CyberHappenings logo
☰
🏠 Home πŸ“‚ Browse ℹ️ About

Track cybersecurity events as they unfold. Sourced timelines, daily updates. Fast, privacy‑respecting. No ads, no tracking.

Clickjacking vulnerabilities in major password managers

First reported
Last updated
πŸ“° 2 unique sources, 2 articles

Summary

Hide β–²

Six major password managers are vulnerable to unpatched clickjacking flaws that could allow attackers to steal account credentials, 2FA codes, and credit card details. The vulnerabilities, dubbed DOM-based extension clickjacking, can be exploited when users visit malicious pages or sites vulnerable to cross-site scripting (XSS) or cache poisoning, where attackers overlay invisible HTML elements over the password manager interface. Users may unknowingly trigger autofill actions that leak sensitive information. The flaws were presented at DEF CON 33 by independent researcher Marek TΓ³th and verified by Socket. Affected password managers include 1Password, Bitwarden, Enpass, iCloud Passwords, LastPass, and LogMeOnce. Bitwarden has released a fix, but patches are not yet available for all products. Users are advised to disable the auto-fill function and use copy/paste until fixes are available.

Timeline

  1. 20.08.2025 20:54 πŸ“° 1 articles Β· ⏱ 27d ago

    Bitwarden releases patch for DOM-based extension clickjacking

    Bitwarden has released version 2025.8.0 to address the clickjacking vulnerabilities. Users are advised to update their password managers and stay alert for phishing campaigns to avoid malicious websites. Bitwarden, Enpass, and iCloud Passwords are actively working on fixes, while 1Password and LastPass marked them as informative.

    Show sources
    Open in new tab
  2. 20.08.2025 17:49 πŸ“° 2 articles Β· ⏱ 27d ago

    Clickjacking vulnerabilities in major password managers disclosed at DEF CON 33

    The vulnerabilities are dubbed DOM-based extension clickjacking. The flaws allow attackers to overlay invisible HTML elements over the password manager interface, potentially stealing sensitive information. The technique involves manipulating UI elements in a web page that browser extensions inject into the DOM. The research focused on 11 popular password manager browser add-ons, all of which were found susceptible. The attack can be executed by creating a fake site with an intrusive pop-up and an invisible login form, allowing attackers to steal sensitive information with a single click. Bitwarden has released a fix, but patches are not yet available for all products. Users are advised to disable the auto-fill function and use copy/paste until fixes are available.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Cursor AI editor autoruns malicious code in repositories

A flaw in the Cursor AI code editor allows malicious repositories to execute arbitrary code automatically when opened. This vulnerability can lead to malware installation, environment hijacking, and credential theft. Cursor, an AI-powered IDE based on Visual Studio Code, disables the Workspace Trust feature by default, allowing this behavior. The flaw affects one million users who generate over a billion lines of code daily. Cursor developers have decided not to fix the issue, citing the need to maintain AI and other features. The vulnerability is part of a broader trend of prompt injections and jailbreaks affecting AI-powered coding and reasoning agents, which can embed malicious instructions to perform harmful actions or leak data.

Open in new tab

Microsoft September 2025 Patch Tuesday fixes 81 vulnerabilities, including two zero-days

Microsoft released updates for 80 vulnerabilities on September 2025 Patch Tuesday. None of these vulnerabilities were zero-days. The updates address eight critical flaws, including five remote code execution vulnerabilities, one information disclosure, and two elevation of privilege vulnerabilities. The vulnerabilities span various categories: 38 elevation of privilege, 2 security feature bypass, 22 remote code execution, 14 information disclosure, 3 denial of service, and 1 spoofing. One zero-day vulnerability was fixed in Windows SMB Server. The updates also include hardening features for SMB Server to mitigate relay attacks, with recommendations for administrators to enable auditing. The patch includes 38 elevation of privilege vulnerabilities, the highest number among all categories. CVE-2025-54918 is an EoP vulnerability in Windows NT LAN Manager (NTLM) marked as critical. CVE-2025-54111 and CVE-2025-54913 are EoP flaws in Windows UI XAML, allowing privilege escalation via phished credentials or malicious Microsoft Store apps. CVE-2025-55232 is an RCE vulnerability in the Microsoft High Performance Compute (HPC) Pack with a CVSS score of 9.8. CVE-2025-54916 is an RCE vulnerability in Windows NTFS that can be triggered by authenticated users. Microsoft's patch update includes recommendations for preparing for the end-of-life of Windows 10 and mandatory multifactor authentication (MFA) for Azure in October 2025.

