
Here's Why Your Password Manager App Might Be Safer Than a Browser Extension (and Why It Might Not Be)

A web-based attack called clickjacking can extract information from password manager browser extensions through their auto-fill feature. Here’s how to protect yourself.

Moe Long, Senior Editor
[Image: Privacy and security on the internet. Photo: James Martin/CNET]

A reliable password manager is an essential and recommended part of your cybersecurity toolkit, alongside a VPN and antivirus software. However, nothing is immune to vulnerabilities.

A clickjacking attack could be used to steal data from several password managers using the auto-fill settings, as revealed at Defcon 33 by a Czech Republic-based security researcher, Marek Tóth. This exploit only works with password manager browser extensions, not desktop and mobile apps.

A clickjacking attack could capture credit card information, personal data, usernames and passwords, passkeys or time-based one-time passwords. 

Here’s what you need to know, including how the vulnerability works, which password managers are currently susceptible and what you can do to stay safe.

A web-based clickjacking attack could be used to capture sensitive data from password managers

Clickjacking is an attack that relies on a user carrying out an action -- like clicking on a button -- believing they are doing one thing when they’re really doing something else. For example, you might see a button on a website encouraging you to download a plugin or firmware update, but instead of downloading whatever’s being promised, clicking it actually sends you to a web page or app run by an attacker.

Clickjacking can be used to capture your data, like usernames, passwords and banking information.

According to Tóth’s research, some password managers are susceptible to an exploit: If you unwittingly click on a web-based element that’s part of an attacker’s clickjacking scheme, your usernames, passwords and even banking information could be shared.

For instance, you might click on what you think is an innocent CAPTCHA, and while you’re solving what is really the attacker's clickjacking CAPTCHA, your password manager's auto-fill launches, selects all of your saved items and sends that data to the attacker. But as Tóth demonstrated, you won’t see your password manager's auto-fill launching, because the attacker’s site has set the opacity of those elements so that your password manager’s windows are invisible to you.

This isn’t really a password manager-specific vulnerability, but a web-based attack 

While Tóth demonstrated how a Document Object Model (DOM)-based attack could be used to run malicious code in your browser, it is technically a web-based attack to which websites and browsers in general are susceptible, not a vulnerability exclusive to password managers.

Tóth provides potential solutions for mitigating the vulnerability, and states that “the safest solution is to display a new pop-up window” when auto-fill happens, although he concedes “that will be very inconvenient for users.”
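As an added illustration (this is not code from CNET, from Tóth or from any password manager vendor), here is the kind of visibility check an extension could run on its injected auto-fill dropdown before treating a click on it as the user's intent, falling back to the separate confirmation pop-up described above whenever the dropdown cannot be shown to be visible. The threshold, the node layout and the function names are assumptions. The point it demonstrates is that checking only the element's own opacity is not enough: opacity applied by the host page to any ancestor hides the dropdown just as well, which is exactly the gap a naive check leaves open.

```javascript
// Added example, not code from CNET, Marek Tóth or any password manager:
// a visibility check an extension could run on its injected auto-fill
// dropdown before honoring a click on it. The host page controls the CSS
// around the dropdown, and opacity inherited from an ancestor hides a child
// just as well as the child's own opacity does, so the check walks the
// entire ancestor chain instead of looking at one element.

// Assumed threshold: anything more translucent than this is treated as hidden.
const MIN_EFFECTIVE_OPACITY = 0.9;

// Nodes are plain objects here so the example runs in Node:
//   { style: { opacity, visibility, display }, rect: { width, height }, parentElement }
// In a browser the same functions work on real elements when called with
// styleOf = (el) => getComputedStyle(el) and rectOf = (el) => el.getBoundingClientRect().
function effectiveOpacity(node, styleOf) {
  let opacity = 1;
  for (let n = node; n; n = n.parentElement || null) {
    const s = styleOf(n);
    if (s.display === 'none' || s.visibility === 'hidden') return 0;
    const own = parseFloat(s.opacity);
    if (!Number.isNaN(own)) opacity *= own; // opacity multiplies down the tree
    if (opacity === 0) return 0;
  }
  return opacity;
}

function hasRenderedArea(node, rectOf) {
  const r = rectOf(node);
  return r.width > 0 && r.height > 0;
}

// 'autofill' only when the dropdown is demonstrably visible; otherwise
// 'confirm', meaning: do not fill silently, open a separate confirmation
// window whose styling the host page cannot touch.
function autofillDecision(dropdown, styleOf = (n) => n.style, rectOf = (n) => n.rect) {
  if (!hasRenderedArea(dropdown, rectOf)) return 'confirm';
  if (effectiveOpacity(dropdown, styleOf) < MIN_EFFECTIVE_OPACITY) return 'confirm';
  return 'autofill';
}

// The insufficient check, for comparison: it only reads the element's own style.
function naiveOwnOpacityOnly(node) {
  return parseFloat(node.style.opacity) >= MIN_EFFECTIVE_OPACITY ? 'autofill' : 'confirm';
}

// Constructed sample trees (assumed shapes, not captured from a real page).
function makeNode(style, rect, parentElement) {
  return {
    style: { opacity: '1', visibility: 'visible', display: 'block', ...style },
    rect: { width: 240, height: 48, ...rect },
    parentElement,
  };
}

const body = makeNode({}, { width: 1200, height: 800 }, null);
const normalDropdown = makeNode({}, {}, body);            // honest page
const hiddenWrapper = makeNode({ opacity: '0' }, {}, body); // page-controlled ancestor
const dropdownInHiddenWrapper = makeNode({}, {}, hiddenWrapper); // own opacity is still 1
const faintDropdown = makeNode({ opacity: '0.02' }, {}, body);
const collapsedDropdown = makeNode({}, { width: 0, height: 0 }, body);

const samples = { normalDropdown, dropdownInHiddenWrapper, faintDropdown, collapsedDropdown };
for (const [name, node] of Object.entries(samples)) {
  console.log(name.padEnd(24), 'own style only:', naiveOwnOpacityOnly(node).padEnd(8),
              'full check:', autofillDecision(node));
}
```

The dropdown nested in a zero-opacity wrapper is the instructive case: its own style says fully opaque, so the naive check fills silently, while the ancestor walk returns an effective opacity of zero and routes the request to a confirmation window instead.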

There’s currently some debate about the best way to handle the situation. 1Password's CISO, Jacob DePriest, shared a statement via email with CNET, noting that copying and pasting passwords can introduce other risks and that the company is focused on fixes.

"We take this and all security concerns seriously, and our approach to this particular risk is to focus on giving customers more control. 1Password already requires confirmation before autofilling payment information. Our next release, already shipped and undergoing review from the browser extension stores, extends that protection so users can choose to enable confirmation alerts for other types of data. This helps users stay informed when autofill is happening and in control of their data," DePriest said.

Clickjacking isn't a novel threat to password manager browser extensions, and copying and pasting credentials like usernames or passwords can be a cybersecurity threat of its own: for example, if you've been compromised by a keylogger -- which records your keystrokes and can capture information you copy and paste -- or if you accidentally paste your password somewhere unintended.

Several password managers have begun offering full or partial patches to address potential browser add-on vulnerabilities. At the time of writing, NordPass, ProtonPass, RoboForm, Keeper, Dashlane, Enpass, 1Password, Bitwarden and LastPass have rolled out or begun rolling out full or partial fixes.

Bitwarden told CNET via email that its version 2025.8.0, which is rolling out now across browser stores, includes the primary fix. The team is also preparing another update (2025.8.1) to mitigate risk in other scenarios. "As always, the most effective protections remain what they’ve always been: staying alert to suspicious URLs, avoiding malicious websites, and remaining vigilant against phishing campaigns," said a Bitwarden representative.

For its part, LastPass has implemented certain clickjacking safeguards, including a pop-up notification that appears before auto-filling credit cards and personal details on all sites. Alex Cox, LastPass director of threat intelligence, mitigation and escalation, told CNET via email that the company is committed to exploring ways to further protect users. "In the meantime, our threat intelligence, mitigation and escalation (TIME) team encourages all users of password managers to remain vigilant, avoid interacting with suspicious overlays or pop-ups, and keep their LastPass extensions up to date."

iCloud Passwords reportedly has fixes in progress.

Here are the versions you should be using:

Here’s what you can do to stay safe

Several password managers have already taken action, with full or partial mitigations rolled out (or in the process of rolling out) from NordPass, ProtonPass, Keeper, RoboForm, Bitwarden, Dashlane, Enpass, 1Password and LastPass. But you’ll want to make sure you’re using the latest version of each browser extension to ensure you’ve got the fix installed.

If you're worried, you could use your password manager's desktop or mobile app rather than the browser add-on -- clickjacking is a web-based attack, meaning only browser extensions are vulnerable. So if your password manager hasn't provided a fix for the browser add-on yet, you can still safely use the mobile or desktop app.

Because clickjacking isn’t an attack unique to password managers, you’ll want to exercise good judgment and caution. Be careful with pop-ups, banner ads and CAPTCHAs, especially if they seem suspicious. You can hover your cursor over on-page elements without clicking, and the bottom of your browser window should show you where the link leads, so you can check whether it looks legitimate.

Since the clickjacking attack relies on auto-fill, you could disable your password manager’s browser extension auto-fill settings, instead relying on copying and pasting your various account credentials. That way, if you fall prey to a clickjacking attack that tries to auto-fill information from your password manager, it may not be successful.

But copying and pasting can make you vulnerable if you're compromised by a keylogger. You might even accidentally send someone your username, password, or other information because you forgot what you last copied.

If you’re concerned that your passwords have been compromised, you can make new ones. Most password managers include password generators, but if you’d prefer to create your own, I recommend abiding by the US Cybersecurity and Infrastructure Security Agency’s recommendations to make your passwords at least 16 characters long, including a mix of letters, numbers and special characters.

In addition to a password manager, you should be using a VPN when you’re worried about privacy -- like hiding your web browsing and app activity from your ISP -- as well as antivirus software. Many VPNs and antivirus apps include ad, tracker and pop-up blockers, which may help protect against malicious sites or links.

You can often bundle cybersecurity software for a convenient package, although there are pros and cons to bundling. While we typically advise against many free services, we do vouch for select free VPNs and antivirus software.

Although I don’t think you need to panic and jump ship, if you’re truly concerned, you can always switch to a password manager that’s rolled out a patch, or simply use desktop and mobile apps rather than browser add-ons. 

For more, learn why you should be using a password manager and how to set one up.