{“lastseen”:”2025-08-22T17:00:57″,”description”:”Sometimes it can seem as though everything’s toxic online, and the latest good thing turned bad is here: Browser pop-ups that look like they’re trying to help or authenticate you could be programmed to steal data from your password manager. To make matters worse, most browser extension-based password managers are still vulnerable to the attack.\\n\\nThis issue affects password managers like 1Password, LastPass, NordPass, and Enpass. They’re online services that store all your access credentials in an encrypted vault, and they use browser extensions to automatically fill in those passwords on web forms when you need them. Because they use extensions, you have to install them separately in your browser.\\n\\nThese extension-based password managers are more secure than those built natively into your web browser in some ways. Browser-based password managers tend to encrypt information using your browser access credentials. Malicious infostealer software can steal the files and decrypt them easily when you’re already logged in.\\n\\nBrowser extension-based password managers store encrypted vaults in memory or in other locations on your computer. They auto-lock after activity and instead of using operating system-level encryption, they use a separate master password. But while they have their benefits, nothing’s ever completely safe.\\n\\n## Clickjacking’s back\\n\\nAt the DEFCON security conference this month, cybersecurity researcher Marek T\u00f3th presented an attack that works on most browser extension-based password managers. It uses malicious code to manipulate the structure of the site in the browser, changing the way it looks and behaves.\\n\\nT\u00f3th, who was just demonstrating the attack to highlight the vulnerability, used this capability for a new version of an old attack called clickjacking. It persuades a victim to click on one thing on a web page but then uses that action to click something else.\\n\\nMessing with the structure of the site enabled him to make certain things invisible. One of these is a drop-down selector that extension-based password managers use to select and fill in account login credentials.\\n\\nHe used this trick to put an invisible overlay on top of a seemingly legitimate clickable element on the screen. When the user clicks it, they’re actually clicking on the overlay\u2014which is their password manager’s dropdown selector.\\n\\nThe result: the password manager gives up the victim’s secrets without their knowledge.\\n\\n## Think twice about what you click\\n\\nWhat would a decoy popup look like? These days, thanks to regulations from the EU, web sites often throw up permission banners that ask you if you’re OK with them using cookies. Most of us just click ‘yes’, but no matter what you click, an attack like this could put you at risk. Or an attacker could use an authentication button, or a \u201cThis content is sensitive, click yes if you really want to see it\u201d button. Or, given the recent push for age verification, an \u201cAre you really 18?\u201d button.\\n\\nThis attack can steal more than your login credentials. It can also pilfer other information stored in password managers, including credit card information, personal data like your name and phone number, passkeys (digital certificates which your computer can use instead of passwords), and time-based one-time passwords (TOTP). The latter are the login tokens your computer gets after you use authentication apps like Google Authenticator.\\n\\nT\u00f3th didn’t just release this out of the blue. He disclosed it to password manager companies ahead of time, but many addressed it only partly, and some not at all.\\n\\nAs of earlier this week, Dashlane, Keeper, NordPass, ProtonPass, and RoboForm had fixed the issue, according to T\u00f3th. Bitwarden, Enpass, and Apple (which uses an iCloud password manager) were in the progress of fixing it. 1Password had classified it as ‘informative’ but hadn’t fixed it yet. LastPass had fixed the vulnerability for personal and credit card data, but hadn’t yet fixed the vulnerability for login credentials, passkeys, or TOTP data. LogMeOnce hadn’t replied at all.\\n\\n## Protect yourself\\n\\nSo, what can you do about this threat? T\u00f3th provides the usual warnings about enabling automatic updates and ensuring you’re using the latest versions of the password manager products. The most secure protection is disabling the autofill feature that allows password managers to fill in web form fields without user intervention. Instead, you’d have to copy and paste your details manually.\\n\\nAnother more convenient option is to control autofill so that it only operates when you specifically click on the browser extension in your toolbar. On Chromium browsers like Edge and Google Chrome, that means going into your extension settings, selecting \u201csite access,\u201d and then selecting the \u201con click\u201d option. Selecting this would stop malicious code stealing your credentials in the way T\u00f3th describes.\\n\\nAnd as always, think twice about what you’re clicking when you’re on any website, especially any less trustworthy ones.\\n\\n* * *\\n\\n**We don\u2019t just report on threats\u2014we remove them**\\n\\nCybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.”,”published”:”2025-08-22T16:32:34″,”modified”:”2025-08-22T16:32:34″,”type”:”malwarebytes”,”title”:”Clickjack attack steals password managers\\u0026#8217; secrets”,”source”:””,”references”:””,”id”:”MALWAREBYTES:78D429CFBDB8ECC1F4A63962BB5A2908″,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.malwarebytes.com\/blog\/news\/2025\/08\/clickjack-attack-steals-password-managers-secrets”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-08-22T17:00:57″,”description”:”Sometimes it can seem as though everything’s toxic online, and the latest good thing turned bad is here: Browser pop-ups that look like they’re trying…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,115,13,33,7,11,5],"class_list":["post-14009","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-malwarebytes","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n