Open in new tab

Critical SessionReaper flaw in Adobe Commerce and Magento Open Source patched

Adobe has patched a critical vulnerability (CVE-2025-54236) in its Commerce and Magento Open Source platforms, dubbed SessionReaper. The flaw could allow unauthenticated attackers to take control of customer accounts via the Commerce REST API. The vulnerability was disclosed to selected customers on September 4, 2025, with a patch released on September 9, 2025. Adobe Commerce on Cloud users were protected by a WAF rule until the patch was available. The flaw is considered one of the most severe in the history of the platform, potentially leading to session forging, privilege escalation, and code execution. No exploitation in the wild has been reported, but a hotfix was leaked, which could accelerate exploitation attempts. The vulnerability impacts various versions of Adobe Commerce, Adobe Commerce B2B, Magento Open Source, and the Custom Attributes Serializable module. Adobe has also patched a critical path traversal vulnerability in ColdFusion (CVE-2025-54261).

Open in new tab

Active Exploitation of FreePBX Zero-Day Vulnerability CVE-2025-57819

A zero-day vulnerability in FreePBX, identified as CVE-2025-57819, is being actively exploited. The flaw allows unauthenticated access to the FreePBX Administrator, leading to arbitrary database manipulation and remote code execution. The vulnerability affects specific versions of FreePBX, and exploitation began on or before August 21, 2025. Sangoma has released emergency patches for the vulnerability. Users are advised to update to the latest versions, restrict public access to the administrator control panel, and follow additional security recommendations. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-57819 to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to apply patches by September 19, 2025.

Open in new tab

Apple patches Image I/O zero-day exploited in targeted attacks

Apple has released emergency updates to fix a zero-day vulnerability (CVE-2025-43300) in the Image I/O framework. The flaw, an out-of-bounds write issue, was exploited in "extremely sophisticated" targeted attacks against specific individuals. The vulnerability affects multiple iOS, iPadOS, and macOS versions and devices. Apple has not attributed the discovery to a specific researcher or provided details about the attacks. The flaw allows attackers to exploit the vulnerability by supplying malicious input, potentially leading to remote code execution. Affected devices include various iPhone, iPad, and Mac models running specific versions of iOS, iPadOS, and macOS. The flaw was discovered internally by Apple and addressed with improved bounds checking. The vulnerability has been exploited as part of highly targeted attacks. Users are advised to install the updates promptly to mitigate potential ongoing attacks. CERT-FR has reported at least four instances of Apple threat notifications alerting users about mercenary spyware attacks since the beginning of the year. The attacks target individuals based on their status or function, including journalists, lawyers, activists, politicians, and senior officials. Apple has sent threat notifications to users in over 150 countries since 2021. Apple has backported fixes for the vulnerability to older versions of iOS, iPadOS, and macOS, including iOS 16.7.12, iPadOS 16.7.12, iOS 15.8.5, and iPadOS 15.8.5. The updates also address multiple other security flaws in various Apple products. The flaw was chained with a WhatsApp zero-click vulnerability (CVE-2025-55177) in targeted attacks. The attacks were described as "extremely sophisticated" by Apple and WhatsApp. Samsung also patched a remote code execution vulnerability chained with the CVE-2025-55177 WhatsApp flaw in zero-day attacks targeting its Android devices.

Open in new tab