Popular password manager plugins have been identified as vulnerable to clickjacking attacks, which could lead to the theft of sensitive user information such as account credentials, credit card details, and two-factor authentication (2FA) codes. This technique, termed Document Object Model (DOM)-based extension clickjacking, was uncovered by security researcher Marek Tóth at the recent DEF CON 33 conference.
According to Tóth, a single click on a malicious website could allow attackers to exfiltrate user data, including personal information and login credentials, through the manipulated UI of the extensions. Clickjacking can trick users into unknowingly performing actions that compromise their security while making those actions seem innocuous.
The research specifically analyzed 11 popular password manager extensions, including well-known names like 1Password and iCloud Passwords, all of which are susceptible to this vulnerability. Tóth reports that many of these extensions have millions of users, indicating a broad potential impact.
To execute the attack, an attacker simply needs to set up a deceptive site featuring pop-ups, such as login forms. Users may inadvertently trigger the auto-fill feature of their password manager, disclosing their credentials and other sensitive data to the attacker’s server.
The research findings revealed that the majority of the tested password managers were vulnerable: 10 of the 11 could have credentials stolen with one click, with 9 also exposing TOTP codes. Some were even potentially vulnerable to passkey authentication exploits.
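Because the attack relies on the user clicking an auto-fill control or field that the page has rendered invisible, one defensive check an extension can make is to refuse to fill a field that is not actually visible. The following is an added example, not code from the article or from any password manager vendor; the DOM is modelled with plain objects and a constructed `fakeComputedStyle` so it runs in Node, and the `MIN_OPACITY` and `MIN_SIZE_PX` thresholds are assumptions.

```javascript
// Added example (not from the article or any vendor's extension): a visibility
// check an extension could run before auto-filling a field, refusing fields a
// page has hidden via opacity, display, visibility, size or off-screen placement.
// In a browser you would pass real elements and window.getComputedStyle.

const MIN_OPACITY = 0.9; // assumption: anything more transparent counts as hidden
const MIN_SIZE_PX = 8;   // assumption: a field smaller than this is not meant to be seen

function isFieldRenderedVisible(el, getStyle) {
  // Any ancestor that hides itself hides the field, so walk up to the root.
  for (let node = el; node; node = node.parentElement) {
    const s = getStyle(node);
    if (s.display === 'none' || s.visibility === 'hidden') return false;
    if (parseFloat(s.opacity) < MIN_OPACITY) return false;
  }
  const r = el.getBoundingClientRect();
  if (r.width < MIN_SIZE_PX || r.height < MIN_SIZE_PX) return false;
  // A field pushed outside the viewport is never seen by the user either.
  if (r.right <= 0 || r.bottom <= 0) return false;
  return true;
}

// Constructed stand-in for DOM elements: inline style overrides plus a rect.
function makeEl(style, rect, parent = null) {
  return { style, parentElement: parent, getBoundingClientRect: () => rect };
}
const BASE = { display: 'block', visibility: 'visible', opacity: '1' };
const fakeComputedStyle = (el) => ({ ...BASE, ...el.style });

const viewport = { width: 1200, height: 800, right: 1200, bottom: 800 };
const fieldRect = { width: 200, height: 30, right: 300, bottom: 200 };
const root = makeEl({}, viewport);
const honestField = makeEl({}, fieldRect, root);
const clearWrapper = makeEl({ opacity: '0' }, fieldRect, root); // transparent wrapper
const hiddenField = makeEl({}, fieldRect, clearWrapper);        // present in DOM, unseen
const offscreenField = makeEl({}, { width: 200, height: 30, right: -9799, bottom: 200 }, root);

// Returns the fill decision for each constructed field.
function demo() {
  return {
    honest: isFieldRenderedVisible(honestField, fakeComputedStyle),
    transparent: isFieldRenderedVisible(hiddenField, fakeComputedStyle),
    offscreen: isFieldRenderedVisible(offscreenField, fakeComputedStyle),
  };
}
console.log(demo()); // { honest: true, transparent: false, offscreen: false }
```

This covers only the hiding tricks listed in the comments; overlays that occlude a visible field need an additional hit-test (for example with `elementFromPoint`) before filling.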
Following the responsible disclosure of these vulnerabilities, six password manager vendors have not yet issued fixes. These include 1Password, Apple iCloud Passwords, and Bitwarden, among others.
In light of the ongoing risks, it’s recommended that users disable the auto-fill feature in their password managers until updates are released and use copy and paste instead for entering sensitive information. For browsers based on Chromium, it’s suggested to configure the extension’s site access settings so that auto-fill only runs when the user activates it manually.
As an immediate precaution, Bitwarden has released an updated version to address these vulnerabilities. Users should stay vigilant and follow updates from their password manager providers regarding fixes to ensure their data remains secure.