
Password manager browser add-ons DOM-based extension clickjacking security flaw

Vulnerability · Happening score (H score) 30 · 1 unique source, 2 articles

Summary


Eleven password manager browser add-ons were shown to be vulnerable to DOM-based extension clickjacking: a single click on attacker-controlled page content can trigger the extension's autofill and hand the filled values to the attacker. Exposed data includes account credentials, TOTP/2FA codes, credit card details and, in some cases, passkeys. The issue was disclosed at DEF CON 33 and affects add-ons including 1Password and Apple iCloud Passwords. Bitwarden 2025.8.0 contains a fix; at the time of the report several other vendors had not yet released patches.
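The reports summarised here say the attack relies on the host page restyling or covering the extension's injected autofill UI so that an ordinary-looking click lands on it; they do not spell out which vendor applied which fix. The block below is an added illustration, not code from 1Password, Bitwarden, Passwordstate or any other vendor on this page: a "is my injected UI genuinely visible?" gate that an extension could run before honouring a click on its dropdown. It assumes concealment is done with `opacity`, `visibility`/`display`, or an opaque overlay (an assumption, since the page does not detail the technique), and the `makeNode`/`fakeStyle`/`fakeRect` helpers are constructed stand-ins for the DOM so the check runs under Node; the browser wiring is given in the comments.

```javascript
// Added illustration (not any vendor's code): a visibility gate a
// password-manager extension could run on its injected autofill dropdown
// before treating a click as user intent. DOM-based extension clickjacking
// is assumed here to conceal the dropdown via CSS on it or an ancestor, or
// to cover it with another element; the gate walks the ancestor chain for
// concealing styles, rejects collapsed boxes, and hit-tests the box centre.
//
// Browser wiring (assumed, not exercised in this file):
//   visibilityProblems(el, e => getComputedStyle(e),
//                      (x, y) => document.elementFromPoint(x, y),
//                      e => e.getBoundingClientRect());

const OPACITY_FLOOR = 0.99; // computed opacity below this counts as concealed

function label(node) {
  if (!node) return 'nothing';
  return node.id ? `${node.tagName}#${node.id}` : node.tagName;
}

function isAncestorOrSelf(ancestor, node) {
  for (let n = node; n; n = n.parentElement) if (n === ancestor) return true;
  return false;
}

// Returns human-readable reasons the element must not be trusted as a click
// target; an empty list means every check passed.
function visibilityProblems(el, getStyle, hitTest, getRect) {
  const problems = [];

  // 1. Concealing styles on the element or any ancestor: the host page can
  //    hide an injected element by styling any node above it.
  for (let node = el; node; node = node.parentElement) {
    const s = getStyle(node);
    if (s.display === 'none') problems.push(`display:none on ${label(node)}`);
    if (s.visibility === 'hidden') problems.push(`visibility:hidden on ${label(node)}`);
    const opacity = parseFloat(s.opacity);
    if (!Number.isNaN(opacity) && opacity < OPACITY_FLOOR) {
      problems.push(`opacity:${s.opacity} on ${label(node)}`);
    }
  }

  // 2. Geometry: a zero-size box is nothing the user could have aimed at.
  const r = getRect(el);
  if (!(r.width > 0 && r.height > 0)) {
    problems.push('zero-size box');
    return problems;
  }

  // 3. Hit test: the topmost element at the box centre is what the user saw.
  //    If it is not our element (or a descendant of it), something covers us.
  const top = hitTest(r.left + r.width / 2, r.top + r.height / 2);
  if (!isAncestorOrSelf(el, top)) problems.push(`covered by ${label(top)}`);

  return problems;
}

function shouldHonourClick(el, getStyle, hitTest, getRect) {
  return visibilityProblems(el, getStyle, hitTest, getRect).length === 0;
}

// ---- Constructed stand-ins for the DOM so the gate runs under Node ----
function makeNode(tagName, opts = {}, parent = null) {
  const { id = null, style = {}, rect = { left: 0, top: 0, width: 200, height: 40 } } = opts;
  return { tagName, id, style, rect, parentElement: parent };
}
const fakeStyle = node => ({ display: 'block', visibility: 'visible', opacity: '1', ...node.style });
const fakeRect = node => node.rect;

// Scenario A (constructed): the page wraps the injected dropdown in a div
// with opacity:0 and shows a decoy at the same spot, so the click hits the
// invisible dropdown itself (hit test returns the dropdown).
const bodyA = makeNode('BODY');
const wrapA = makeNode('DIV', { style: { opacity: '0' } }, bodyA);
const dropdownA = makeNode('DIV', { id: 'pm-autofill' }, wrapA);

// Scenario B (constructed): nothing is concealed.
const bodyB = makeNode('BODY');
const dropdownB = makeNode('DIV', { id: 'pm-autofill' }, bodyB);

// Scenario C (constructed): an opaque cookie banner sits on top of the dropdown.
const bodyC = makeNode('BODY');
const dropdownC = makeNode('DIV', { id: 'pm-autofill' }, bodyC);
const bannerC = makeNode('DIV', { id: 'cookie-banner' }, bodyC);

console.log('A', visibilityProblems(dropdownA, fakeStyle, () => dropdownA, fakeRect));
console.log('B', visibilityProblems(dropdownB, fakeStyle, () => dropdownB, fakeRect));
console.log('C', visibilityProblems(dropdownC, fakeStyle, () => bannerC, fakeRect));
```

Scenario A is rejected on the ancestor's `opacity:0`, B passes, and C is rejected because the hit test returns the banner. Treat this as a heuristic rather than a complete defence: CSS offers other ways to conceal or misplace a page-DOM element (clipping, transforms, blend modes), so an extension that can move its autofill UI out of the page's DOM entirely removes the whole class of restyling attacks rather than racing them check by check.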

Related Happenings

Bitwarden adds passkey login for Windows 11 sign-in

Security Tool/Service
First: 05.03.2026 00:34 Last: 05.03.2026 00:34 Sources 1

About this happening: **Bitwarden** added **passkey login** for **Windows 11**, expanding passwordless sign-in and reducing phishing exposure for users who store credentials in the vault.

1Password adds phishing-URL pop-up warnings to block credential theft

Security Tool/Service
First: 25.01.2026 17:17 Last: 25.01.2026 17:17 Sources 1

About this happening: **1Password** has added built-in protection against **phishing URLs**, helping users avoid **credential theft** on malicious login pages. The update adds a **pop-up warning** when...

LastPass customer password vault backups exposed

Data Leak
First: 05.01.2026 11:30 Last: 05.01.2026 11:30 Sources 1

About this happening: The **2022 LastPass data leak** exposed backups of about **30 million customer password vaults**, leaving more than **25 million users** with a **long-tail risk** of offline crack...

CryptoChameleon LastPass vault-access phishing campaign

Campaign
First: 24.10.2025 17:47 Last: 24.10.2025 17:47 Sources 1

About this happening: A **CryptoChameleon (UNC5356)** phishing campaign is using fake **LastPass inheritance requests** to trick users into handing over vault credentials and passkeys. The operation be...

1Password and Browserbase launch Secure Agentic Autofill for AI browser-agent authentication

Security Tool/Service
First: 11.10.2025 00:27 Last: 11.10.2025 00:27 Sources 1

About this happening: **1Password** and **Browserbase** launched **Secure Agentic Autofill**, a new security capability that helps **AI browser agents** authenticate without exposing credentials. The l...

Timeline

  1. 29.08.2025 12:58 · 1 article

    Passwordstate 9.9 fixes authentication bypass and adds clickjacking protections

    Mitigation Patch Update

    Click Studios released Passwordstate 9.9 (Build 9972) on August 28, 2025. The build fixes a high-severity authentication bypass affecting the core Passwordstate product's Emergency Access page and adds protections against potential clickjacking attacks in the browser extension, likely in response to the DOM-based extension clickjacking findings affecting password manager browser add-ons.

  2. 20.08.2025 20:54 · 1 article

    Password manager browser add-ons exposed to DOM-based extension clickjacking

    Initial Disclosure

    Marek Tóth disclosed DOM-based extension clickjacking at DEF CON 33, showing that 11 popular password manager browser add-ons, including 1Password and Apple iCloud Passwords, can be abused with a single click on attacker-controlled content to auto-fill and exfiltrate credentials, TOTP/2FA codes, credit card details and, in some scenarios, passkeys. According to Socket, Bitwarden, Enpass and iCloud Passwords were actively working on fixes, while 1Password and LastPass had marked the findings as informative; US-CERT was contacted for CVE assignment, and Bitwarden released 2025.8.0 to address the vulnerability.
