CyberHappenings

Authentication Bypass in Passwordstate Emergency Access Page

1 source, 1 article

Summary


Click Studios has released security updates for Passwordstate to fix an authentication bypass vulnerability in the Emergency Access page. The flaw, which has not yet been assigned a CVE, could allow an attacker to bypass authentication using a crafted URL. The same update adds protections against clickjacking attacks on the Passwordstate browser extension, following security researcher Marek Tóth's publication of a DOM-based extension clickjacking technique that affects the browser add-ons of multiple password managers. Passwordstate is used by 29,000 customers and 370,000 security and IT professionals across various sectors.
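As an added illustration of the class of defence involved (this is not Click Studios' patch and not Tóth's write-up; the page gives no details of either), the kind of visibility gate a password-manager extension can run before its injected autofill UI acts on a click. DOM-based extension clickjacking relies on the host page making the extension's injected element invisible (opacity, visibility, clipping) while a decoy element is drawn where it sits, so the gate walks the element's ancestor chain and hit-tests the click target. The style snapshots, element ids and `pw-autofill-*` names below are constructed assumptions so that the code runs outside a browser:

```javascript
// Rules that hide an element, or any ancestor, from the user while it can
// still receive clicks. Applied to every node from the injected UI up to <html>.
const HIDING_RULES = [
  (s) => parseFloat(s.opacity) < 0.5,          // transparent or near-transparent
  (s) => s.visibility === "hidden",
  (s) => s.display === "none",
  (s) => Boolean(s.clipPath) && s.clipPath !== "none", // conservative: any clip
  (s) => s.pointerEvents === "none",
];

// `styleChain` is an array of computed-style snapshots ordered from the
// injected element up to the document root. In a real extension it is built
// with getComputedStyle(el) while walking el.parentElement; plain objects are
// used here so the check can run in Node. Returns the index of the first
// hidden node, or -1 when the whole chain is visible.
function hiddenAncestorIndex(styleChain) {
  for (let i = 0; i < styleChain.length; i++) {
    if (HIDING_RULES.some((rule) => rule(styleChain[i]))) return i;
  }
  return -1;
}

// Hit-test: the element the browser would deliver the click to must belong to
// the extension's own UI. `topmostId` stands in for the id of
// document.elementFromPoint(x, y); `extensionUiIds` is the set of ids the
// extension injected (assumed names).
function isClickjacked(styleChain, topmostId, extensionUiIds) {
  if (hiddenAncestorIndex(styleChain) !== -1) return true; // UI invisible
  return !extensionUiIds.has(topmostId);                    // something else on top
}

// Gate an extension would call from its click handler before filling a form.
function shouldAutofill(styleChain, topmostId, extensionUiIds) {
  return !isClickjacked(styleChain, topmostId, extensionUiIds);
}

// Constructed sample inputs (not captured from any real page).
const VISIBLE = { opacity: "1", visibility: "visible", display: "block", clipPath: "none", pointerEvents: "auto" };
const visibleChain = [VISIBLE, VISIBLE];
// The host page set opacity:0 on a wrapper two levels above the dropdown: the
// dropdown is in the DOM and clickable, but the user sees only a decoy drawn
// underneath it.
const clickjackedChain = [VISIBLE, VISIBLE, { ...VISIBLE, opacity: "0" }];
const extensionUiIds = new Set(["pw-autofill-dropdown", "pw-autofill-item"]);

console.log(shouldAutofill(visibleChain, "pw-autofill-item", extensionUiIds));     // true
console.log(shouldAutofill(clickjackedChain, "pw-autofill-item", extensionUiIds)); // false
console.log(shouldAutofill(visibleChain, "cookie-banner", extensionUiIds));        // false
```

The two checks are complementary: the ancestor walk catches the case where the extension UI itself is made transparent, and the hit-test catches an opaque decoy layered over it. Neither catches a decoy with `pointer-events: none` drawn above a fully visible dropdown, which is why extensions that take this route usually also require an explicit, unspoofable user confirmation before filling credentials.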

Timeline

  1. 29.08.2025 12:58 · 1 article

    Click Studios patches Passwordstate authentication bypass in Emergency Access page

    Click Studios released Passwordstate 9.9 (Build 9972) on August 28, 2025, to address an authentication bypass vulnerability in the Emergency Access page. The update also includes protections against clickjacking attacks on the browser extension, discovered by security researcher Marek Tóth.


Similar Happenings

Command injection flaw in Libraesva ESG exploited by state actors

Libraesva has released an emergency update for its Email Security Gateway (ESG) to address a command injection vulnerability, CVE-2025-59689, that a state-sponsored actor exploited in the wild. The flaw stems from improper sanitization of compressed archive attachments: a crafted email attachment lets a non-privileged user execute arbitrary shell commands. It affects all versions from 4.5 onwards and is patched in 5.0.31, 5.1.20, 5.2.31, 5.3.16, 5.4.8 and 5.5.7; the fix was developed and deployed within 17 hours of the exploit being detected. The patch includes the sanitization fix, an automated scan for indicators of compromise, and a self-assessment module that verifies the update has been applied. The vulnerability has a CVSS score of 6.1 (medium severity). Libraesva has confirmed one incident of abuse by a foreign hostile state entity. Versions below 5.0 are end-of-life and will not receive a patch for CVE-2025-59689, so customers running them must upgrade manually to a supported release.

Malicious npm package 'fezbox' uses QR codes to deliver cookie-stealing malware

A malicious npm package named 'fezbox', disguised as a utility library, was downloaded at least 327 times before being removed from the npm registry. It fetches a JPG image containing a QR code and decodes it to obtain a second-stage payload, a steganographic technique intended to evade detection; the QR code is unusually dense and hard to read with a standard phone camera. The package's README mentions a QR Code Module, which made the behaviour appear legitimate, and the code uses reversed strings and other layers of obfuscation as anti-analysis measures. The second-stage payload reads the web cookie and, if both a username and a password are present, sends them via an HTTPS POST request to a command-and-control server. The package was published under the alias 'janedu', attributed to a Chinese-speaking attacker, and has been flagged as malware posing a supply-chain risk; the attacker's current status on the npm registry remains unclear.

Critical SessionReaper flaw in Adobe Commerce and Magento Open Source patched

Adobe has patched a critical vulnerability (CVE-2025-54236) in its Commerce and Magento Open Source platforms, dubbed SessionReaper. The flaw, with a CVSS score of 9.1, allows unauthenticated attackers to take control of customer accounts through the Commerce REST API. The patch was released on September 9, 2025, following an emergency notification to selected customers on September 4, 2025. No exploitation in the wild has been reported, but a hotfix leak may have provided threat actors with an advantage. Adobe Commerce on Cloud customers are already protected by a WAF rule. The patch disables certain internal Magento functionalities, potentially affecting custom or external code. The vulnerability impacts multiple versions of Adobe Commerce, Adobe Commerce B2B, and Magento Open Source, as well as the Custom Attributes Serializable module.

GPUGate Malware Campaign Targets IT Firms in Western Europe

A malware campaign codenamed GPUGate targets IT and software development companies in Western Europe and has recently expanded to macOS users. It uses Google Ads, SEO poisoning and fake GitHub commits to deliver malware, including the Atomic macOS Stealer (AMOS). The campaign, which began in December 2024, delivers a 128 MB Microsoft Software Installer (MSI) whose size helps it evade detection, and the malware uses GPU-gated decryption and other techniques to resist analysis; the end goal is information theft and delivery of secondary payloads. The threat actors have native Russian language proficiency and take a cross-platform approach. The macOS expansion relies on fake GitHub repositories that impersonate popular tools and use SEO poisoning to distribute Atomic Stealer; the actors rotate across multiple GitHub usernames to evade takedowns and have victims install the malware via Terminal commands. AMOS now includes a backdoor component for persistent, stealthy access to compromised systems. The campaign impersonates over 100 software products, including 1Password, Dropbox, Confluence, Robinhood, Fidelity, Notion, Gemini, Audacity, Adobe After Effects, Thunderbird and SentinelOne. The fake GitHub pages were created on September 16, 2025 and were immediately submitted for takedown. Similar tactics using malicious Google Ads and public GitHub repositories have been observed since at least April 2023, including campaigns in July 2025.

Supply Chain Attack Targets npm Packages with Over 2.6 Billion Weekly Downloads

A supply chain attack on npm packages that collectively see more than 2.6 billion weekly downloads has been discovered. The attackers compromised a maintainer's account through phishing and, beginning in April 2025, injected malicious code into packages including ansi-regex, ansi-styles, chalk and debug; the attack has since expanded to additional maintainers and packages. The injected code targets browser environments: it intercepts network traffic and application APIs, hooks Ethereum and Solana signing requests, and redirects transactions to attacker-controlled addresses, covering Ethereum, Bitcoin, Solana, Tron, Litecoin and Bitcoin Cash as well as wallets such as Atomic and Exodus. The malicious versions were removed within about two hours, and although the attack reached roughly 10% of all cloud environments, the attackers made little profit and more severe incidents were prevented. The incident follows a series of similar attacks on JavaScript libraries and underscores the ongoing risk to the npm ecosystem and the broader software supply chain.