Aug 29, 2025Ravie LakshmananVulnerability / Enterprise Safety
Click on Studios, the developer of enterprise-focused password administration answer Passwordstate, stated it has launched safety updates to handle an authentication bypass vulnerability in its software program.
The difficulty, which is but to be assigned a CVE identifier, has been addressed in Passwordstate 9.9 (Construct 9972), launched August 28, 2025.
The Australian firm stated it mounted a “potential Authentication Bypass when utilizing a rigorously crafted URL in opposition to the core Passwordstate Merchandise’ Emergency Entry web page.”
Additionally included within the newest model are improved protections to safeguard in opposition to potential clickjacking assaults aimed toward its browser extension, ought to customers find yourself visiting compromised websites.
The safeguards are possible in response to findings from safety researcher Marek Tóth, who, earlier this month, detailed a method referred to as Doc Object Mannequin (DOM)-based extension clickjacking that a number of password supervisor browser add-ons have been discovered susceptible to.
“A single click on anyplace on an attacker-controlled web site might enable attackers to steal customers’ information (bank card particulars, private information, login credentials, together with TOTP),” Tóth stated. “The brand new method is normal and might be utilized to different varieties of extensions.”
Based on Click on Studios, the credential supervisor is utilized by 29,000 clients and 370,000 safety and IT professionals, spanning international enterprises, authorities businesses, monetary establishments, and Fortune 500 firms.
The disclosure comes over 4 years after the corporate suffered a provide chain breach that enabled attackers to hijack the software program’s replace mechanism with the intention to drop malware able to harvesting delicate info from compromised programs.
Then in December 2022, Click on Studios additionally resolved a number of safety flaws in Passwordstate, together with an authentication bypass for Passwordstate’s API (CVE-2022-3875, CVSS rating: 9.1) that might have been exploited by an unauthenticated distant adversary to acquire a consumer’s plaintext passwords.
