In the world of cybersecurity, sometimes the most dangerous threats are the ones hiding in plain sight, or rather, the ones hiding behind what you can’t see.

Introduction

Password managers have become the digital equivalent of Fort Knox for many of us (trusted guardians of our most sensitive information in an increasingly complex online world). We’ve been told repeatedly by security experts: use unique, complex passwords for every account and store them in a password manager. But what happens when the very tools designed to protect us become vectors for attack?

Czech security researcher Marek Tóth recently uncovered a sophisticated vulnerability affecting popular password manager browser extensions that could make your digital fortress about as secure as a sandcastle at high tide. This newly identified attack vector, dubbed “DOM-based extension clickjacking,” has sent shockwaves through the cybersecurity community, affecting extensions with a combined user base exceeding 40 million installations (Tóth).

The Art of Digital Sleight of Hand

Imagine you’re browsing a website and encounter a seemingly innocent cookie consent banner. You click “Accept” to dismiss it and continue browsing. Simple, right? Not quite. Through DOM-based extension clickjacking, that single click might have just handed over your credit card details, including security codes, to an attacker without you noticing a thing.

But how exactly does this digital sleight of hand work? DOM-based extension clickjacking represents an evolution of traditional clickjacking attacks, specifically targeting browser extensions that inject interactive elements into a webpage’s Document Object Model (DOM).

The attack exploits a fundamental aspect of how password manager extensions interact with web pages:

  • Password managers inject user interface elements (like autofill prompts) into the webpage DOM
  • An attacker’s malicious JavaScript can manipulate these elements, making them invisible while maintaining their functionality
  • Deceptive content is overlaid, tricking users into interacting with the hidden password manager interface
  • When users click what appears to be legitimate page elements, they unknowingly trigger the hidden password manager functionality

What makes this attack particularly concerning is its minimal interaction requirements. In many demonstrated scenarios, a single user click is sufficient to extract sensitive information.

Technical Mechanics

The DOM-based extension clickjacking vulnerability exploits several technical approaches:

  • Direct Element Manipulation: Applying CSS properties like opacity: 0 directly to the extension’s UI components, making them invisible while maintaining functionality
  • Parent Element Modification: Altering container elements that hold the password manager’s interface
  • Strategic Overlay Positioning: Placing deceptive content over the password manager’s interface while using CSS properties like pointer-events: none to ensure clicks pass through to hidden elements underneath

As Tóth explains, “The principle is that a browser extension injects elements into the DOM, which an attacker can then make invisible using JavaScript” (Tóth).
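Because every technique above hides the extension's own UI rather than breaking it, one defensive counter is for the extension to verify that its injected prompt is actually rendered before it treats a click as user intent. The following is an added example, not code from the article or from any password manager vendor: it walks the computed style of the prompt and all of its ancestors (so a parent-element opacity: 0 is caught just like one set directly on the prompt) and combines that with the isVisible flag of an IntersectionObserver created with trackVisibility: true, a Chromium API that accounts for occluding overlays that plain CSS inspection cannot see. The function names, the fake DOM nodes and the injected win object are constructed for the example so it runs outside a browser.

```javascript
'use strict';
// Added defensive example (hypothetical names: collectStyleChain, hiddenBy,
// shouldHonorClick). `win` is injected so the logic can be exercised offline
// with constructed nodes; in an extension it would be `window`.

// Collect the computed style of the element and every ancestor: opacity:0 or
// visibility:hidden on any ancestor hides the element just as effectively.
function collectStyleChain(el, win) {
  const chain = [];
  for (let node = el; node; node = node.parentElement) {
    chain.push(win.getComputedStyle(node));
  }
  return chain;
}

// Return the first CSS reason the UI is not rendered, or null if it looks visible.
function hiddenBy(styleChain) {
  for (const s of styleChain) {
    if (s.display === 'none') return 'display:none';
    if (s.visibility === 'hidden') return 'visibility:hidden';
    if (parseFloat(s.opacity) < 0.99) return `opacity:${s.opacity}`;
    if (s.clipPath && s.clipPath !== 'none') return `clip-path:${s.clipPath}`;
  }
  return null;
}

// Decide whether a click on the prompt may fill credentials.
// `observerVisible` is the `isVisible` flag delivered by an IntersectionObserver
// created with {trackVisibility: true}; it is the only signal here that notices
// an overlay with pointer-events:none sitting on top of the prompt. Pass null
// when the browser does not provide it.
function shouldHonorClick(el, win, observerVisible) {
  const reason = hiddenBy(collectStyleChain(el, win));
  if (reason) return { fill: false, reason };
  if (observerVisible === false) {
    return { fill: false, reason: 'occluded (IntersectionObserver v2)' };
  }
  return { fill: true, reason: null };
}

// --- Constructed fixtures standing in for real DOM nodes and getComputedStyle ---
function fakeNode(style, parent) {
  return { style, parentElement: parent || null };
}
const fakeWin = { getComputedStyle: (node) => node.style };

const visibleStyle = { display: 'block', visibility: 'visible', opacity: '1', clipPath: 'none' };
const body = fakeNode(visibleStyle);
// Honest case: the prompt and all its ancestors are rendered normally.
const honestPrompt = fakeNode(visibleStyle, body);
// Parent-element modification: only the container has been given opacity:0.
const hiddenContainer = fakeNode({ ...visibleStyle, opacity: '0' }, body);
const clickjackedPrompt = fakeNode(visibleStyle, hiddenContainer);

console.log(shouldHonorClick(honestPrompt, fakeWin, true));      // { fill: true, reason: null }
console.log(shouldHonorClick(clickjackedPrompt, fakeWin, true)); // { fill: false, reason: 'opacity:0' }
console.log(shouldHonorClick(honestPrompt, fakeWin, false));     // { fill: false, reason: 'occluded (IntersectionObserver v2)' }
```

The style walk alone is not sufficient: an overlay using pointer-events: none is ignored by hit testing, so neither getComputedStyle on the prompt nor document.elementsFromPoint reveals it, which is why the decision also consults the observer's occlusion-aware isVisible flag when the browser offers it.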

The Damage Potential

The severity of this vulnerability varies depending on context, but several concerning attack scenarios have been demonstrated:

On Malicious Websites

  • Extraction of stored credit card information, including card numbers, expiration dates, and security codes
  • Theft of personal data like names, addresses, and phone numbers
  • Credential harvesting

On Legitimate but Compromised Websites

  • If an attacker exploits cross-site scripting (XSS) vulnerabilities or subdomain takeovers on trusted domains, they can potentially extract login credentials and two-factor authentication codes
  • Even manipulation of passkey authentication flows is possible in some scenarios

Particularly concerning is how the attack can exploit the subdomain autofill behavior of password managers. If a user has credentials stored for a domain like accounts.google.com, an attacker only needs to find an XSS vulnerability on any subdomain (e.g., test.dev.sandbox.cloud.google.com) to potentially steal those credentials.
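The subdomain problem is a matter of autofill policy: whether a saved credential is matched against the page's exact origin or against its registrable domain decides how far an XSS on an unrelated subdomain can reach. The following is an added example, not code from the article or any vendor, that evaluates the article's accounts.google.com scenario under both policies. The function names are hypothetical, and registrableDomain is a deliberate simplification (last two labels) standing in for the Public Suffix List lookup a real password manager would use.

```javascript
'use strict';
// Added example: how an autofill origin policy changes the blast radius of an
// XSS on a sibling subdomain. Names (registrableDomain, autofillAllowed,
// exposureReport) are hypothetical; URLs below are constructed from the article.

// Simplified registrable domain: the last two labels. This is wrong for public
// suffixes such as co.uk; a real implementation consults the Public Suffix List.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split('.');
  return labels.slice(-2).join('.');
}

// Decide whether a credential saved for `savedUrl` may be offered on `pageUrl`
// under `policy`: 'exact-origin' or 'registrable-domain'.
function autofillAllowed(savedUrl, pageUrl, policy) {
  const saved = new URL(savedUrl);
  const page = new URL(pageUrl);
  // Never fill into a non-HTTPS page, whatever the matching policy says.
  if (page.protocol !== 'https:') return false;
  switch (policy) {
    case 'exact-origin':
      return saved.origin === page.origin;
    case 'registrable-domain':
      return registrableDomain(saved.hostname) === registrableDomain(page.hostname);
    default:
      throw new Error(`unknown policy: ${policy}`);
  }
}

// Constructed scenario from the article: the credential is stored for
// accounts.google.com and an attacker has script execution, via XSS, on an
// unrelated subdomain of the same registrable domain.
const SAVED = 'https://accounts.google.com/';
const SIBLING = 'https://test.dev.sandbox.cloud.google.com/page';

// Report what each policy would do for the same saved credential and page.
function exposureReport(savedUrl, pageUrl) {
  return {
    'registrable-domain': autofillAllowed(savedUrl, pageUrl, 'registrable-domain'),
    'exact-origin': autofillAllowed(savedUrl, pageUrl, 'exact-origin'),
  };
}

console.log(exposureReport(SAVED, SIBLING)); // { 'registrable-domain': true, 'exact-origin': false }
```

Under the registrable-domain policy the sibling subdomain is offered the credential, so the XSS there is enough for the clickjacking chain; under exact-origin matching the same page gets nothing, which is the reason several managers expose a per-credential "match exact host" option and why users may want to enable it for high-value accounts.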

Affected Password Managers

Tóth’s research presented at DEF CON 33 identified vulnerabilities in several password managers at the time of disclosure. The versions tested are listed below, though patch status has since varied. Users should consult vendor advisories for the latest updates:

  • 1Password (version 8.11.4.27)
  • Bitwarden (version 2025.7.0)
  • LastPass (version 4.146.3)
  • LogMeOnce (version 7.12.4)
  • Enpass (version 6.11.6)
  • Apple’s iCloud Passwords (version 3.1.25)
  • NordPass (now fixed in version 5.13.24 or later)
  • ProtonPass (now fixed in version 1.31.6 or later)
  • RoboForm (now fixed in version 9.7.6 or later)
  • Keeper (now fixed in version 17.2.0 or later)
  • Dashlane (now fixed in version 6.2531.1 or later)
  • KeePassXC-Browser (version 1.9.9.2)

The response from vendors has varied significantly. Some have quickly addressed the issue with comprehensive fixes, while others have taken a more measured approach or initially classified the issue as “informative” rather than a direct vulnerability in their products.

Jacob DePriest, CISO at 1Password, has noted that “the underlying issue lies in the way browsers render webpages” and that there’s “no comprehensive technical fix that browser extensions can deliver on their own” (Security Week). This stance highlights the fundamental tension between usability and security in password manager design.

Mitigation Strategies for Users

While awaiting comprehensive fixes from vendors, users can take several proactive steps to protect themselves:

  • Update Browser Extensions: Ensure you’re running the latest version of your password manager’s browser extension, as several vendors have released patches or partial mitigations.
  • Consider Alternative Access Methods: Use desktop or mobile applications, when possible, as these are not vulnerable to web-based clickjacking attacks.
  • Disable Autofill Functionality: Configure your password manager to require explicit action before filling credentials.
  • Exercise Caution with Web Interactions: Be suspicious of websites that display intrusive popups or request unusual interactions.
  • Implement Browser-Level Protections: For Chromium-based browser users, configure extension permissions to “on click” rather than allowing automatic access to all websites.

The Balancing Act

The discovery of DOM-based extension clickjacking vulnerabilities highlights a fundamental challenge in security design: the balance between usability and protection. While separate popup windows for autofill would provide stronger security against clickjacking, they would also introduce significant friction to the user experience, potentially driving users toward less secure practices out of convenience.

As Alex Cox, Director of Threat Intelligence at LastPass, notes, this research “highlights a broader challenge facing all password managers: striking the right balance between user experience and convenience, while also addressing evolving threat models” (Daily Security Review).

Conclusion

The DOM-based extension clickjacking vulnerability serves as a stark reminder that even security tools require vigilant oversight and continuous improvement. As password managers have become increasingly central to cybersecurity strategies, they have also become more attractive targets for sophisticated attacks.

Users should remain alert to potential risks while maintaining perspective; password managers still provide significant security benefits compared to alternative approaches like password reuse or weak memorized credentials. The appropriate response is not abandonment of these tools, but rather informed usage combined with additional security layers.

For the password management industry, this discovery highlights the need for continued innovation in secure design patterns for browser extensions. Future approaches may include greater isolation between extension interfaces and webpage content, improved verification of user intent before sensitive operations, and more robust detection of potential manipulation attempts.

As vendors continue to release updates addressing these vulnerabilities, users should prioritize keeping their software current and implementing available security options. By combining technical protections with informed usage practices, the risks associated with DOM-based extension clickjacking can be significantly reduced while preserving the substantial security benefits that password managers provide.

At ADI, we help organizations build sustainable cybersecurity frameworks that adapt as threats evolve. Whether you need guidance on compliance, strategy, or hands-on defense, our team is here to support your mission with tailored solutions. Explore ADI’s CMMC and cybersecurity services here.

Secure.Comply.Excel.