Clickjacking flaws in multiple password managers
Summary
Six major password managers have unpatched clickjacking vulnerabilities that could allow attackers to steal account credentials, 2FA codes, and credit card details. The flaws were demonstrated at DEF CON 33 by independent researcher Marek Tóth. Affected password managers include 1Password, Bitwarden, Enpass, iCloud Passwords, LastPass, and LogMeOnce. The attack exploits browser-based autofill features, overlaying invisible HTML elements to trick users into leaking sensitive information. The vulnerabilities were disclosed to vendors in April 2025, with public disclosure planned for August 2025. Some vendors have acknowledged the issues but downplayed their severity. Bitwarden has released a patch, version 2025.8.0, to address the vulnerabilities. Users are advised to disable autofill and use copy/paste until fixes are available.
Timeline
- 20.08.2025 20:54 (1 article): Bitwarden releases patch for clickjacking vulnerabilities
  Bitwarden has released version 2025.8.0 to address the clickjacking vulnerabilities. Users are advised to update their password managers and configure site access to 'on click' in extension settings for Chromium-based browsers. The attack can steal various types of sensitive information, including credit card details, personal data, login credentials, and TOTP codes. The attack can be executed with a single click on an attacker-controlled website.
  Sources:
  - DOM-Based Extension Clickjacking Exposes Popular Password Managers to Credential and Data Theft – thehackernews.com – 20.08.2025 20:54
- 20.08.2025 17:49 (2 articles): Clickjacking flaws in multiple password managers disclosed at DEF CON 33
  Six major password managers were found to have unpatched clickjacking vulnerabilities that could allow attackers to steal account credentials, 2FA codes, and credit card details. The flaws were demonstrated at DEF CON 33 by independent researcher Marek Tóth. Affected password managers include 1Password, Bitwarden, Enpass, iCloud Passwords, LastPass, and LogMeOnce. The vulnerabilities were disclosed to vendors in April 2025, with public disclosure planned for August 2025. The attack technique is dubbed DOM-based extension clickjacking and involves making UI elements invisible by setting their opacity to zero. The research focused on 11 popular password manager browser add-ons.
  Sources:
  - Major password managers can leak logins in clickjacking attacks – www.bleepingcomputer.com – 20.08.2025 17:49
  - DOM-Based Extension Clickjacking Exposes Popular Password Managers to Credential and Data Theft – thehackernews.com – 20.08.2025 20:54
Information Snippets
- The attack exploits browser-based autofill features by overlaying invisible HTML elements.
  First reported: 20.08.2025 17:49 (2 sources, 2 articles)
  Sources:
  - Major password managers can leak logins in clickjacking attacks – www.bleepingcomputer.com – 20.08.2025 17:49
  - DOM-Based Extension Clickjacking Exposes Popular Password Managers to Credential and Data Theft – thehackernews.com – 20.08.2025 20:54
- The vulnerabilities were demonstrated at DEF CON 33 by independent researcher Marek Tóth.
  First reported: 20.08.2025 17:49 (2 sources, 2 articles)
  Sources:
  - Major password managers can leak logins in clickjacking attacks – www.bleepingcomputer.com – 20.08.2025 17:49
  - DOM-Based Extension Clickjacking Exposes Popular Password Managers to Credential and Data Theft – thehackernews.com – 20.08.2025 20:54
- Affected password managers include 1Password, Bitwarden, Enpass, iCloud Passwords, LastPass, and LogMeOnce.
  First reported: 20.08.2025 17:49 (2 sources, 2 articles)
  Sources:
  - Major password managers can leak logins in clickjacking attacks – www.bleepingcomputer.com – 20.08.2025 17:49
  - DOM-Based Extension Clickjacking Exposes Popular Password Managers to Credential and Data Theft – thehackernews.com – 20.08.2025 20:54
- The flaws were disclosed to vendors in April 2025, with public disclosure planned for August 2025.
  First reported: 20.08.2025 17:49 (2 sources, 2 articles)
  Sources:
  - Major password managers can leak logins in clickjacking attacks – www.bleepingcomputer.com – 20.08.2025 17:49
  - DOM-Based Extension Clickjacking Exposes Popular Password Managers to Credential and Data Theft – thehackernews.com – 20.08.2025 20:54
- Some vendors have acknowledged the issues but downplayed their severity.
  First reported: 20.08.2025 17:49 (2 sources, 2 articles)
  Sources:
  - Major password managers can leak logins in clickjacking attacks – www.bleepingcomputer.com – 20.08.2025 17:49
  - DOM-Based Extension Clickjacking Exposes Popular Password Managers to Credential and Data Theft – thehackernews.com – 20.08.2025 20:54
- Users are advised to disable autofill and use copy/paste until fixes are available.
  First reported: 20.08.2025 17:49 (2 sources, 2 articles)
  Sources:
  - Major password managers can leak logins in clickjacking attacks – www.bleepingcomputer.com – 20.08.2025 17:49
  - DOM-Based Extension Clickjacking Exposes Popular Password Managers to Credential and Data Theft – thehackernews.com – 20.08.2025 20:54
- The attack can be executed on websites vulnerable to cross-site scripting (XSS) or cache poisoning.
  First reported: 20.08.2025 17:49 (2 sources, 2 articles)
  Sources:
  - Major password managers can leak logins in clickjacking attacks – www.bleepingcomputer.com – 20.08.2025 17:49
  - DOM-Based Extension Clickjacking Exposes Popular Password Managers to Credential and Data Theft – thehackernews.com – 20.08.2025 20:54
- The main attack mechanic involves hiding the autofill dropdown menu using opacity settings, overlays, or pointer-event tricks.
  First reported: 20.08.2025 17:49 (2 sources, 2 articles)
  Sources:
  - Major password managers can leak logins in clickjacking attacks – www.bleepingcomputer.com – 20.08.2025 17:49
  - DOM-Based Extension Clickjacking Exposes Popular Password Managers to Credential and Data Theft – thehackernews.com – 20.08.2025 20:54
- The attack can be adapted in real-time to target the specific password manager active on the user's browser.
  First reported: 20.08.2025 17:49 (2 sources, 2 articles)
  Sources:
  - Major password managers can leak logins in clickjacking attacks – www.bleepingcomputer.com – 20.08.2025 17:49
  - DOM-Based Extension Clickjacking Exposes Popular Password Managers to Credential and Data Theft – thehackernews.com – 20.08.2025 20:54
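The hiding tricks the snippets list (opacity set to zero, a covering overlay, pointer-event tricks) are exactly the conditions an extension can test for before it treats a click on its own dropdown as a genuine user choice. The check below is an added example, not code from the original page or from any of the vendors named; the DOM is replaced by constructed plain objects, and the opacity threshold and the `scenario()` helper are assumptions.

```javascript
// Added example, not vendor code: checks that a password manager's autofill dropdown is
// genuinely visible and clickable before a click on it is honoured. Elements are constructed
// objects; a real extension would use getComputedStyle() and document.elementFromPoint().
const OPACITY_FLOOR = 0.9; // assumed threshold: anything dimmer is treated as hidden

function chain(el) { // the element followed by its ancestors up to the root
  const out = [];
  for (let n = el; n; n = n.parent) out.push(n);
  return out;
}
const contains = (r, x, y) => x >= r.x && x < r.x + r.w && y >= r.y && y < r.y + r.h;

// Stand-in for document.elementFromPoint over a back-to-front list: the front-most element
// under the point wins, and pointer-events:none elements are skipped as the browser does.
function makeHitTest(backToFront) {
  return (x, y) => {
    for (let i = backToFront.length - 1; i >= 0; i--) {
      const el = backToFront[i];
      if (chain(el).some(n => n.style.pointerEvents === 'none')) continue;
      if (contains(el.rect, x, y)) return el;
    }
    return null;
  };
}

// Every reason the dropdown is not really visible and clickable; an empty list means safe.
// Covers the hiding tricks the snippets name: zero opacity, an overlay, pointer-events tricks.
function hiddenReasons(menu, hitTest) {
  const reasons = [];
  for (const n of chain(menu)) { // a hidden ancestor hides the menu as well
    const s = n.style;
    if (s.display === 'none') reasons.push(`display:none on ${n.id}`);
    if (s.visibility === 'hidden') reasons.push(`visibility:hidden on ${n.id}`);
    if (Number(s.opacity ?? 1) < OPACITY_FLOOR) reasons.push(`opacity ${s.opacity} on ${n.id}`);
    if (s.pointerEvents === 'none') reasons.push(`pointer-events:none on ${n.id}`);
  }
  const cx = menu.rect.x + menu.rect.w / 2, cy = menu.rect.y + menu.rect.h / 2;
  const top = hitTest(cx, cy); // what a click at the menu's centre would really land on
  if (!top || !chain(top).includes(menu)) reasons.push(`covered at (${cx},${cy}) by ${top ? top.id : 'nothing'}`);
  return reasons;
}
const isSafeToAutofill = (menu, hitTest) => hiddenReasons(menu, hitTest).length === 0;

// Constructed scenario (not real site markup): page body, the dropdown and an optional overlay.
function scenario({ menuStyle = {}, overlayStyle = null } = {}) {
  const body = { id: 'body', parent: null, style: {}, rect: { x: 0, y: 0, w: 800, h: 600 } };
  const menu = { id: 'pm-menu', parent: body, style: menuStyle, rect: { x: 100, y: 100, w: 200, h: 80 } };
  const els = [body, menu];
  if (overlayStyle) els.push({ id: 'fake-banner', parent: body, style: overlayStyle, rect: body.rect });
  return { menu, hitTest: makeHitTest(els) };
}
```

The last scenario in the test matters most: an overlay with pointer-events:none lets the click pass through to the hidden menu, so a hit test alone reports nothing and only the opacity walk catches it.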
Similar Happenings
Critical SessionReaper vulnerability patched in Adobe Commerce and Magento Open Source
Adobe has patched a critical vulnerability (CVE-2025-54236) in its Commerce and Magento Open Source platforms, dubbed SessionReaper. This flaw, with a CVSS score of 9.1, could allow unauthenticated attackers to take control of customer accounts via the Commerce REST API. The patch was released on September 9, 2025, following an emergency notification to selected customers on September 4, 2025. Adobe Commerce on Cloud customers were already protected by a WAF rule deployed as an interim measure. The vulnerability is considered one of the most severe in the platform's history, with potential for widespread exploitation. Administrators are advised to apply the patch immediately, as it disables certain internal Magento functionalities that may affect custom or external code. The affected versions include Adobe Commerce 2.4.9-alpha2 and earlier, 2.4.8-p2 and earlier, 2.4.7-p7 and earlier, 2.4.6-p12 and earlier, 2.4.5-p14 and earlier, and 2.4.4-p15 and earlier. The affected versions also include Adobe Commerce B2B 1.5.3-alpha2 and earlier, 1.5.2-p2 and earlier, 1.4.2-p7 and earlier, 1.3.4-p14 and earlier, and 1.3.3-p15 and earlier. The affected versions include Magento Open Source 2.4.9-alpha2 and earlier, 2.4.8-p2 and earlier, 2.4.7-p7 and earlier, 2.4.6-p12 and earlier, and 2.4.5-p14 and earlier. The Custom Attributes Serializable module versions 0.1.0 to 0.4.0 are also affected.
Active Exploitation of FreePBX Zero-Day Vulnerability CVE-2025-57819
A zero-day vulnerability in FreePBX, identified as CVE-2025-57819, is actively exploited in the wild. The flaw allows unauthenticated access to the FreePBX Administrator, leading to arbitrary database manipulation and remote code execution. The vulnerability affects versions 15, 16, and 17 of FreePBX. Exploitation began on or before August 21, 2025, targeting systems with inadequate IP filtering or access control lists (ACLs). Users are advised to upgrade to the latest supported versions and restrict public access to the administrator control panel. Sangoma has released patches for the vulnerability and provided indicators-of-compromise (IOCs) to help administrators detect exploitation. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to apply fixes by September 19, 2025.
Citrix NetScaler ADC and Gateway vulnerabilities actively exploited
Citrix has released patches for three vulnerabilities in NetScaler ADC and NetScaler Gateway. One of these vulnerabilities, CVE-2025-7775, is a zero-day flaw actively exploited in the wild. The flaws affect various configurations and can lead to remote code execution, denial-of-service, or improper access control. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-7775 to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to remediate the flaw within 48 hours. The vulnerabilities were discovered by security researchers Jimi Sebree, Jonathan Hetzer, and François Hämmerli. Nearly 20% of NetScaler assets identified are on unsupported, end-of-life versions, primarily in North America and the APAC region.
Apple zero-day flaw in Image I/O framework exploited in targeted attacks
Apple has patched a zero-day vulnerability in the Image I/O framework (CVE-2025-43300) exploited in targeted attacks. The flaw, an out-of-bounds write issue, could lead to memory corruption or remote code execution. The vulnerability affects multiple iOS, iPadOS, and macOS versions. Apple has released updates for iOS 18.6.2, iPadOS 18.6.2, iPadOS 17.7.10, macOS Sequoia 15.6.1, macOS Sonoma 14.7.8, and macOS Ventura 13.7.8. The flaw was exploited in sophisticated attacks against specific individuals. The vulnerability impacts a wide range of devices, including iPhone XS and later, various iPad models, and Macs running macOS Sequoia, Sonoma, and Ventura. Users are advised to update their devices immediately to mitigate the risk. The flaw was discovered internally by Apple and addressed with improved bounds checking. Apple has fixed a total of seven zero-days exploited in real-world attacks since the start of the year. The attacker's identity and specific targets remain unknown, but the vulnerability was likely weaponized as part of highly targeted attacks. The attacks have been described as 'extremely sophisticated,' suggesting nation-state involvement or spyware activity. Apple has previously disclosed other zero-day vulnerabilities this year, including CVE-2025-24200 and CVE-2025-43200, which were also exploited in targeted attacks. WhatsApp has patched a security vulnerability in its iOS and macOS messaging clients that was exploited in targeted zero-day attacks. The flaw (tracked as CVE-2025-55177) affects WhatsApp for iOS prior to version 2.25.21.73, WhatsApp Business for iOS v2.25.21.78, and WhatsApp for Mac v2.25.21.78. The vulnerability, in combination with the Apple zero-day flaw (CVE-2025-43300), may have been exploited in a sophisticated attack against specific targeted users. The flaw is an insufficient authorization of linked device synchronization messages. WhatsApp has notified an unspecified number of individuals that it believes were targeted by an advanced spyware campaign in the past 90 days using CVE-2025-55177. The attacks impacted both iPhone and Android users, including civil society individuals. WhatsApp sent in-app threat notifications to fewer than 200 users who may have been targeted as part of the campaign. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the WhatsApp vulnerability (CVE-2025-55177) to its Known Exploited Vulnerabilities (KEV) catalog. The WhatsApp flaw was exploited as part of a highly targeted spyware campaign by chaining it with the Apple zero-day flaw (CVE-2025-43300). Federal Civilian Executive Branch (FCEB) agencies are advised to apply the necessary mitigations for both vulnerabilities by September 23, 2025, to counter active threats.
Microsoft ADFS Redirects Exploited for Credential Phishing
Hackers have been using legitimate ADFS redirects to steal Microsoft 365 logins. The attack begins with a malicious sponsored link in Google search results, leading to a phishing page through a chain of trusted redirects. The technique bypasses traditional URL-based detection and multi-factor authentication. The phishing page is only accessible to targets deemed valid by the attacker. The attackers set up a custom Microsoft tenant with ADFS configured to receive authorization requests from a malicious domain, which then redirects to the phishing page. The phishing site is disguised with fake blog posts to appear legitimate to automated scanners. The attack does not target specific industries or job roles and may be part of broader experimentation with new phishing techniques.