
11 Password Manager Extensions Found Vulnerable to Clickjacking Hidden Backdoor

Many of us rely on password managers. They are convenient digital keychains. They store the complex passwords we can’t possibly remember. We trust them to guard our most sensitive information, from social media logins to bank account details. But what if that trust is misplaced? What if the tool designed to protect you has a weakness that could expose everything?

Recent security research has uncovered a troubling vulnerability in many popular password managers. This isn’t a minor bug; it’s a fundamental flaw that could allow attackers to steal your data with a single, innocent-looking click. This article will break down the danger in simple terms and give you a clear action plan to protect yourself.

The Invisible Threat: Understanding Clickjacking

The technique used by attackers is called “clickjacking.” Imagine you are about to sign a document. Someone slips a carbon paper and a different, hidden contract underneath your page. You sign your name, thinking it’s for the document you can see, but your signature also transfers to the hidden contract. You’ve been tricked into signing something you never intended to.

Clickjacking on a computer works in a similar way. An attacker creates a malicious website that might look harmless, or they might even find a way to inject hidden code into a legitimate website. This code places an invisible layer over the web page you are viewing.

Here’s how the trap is set:

  1. A website might show you a pop-up asking you to accept cookies with “Accept” and “Reject” buttons.
  2. Your password manager recognizes a login form hidden behind the “Accept” button and offers to autofill your credentials.
  3. You click to autofill and then click the visible “Accept” button.
  4. In reality, your click is hijacked. The invisible layer registers your action and steals the username and password that your manager just filled in.

You won’t see anything suspicious. The page will look and act normally. But in the background, your private data—credit card numbers, personal addresses, and login credentials—could be in the hands of a thief.
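The defence that closes this trap sits inside the extension: before it honours a click on its own autofill prompt, it should verify that the prompt is actually rendered (not faded out, hidden or shrunk by page styling) and that the prompt itself is the element under the pointer rather than something layered over it. The JavaScript below is an added example written for this article, not code from the research or from any of the named products. It models the page as plain objects so it runs outside a browser; the opacity and size thresholds, the function names and the constructed scenarios are all assumptions.

```javascript
// Added example: a defensive "is this click real?" guard for an extension's
// injected autofill prompt. In a real extension the style values would come
// from getComputedStyle(node) and hitTarget from
// document.elementFromPoint(clientX, clientY); here both are modelled as plain
// objects so the logic can run under Node.

const MIN_EFFECTIVE_OPACITY = 0.9; // assumed threshold: dimmer than this counts as hidden
const MIN_SIDE_PX = 8;             // assumed threshold: smaller than this is unusable

// [node, parent, grandparent, ...] up to the root.
function ancestorChain(node) {
  const chain = [];
  for (let n = node; n; n = n.parent) chain.push(n);
  return chain;
}

// CSS opacity multiplies down the tree: two wrappers at 0.5 leave the prompt
// at 0.25 even though no single node says "opacity: 0".
function effectiveOpacity(node) {
  return ancestorChain(node).reduce((acc, n) => {
    const o = parseFloat(n.style.opacity ?? '1');
    return acc * (Number.isNaN(o) ? 1 : o);
  }, 1);
}

// Rendered only if no ancestor hides it and the combined opacity leaves it legible.
function isRendered(node) {
  for (const n of ancestorChain(node)) {
    if (n.style.display === 'none') return false;
    if (n.style.visibility === 'hidden' || n.style.visibility === 'collapse') return false;
  }
  return effectiveOpacity(node) >= MIN_EFFECTIVE_OPACITY;
}

// The prompt still occupies a usable on-screen footprint.
function hasUsableSize(node) {
  const r = node.rect ?? { width: 0, height: 0 };
  return r.width >= MIN_SIDE_PX && r.height >= MIN_SIDE_PX;
}

// True when target is root or one of its descendants (like Node.contains).
function contains(root, target) {
  return ancestorChain(target).includes(root);
}

// Combined verdict. hitTarget is the topmost element at the click point; if it
// is not inside the prompt, something else is drawn over the prompt.
function shouldHonorClick(promptNode, hitTarget) {
  if (!isRendered(promptNode)) return { ok: false, reason: 'prompt-not-rendered' };
  if (!hasUsableSize(promptNode)) return { ok: false, reason: 'prompt-too-small' };
  if (!hitTarget || !contains(promptNode, hitTarget)) return { ok: false, reason: 'prompt-obscured' };
  return { ok: true, reason: 'ok' };
}

// Constructed page: root -> wrapper(s) -> prompt -> fill button. hostStyles are
// applied to the wrappers, promptStyle to the prompt itself.
function buildScenario({ promptStyle = {}, hostStyles = [], overlay = false,
                         rect = { width: 240, height: 48 } } = {}) {
  const root = { id: 'root', style: {}, parent: null };
  let parent = root;
  hostStyles.forEach((style, i) => { parent = { id: `wrap${i}`, style, parent }; });
  const prompt = { id: 'prompt', style: promptStyle, parent, rect };
  const button = { id: 'fill-button', style: {}, parent: prompt };
  const overlayDiv = { id: 'overlay', style: {}, parent: root };
  return { prompt, hitTarget: overlay ? overlayDiv : button };
}

// Stand-alone demonstration of the four outcomes.
for (const [label, opts] of Object.entries({
  normal: {},
  fadedOut: { promptStyle: { opacity: '0' } },
  dimmedByWrappers: { hostStyles: [{ opacity: '0.5' }, { opacity: '0.5' }] },
  covered: { overlay: true },
})) {
  const { prompt, hitTarget } = buildScenario(opts);
  console.log(label, shouldHonorClick(prompt, hitTarget));
}
```

The point of the combined check is that no single signal is enough: a page script can leave the prompt's own opacity untouched and dim a wrapper instead, or leave everything visible and simply draw a transparent element on top of it, so the guard has to look at the whole ancestor chain and at what the browser reports under the pointer.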

An Alarming Discovery Reveals Widespread Risk

This isn’t just a theoretical problem. A security researcher, Marek Tóth, investigated this threat and presented his findings at the DEF CON security conference, a highly respected gathering of experts. He looked at 11 of the most popular password manager browser extensions and found that all of them were vulnerable to a new type of attack he named “DOM-based extension clickjacking.”

This sophisticated method allows a malicious script to manipulate the very user interface (UI) elements that browser extensions add to a webpage. The script makes these elements invisible, so the user has no idea they are interacting with a compromised site. The research estimated that around 40 million active installations of these extensions could be at risk.

The findings were serious:

Credit Card and Personal Data Theft

For many of the tested products, a single click anywhere on an attacker’s webpage was enough to expose stored credit card details, including the security codes (CVC). Personal data like your name, email, and address were also vulnerable in a majority of the tested managers.

Complete Login Theft

The vulnerability wasn’t limited to the main website domain. If a website had subdomains, an attacker could potentially use a weakness on any one of them to steal logins for the entire service. This included the theft of Time-based One-Time Passwords (TOTP), the changing codes used for two-factor authentication (2FA).

Passkey Exploitation

Even modern authentication methods like passkeys were not entirely safe. The research showed that in some scenarios, the authentication process could be hijacked, allowing an attacker to create a new, unauthorized session in your name.

Which Password Managers Were Affected?

The investigation covered a wide range of popular services. All 11 password managers tested were found to be vulnerable to this form of clickjacking. The list includes:

  • 1Password
  • Bitwarden
  • Dashlane
  • Enpass
  • iCloud Passwords
  • Keeper
  • LastPass
  • LogMeOnce
  • NordPass
  • ProtonPass
  • RoboForm

The researcher responsibly disclosed all vulnerabilities to the developers in April 2025, giving them several months to fix the issues before the public announcement in August 2025.

However, the response from the companies has been mixed. While some have issued patches, others have been slow to act. According to a report from August 22, 2025, several products were still problematic. For example, Bitwarden’s fix was still in progress, and LastPass and 1Password had reportedly classified the issue as “informative” without immediately deploying a fix. This slow response left millions of users exposed even after the danger was known. On the other hand, services like Dashlane, Keeper, and NordPass have fixed the issues.

Your Action Plan: How to Protect Your Digital Life Now

You are not powerless. You can take concrete steps right now to protect your accounts from this threat. Building good security habits is the best defense against any online danger.

Update Your Software Immediately

Your first and most crucial step is to ensure your password manager and its browser extension are updated to the very latest version. Developers release security patches through updates, and running an old version is like leaving your door unlocked. Check your browser’s extension store and the password manager’s official website for the newest release.

Activate the “On-Click” Shield

Most Chromium-based browsers (like Google Chrome, Microsoft Edge, and Brave) have a powerful setting you can change. You can set your extensions to only activate when you click on them. This single change is a strong defense against clickjacking because it forces you to manually approve the password manager’s action on a site, preventing it from being tricked by an invisible layer. To do this, go to your browser’s Extension Settings, find your password manager, and change the “Site access” permission to “On click.”

Use Safer Autofill Methods

The danger of this attack lies in the automatic or one-click filling of your data. Instead of relying on this, get into the habit of using safer methods. Many password managers, like Bitwarden, recommend using keyboard shortcuts (e.g., Ctrl+Shift+L), the right-click context menu, or manually dragging and dropping credentials from the extension. These methods require a clear, conscious action from you, which bypasses the clickjacking trick.

Consider an Offline Password Manager

For maximum security, you might consider using an offline password manager like KeePass or its popular variants (KeePassXC for desktop, KeePassium for iOS). These programs store your password vault as an encrypted file directly on your device. Since they are not inherently cloud-based or integrated into the browser in the same way, they are immune to many online threats like this one. You can even use an offline manager as a secure backup for your most critical passwords while still using a cloud-based one for daily convenience.

Other Dangers Are Always Lurking

It is important to remember that digital security is about layers. While this clickjacking vulnerability is a specific and serious threat, it is not the only one. For example, some Bitwarden users have reported unauthorized login attempts on their accounts. These are likely unrelated to clickjacking and are probably caused by brute-force attacks, where hackers use lists of emails and passwords leaked from other data breaches to try to gain access.

This highlights a critical truth: even with a secure password manager, you must use strong, unique passwords for every single one of your accounts. If a password you use on one site is leaked, hackers will try it everywhere, including on your password manager account itself. Your master password should be exceptionally strong and never reused anywhere else.