Password manager: Browser extensions can enable data theft

An IT researcher has discovered a vulnerability in the browser extensions of password managers that allows credentials to be stolen.


(Image: peterschreiber.media/Shutterstock.com)


Password managers are designed to simplify the handling of many different passwords. To this end, they usually come with browser extensions that can automatically fill form fields with access data. An IT researcher has uncovered a vulnerability in the browser extensions of several password managers that allows malicious websites to steal credentials by means of a clickjacking attack.

Clickjacking attacks are well known: attackers place invisible elements over dialogs, for example, so that a visitor's clicks land on the invisible element rather than in the intended field. What is new is the DOM-based attack on browser extensions that Marek Toth presented at Defcon 33.

Toth describes the basic attack as follows. First, a malicious website needs an element that blocks access to the page, such as a cookie banner, a captcha or similar. The website itself contains a form, for example for personal data or a login. The attackers set the opacity of this form to 0.001, making it invisible. The focus() function is then used to activate a form field, whereupon the password manager's autofill drop-down appears. The new part of the attack is that, via the Document Object Model (DOM), the user interface of the browser extension itself can also be made invisible by reducing its opacity. This is where the DOM-based clickjacking takes place inside the browser extension: victims believe they are clicking on the cookie banner or captcha but actually click on the invisible dialog of the browser extension. The extension then fills in the form fields, and the attackers read out what was entered.

Toth examined the following password managers: 1Password, Bitwarden, Dashlane, Enpass, iCloud Passwords as a browser extension, Keeper, LastPass, LogMeOnce, NordPass, ProtonPass and RoboForm. In the tests, Toth used the password manager extensions to manually fill out forms.


With most password managers, a maliciously set up website lets attackers read non-domain-specific information such as credit card details or personal data (name, phone number, address and so on).

Password managers are usually vulnerable to the delivery of non-domain-specific data.

(Image: Marek Toth)

To obtain credentials and even two-factor data, attackers need to find a website with a cross-site scripting vulnerability, take over a subdomain, achieve web cache poisoning or the like, and the password manager must be configured to disregard subdomains, which is usually the default setting, Toth explains. As an example, he cites that a cross-site scripting vulnerability in "test.dev.sandbox.cloud.google.com" is sufficient to obtain the credentials for "accounts.google.com". Toth also describes a further attack that in some cases even allows passkeys to be abused via the clickjacking attack and new sessions to be opened by attackers.

By Tuesday of this week, Dashlane, Keeper, NordPass, ProtonPass and RoboForm had patched the vulnerabilities. LastPass has so far only contained the disclosure of non-domain-specific information. Version 2025.8.0 of Bitwarden is now also available; click on "Help" – "Check for updates..." to download and install the update. In the meantime, Enpass has also published updated browser extensions.

Toth makes a number of recommendations to help users protect themselves. These include activating automatic updates and ensuring that the latest version of the password manager is used. However, not every manufacturer offers updates yet. Deactivating the autofill feature mitigates the problem, but users then have to copy usernames and passwords manually. The "Exact URL match" setting is also helpful. In Chromium-based browsers, the extension's site access can additionally be set to "On click" instead of "On all websites" in the browser extension settings; the extension can then only be used after clicking its icon to the right of the address bar.
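To show why the subdomain default matters and what "Exact URL match" changes, here is an added illustration (not code from the article or from any of the password managers named in it) of a hypothetical URL-matching policy check, using the two hostnames from Toth's example. The "base domain" rule is simplified to the last two labels of the hostname; real extensions use the Public Suffix List, and the exact-URL rule here is assumed to compare origin and path.

```javascript
// Hypothetical helper: decides whether a saved login may be offered on a page.
// Not the implementation of any real password manager extension.

// Simplified "site" rule: last two labels. Real products use the Public Suffix
// List so that e.g. "example.co.uk" is handled correctly.
function baseDomain(host) {
  const labels = host.toLowerCase().split(".");
  return labels.slice(-2).join(".");
}

// policy: "base-domain" (common default, subdomains ignored),
//         "host" (hostname must match exactly),
//         "exact-url" (origin and path must match; the "Exact URL match" setting)
function shouldOfferCredential(savedUrl, pageUrl, policy) {
  const saved = new URL(savedUrl);
  const page = new URL(pageUrl);
  // Added safety rule: never offer a login saved for an https site on plain http.
  if (saved.protocol === "https:" && page.protocol !== "https:") return false;
  switch (policy) {
    case "base-domain":
      return baseDomain(saved.hostname) === baseDomain(page.hostname);
    case "host":
      return saved.hostname === page.hostname;
    case "exact-url":
      return saved.origin === page.origin && saved.pathname === page.pathname;
    default:
      throw new Error(`unknown matching policy: ${policy}`);
  }
}

// Constructed sample values using the hosts from the article.
const SAVED_LOGIN = "https://accounts.google.com/signin";
const XSS_HOST_PAGE = "https://test.dev.sandbox.cloud.google.com/";

// Under the default policy the XSS-affected subdomain is offered the login;
// under "host" or "exact-url" it is not.
function demo() {
  return ["base-domain", "host", "exact-url"].map(
    (p) => [p, shouldOfferCredential(SAVED_LOGIN, XSS_HOST_PAGE, p)]
  );
}
```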

IT researchers occasionally find vulnerabilities in password managers. Last October, for example, the German Federal Office for Information Security (BSI) analyzed the code of Vaultwarden and KeePass and discovered a number of security vulnerabilities.

Update

Added further published updates for browser extensions.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.