A researcher has analyzed nearly a dozen password managers and found that they were all vulnerable to clickjacking attacks that could lead to the theft of highly sensitive data.
The research was conducted by Marek Tóth and it was presented earlier this month at the DEF CON conference. The researcher has now also published a blog post detailing his findings.
The researcher targeted 1Password, Bitwarden, Dashlane, Enpass, Keeper, LastPass, LogMeOnce, NordPass, ProtonPass, RoboForm, and Apple’s iCloud Passwords, specifically their associated browser extensions.
These browser extensions are very popular. An analysis by the researcher found that they have a total of nearly 40 million active installations, based on data from the official browser extension repositories for Chrome, Edge and Firefox.
Clickjacking is an attack technique in which the attacker tricks the targeted user into clicking on hidden elements on a web page. The attacker sets up a website that contains malicious buttons or other elements that are transparent and positioned on top of harmless-looking elements on the page. When the victim visits the attacker’s website and interacts with these harmless-looking elements, they are actually clicking on the malicious element, unknowingly carrying out harmful actions.
Tóth showed how an attacker can use DOM-based extension clickjacking and the autofill functionality of password managers to exfiltrate sensitive data stored by these applications, including personal data, usernames and passwords, passkeys, and payment card information.
The attacks demonstrated by the researcher require 0-5 clicks from the victim, with a majority requiring just one click on a harmless-looking element on the page. The one-click attacks typically involved exploitation of XSS or other vulnerabilities.
DOM, or Document Object Model, is an object tree created by the browser when it loads an HTML or XML web page. It allows JavaScript and other scripting languages to interact with and modify the page, including hiding elements, modifying text, or adding new content dynamically.
Tóth’s attack involves a malicious script that manipulates user interface elements injected by browser extensions into the DOM. “The principle is that a browser extension injects elements into the DOM, which an attacker can then make invisible using JavaScript,” he explained.
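Because the attack works by rendering the extension’s injected autofill widget invisible, a content script can refuse to treat a click on that widget as consent while the widget is not visibly rendered. The following is an added illustration of such a check, not code from the article or from any of the password managers named in it; the element objects, `getStyle`, `fill` and `confirm` are hypothetical stand-ins so it runs offline in Node (in a browser you would pass real DOM nodes and `(node) => window.getComputedStyle(node)`).

```javascript
// Added example (not from the article or any vendor): audit the injected
// autofill widget's visibility before honouring a click on it.
const MIN_EFFECTIVE_OPACITY = 0.9; // near-transparent widgets count as hidden

// Returns { visible: true } or { visible: false, reason }.
function auditWidgetVisibility(widget, getStyle) {
  let effectiveOpacity = 1;
  // A hostile page can hide the widget by styling any ancestor, so walk from
  // the widget up to the document root instead of checking the widget alone.
  for (let node = widget; node; node = node.parentElement) {
    const s = getStyle(node);
    if (s.display === 'none') return { visible: false, reason: 'display:none' };
    if (s.visibility === 'hidden') return { visible: false, reason: 'visibility:hidden' };
    if (s.clipPath && s.clipPath !== 'none') return { visible: false, reason: 'clip-path' };
    // Opacity composes multiplicatively down the tree: 0.5 on <body> and 0.5
    // on the widget renders the widget at 0.25.
    effectiveOpacity *= Number(s.opacity ?? 1);
    if (effectiveOpacity < MIN_EFFECTIVE_OPACITY) {
      return { visible: false, reason: `effective opacity ${effectiveOpacity}` };
    }
  }
  const rect = widget.getBoundingClientRect();
  if (rect.width < 1 || rect.height < 1) return { visible: false, reason: 'zero-size' };
  return { visible: true };
}

// Click gate: autofill only when the widget is visibly rendered; otherwise fall
// back to an explicit confirmation prompt, the mitigation the vendors quoted in
// the article describe. `fill` and `confirm` are hypothetical callbacks.
function handleAutofillClick(widget, getStyle, fill, confirm) {
  const audit = auditWidgetVisibility(widget, getStyle);
  if (audit.visible) { fill(); return 'filled'; }
  return confirm(audit.reason) ? 'filled-after-confirm' : 'blocked';
}

// Constructed fixture: a minimal stand-in for a DOM ancestor chain.
// styles[0] is the root; the last entry is the widget.
function makeChain(styles) {
  let node = null;
  for (const style of styles) {
    node = { style, parentElement: node,
             getBoundingClientRect: () => ({ width: 200, height: 40 }) };
  }
  return node;
}
const styleOf = (node) => node.style;
```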
According to the researcher, some of the vendors have patched the vulnerabilities, but fixes have not been released for Bitwarden, 1Password, iCloud Passwords, Enpass, LastPass, and LogMeOnce.
SecurityWeek has reached out to these companies for comment. Bitwarden said a fix for the vulnerability is being rolled out this week with version 2025.8.0. LogMeOnce said it’s aware of the findings and its team is actively working on resolving the issue through a security update.
1Password and LastPass have shared additional context on the issue from the perspective of password manager developers.
Jacob DePriest, CISO at 1Password, pointed out that clickjacking is a long-standing web attack technique that affects websites and browser extensions broadly.
“Because the underlying issue lies in the way browsers render webpages, we believe there’s no comprehensive technical fix that browser extensions can deliver on their own,” DePriest told SecurityWeek.
“We take this and all security concerns seriously, and our approach to this particular risk is to focus on giving customers more control. 1Password already requires confirmation before autofilling payment information, and in our next release, we’re extending that protection so users can choose to enable confirmation alerts for other types of data. This helps users stay informed when autofill is happening and in control of their data,” he added.
Alex Cox, Director of Threat Intelligence, Mitigation, Escalation (TIME) at LastPass, also noted that Tóth’s research “highlights a broader challenge facing all password managers: striking the right balance between user experience and convenience, while also addressing evolving threat models.”
“LastPass has implemented certain clickjacking safeguards, including a pop-up notification that appears before auto-filling credit cards and personal details on all sites, and we’re committed to exploring ways to further protect users while continuing to preserve the experience our customers expect,” Cox explained.
He added, “In the meantime, our [TIME] team encourages all users of password managers to remain vigilant, avoid interacting with suspicious overlays or pop-ups, and keep their LastPass extensions up to date.”