clickjacking flaws** in **browser-based password managers** that could force autofill and reveal stored secrets.
Sources
- Major password managers can leak logins in clickjacking attacks — www.bleepingcomputer.com — 20.08.2025 17:49