A newly disclosed browser attack shows how even trusted password managers can be tricked into handing over your secrets. Security researchers have uncovered a DOM-based clickjacking technique that hides critical extension prompts behind fake UI elements, allowing attackers to exfiltrate usernames, passwords, and even one-time codes in a single click. This news highlights the need to balance convenience with vigilance.
How the Attack Works
- Lure and load: The attacker lures a victim to a malicious website and secretly loads a legitimate login page inside an invisible iframe.
- Decoy overlay: Using custom CSS and JavaScript, the attacker positions a fake login form over the real one and hides the password manager’s pop-up window. The user sees a normal-looking field but can’t tell the extension prompt is suppressed.
- Auto-fill and capture: When the user clicks the decoy button, the password manager auto-fills credentials and one-time codes. The site intercepts the DOM events, reads the auto-filled values and session cookies, and immediately sends them to the attacker’s server.
- Session hijacking: With valid username, password and MFA code, the attacker can log in instantly and even bypass multi-factor protections by replaying stolen session cookies.
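As an added example (not code from the article, the researchers, or any vendor's extension), the following JavaScript shows the kind of pre-fill check a password manager extension could run against the three steps above: is the page framed, is the target field hidden by CSS, and is something drawn on top of it. The DOM stand-ins (`makeElement`, `makeWindow`), the `OPACITY_FLOOR` threshold and all function names are assumptions chosen for this example so that it runs outside a browser.

```javascript
// Added example, not code from the article or any password manager vendor.
// Defender-side checks an extension could run before writing credentials into a
// field, one per attack step described above:
//   1. isFramed            - the login page is loaded inside another page's iframe
//   2. isEffectivelyHidden - the field (or an ancestor) is made invisible with CSS
//   3. isCovered           - another element is drawn on top of the field
// Window and element objects are passed in so the logic runs on a stub DOM in Node.

const OPACITY_FLOOR = 0.1; // assumption: effective opacity below this counts as hidden

// Step 1: reading win.top across origins throws, so an exception also means "framed".
function isFramed(win) {
  try {
    return win.top !== win.self;
  } catch (_e) {
    return true;
  }
}

// Step 2: walk the field and its ancestors. display/visibility/clip-path hide the
// subtree outright; opacity multiplies down the chain, so 0.3 inside 0.3 is 0.09.
function isEffectivelyHidden(el, win) {
  let opacity = 1;
  for (let node = el; node; node = node.parentElement) {
    const cs = win.getComputedStyle(node);
    if (cs.display === 'none' || cs.visibility === 'hidden') return true;
    if (cs.clipPath && cs.clipPath !== 'none') return true;
    opacity *= Number(cs.opacity);
    if (opacity < OPACITY_FLOOR) return true;
  }
  const r = el.getBoundingClientRect();
  return r.width <= 0 || r.height <= 0; // a zero-sized box is never visible
}

// Step 3: hit-test the field's centre. If the topmost element there is not the field
// or one of its descendants, a decoy sits on top of it.
function isCovered(el, win) {
  const r = el.getBoundingClientRect();
  const top = win.document.elementFromPoint(r.left + r.width / 2, r.top + r.height / 2);
  return !top || (top !== el && !el.contains(top));
}

// Combine the checks; the extension fills only when no reason to refuse remains.
function autofillDecision(el, win) {
  const reasons = [];
  if (isFramed(win)) reasons.push('page is framed');
  if (isEffectivelyHidden(el, win)) reasons.push('field is hidden by CSS');
  else if (isCovered(el, win)) reasons.push('field is covered by another element');
  return { fill: reasons.length === 0, reasons };
}

// --- Constructed stand-ins for the DOM (assumption: just enough surface for the checks) ---
function makeElement(style, rect, parent = null) {
  const el = {
    style,
    parentElement: parent,
    children: [],
    getBoundingClientRect: () => rect,
    contains(other) { return other === el || el.children.some((c) => c.contains(other)); },
  };
  if (parent) parent.children.push(el);
  return el;
}

function makeWindow({ framed, topmost }) {
  const win = {
    getComputedStyle: (el) => ({ display: 'block', visibility: 'visible', opacity: '1', clipPath: 'none', ...el.style }),
    document: { elementFromPoint: () => topmost },
  };
  win.self = win;
  win.top = framed ? {} : win; // a foreign top window is represented by a distinct object
  return win;
}

// Three constructed scenarios: an honest page, a decoy drawn over a visible field, and
// the full attack (framed page, real form wrapped in an opacity:0 container, decoy on top).
function demoScenarios() {
  const box = { left: 10, top: 10, width: 200, height: 30 };
  const honestField = makeElement({}, box);
  const honest = autofillDecision(honestField, makeWindow({ framed: false, topmost: honestField }));

  const visibleField = makeElement({}, box);
  const decoy = makeElement({}, box);
  const covered = autofillDecision(visibleField, makeWindow({ framed: false, topmost: decoy }));

  const wrapper = makeElement({ opacity: '0' }, box);
  const realField = makeElement({}, box, wrapper);
  const attacked = autofillDecision(realField, makeWindow({ framed: true, topmost: decoy }));

  return { honest, covered, attacked };
}

console.log(JSON.stringify(demoScenarios(), null, 2));
```

These checks are heuristics evaluated inside a page the attacker fully controls: an overlay kept just above the opacity floor, a decoy that leaves the field's centre pixel uncovered, or a transform that moves the real form off-screen can all slip past them. That is why the robust control is the one the mitigations below describe: require an explicit user action outside the page (a toolbar click or unlock prompt) before anything is filled, and treat in-page visibility checks as defence in depth.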
Impacted Password Managers
Researchers tested 11 popular password manager browser extensions and found them vulnerable to some form of DOM-based clickjacking. Affected extensions include:
- 1Password
- Apple iCloud Passwords
- Bitwarden
- Dashlane
- Enpass
- Keeper
- LastPass
- LogMeOnce
- NordPass
- Proton Pass
- RoboForm
The attack works across Chromium-based and Firefox browsers. All vendors were notified, and many have since released updates or mitigations.
Mitigation and Best Practices
- Disable auto-fill: Turn off automatic filling of credentials by default, or configure your extension to require a click on the browser toolbar before filling.
- Use biometrics or a desktop app: Where possible, use a desktop password manager application or require biometric unlock instead of silent autofill.
- Keep MFA separate: Generate one-time passwords in a dedicated authenticator app or hardware token rather than inside the password manager.
- Update and monitor: Keep your extensions up to date and watch vendor advisories for patches addressing clickjacking techniques.
- Inspect suspicious pages: If anything about a login page seems unusual—hidden fields, misaligned forms, or blocked keyboard input—don’t proceed. Close the page and notify your IT team or service provider.
Conclusion
Password managers remain one of the best tools for securely storing and generating unique credentials. However, convenience features like auto-fill can become a liability when abused by clever attackers. DOM-based clickjacking shows that a single misplaced click could disclose your entire vault. Users should review their browser extension settings, disable automatic filling where possible, and keep MFA codes in separate applications. Vendors are releasing fixes, but until then, awareness is your best defense.
Sources
- The Hacker News article on password manager clickjacking and affected vendors.