Technology

425 readers

364 users here now

Share interesting Technology news and links.

Rules:

No paywalled sites at all.
News articles has to be recent, not older than 2 weeks (14 days).
No videos.
Post only direct links.

To encourage more original sources and keep this space commercial free as much as I could, the following websites are Blacklisted:

Al Jazeera;
NBC;
CNBC;
Substack;
Tom's Hardware;
ZDNet;
TechSpot;
Ars Technica;
Vox Media outlets, with exception for Axios;
Engadget;
TechCrunch;
Gizmodo;
Futurism;
PCWorld;
ComputerWorld;
Mashable;
Hackaday;
WCCFTECH;
Neowin.

More sites will be added to the blacklist as needed.

Encouraged:

Archive links in the body of the post.
Linking to the direct source, instead of linking to an article talking about the source.

founded 1 year ago

MODERATORS

Pro@programming.dev

Zero-Day Vulnerability allow attackers to steal users data Found in Password Managers( 1Password, Bitwarden, LastPass, Enpass, iCloud Passwords, and LogMeOnce remain unpatched— still vulnerable) (marektoth.com)

submitted 9 months ago* (last edited 9 months ago) by Pro@programming.dev to c/Technology@programming.dev

21 comments fedilink hide all child comments

Fixed: NordPass, ProtonPass, RoboForm, Dashlane, Keeper

Still vulnerable: Bitwarden, 1Password, iCloud Passwords, Enpass, LastPass, LogMeOnce

Key Points

A new clickjacking technique where a malicious script manipulates UI elements that browser extensions inject into the DOM by making them invisible using javascript.

In my research, I selected 11 password managers that are used as browser extensions and the result was that all were vulnerable to "DOM-based Extension Clickjacking". Tens of millions of users could be at risk (~40 million active installations).

A single click anywhere on the attacker's website could leak credit card details including security codes (6 out of 9 were vulnerable) or exfiltrate stored personal information (8 out of 10 vulnerable).

All password managers filled credentials not only to the "main" domain, but also to all subdomains. An attacker could easily find XSS or other vulnerabilities and steal the user's stored credentials with a single click (10 out of 11), including TOTP (9 out of 11). In some scenarios, passkey authentication could also be exploited (8 out of 11).

All vulnerabilities were reported in April 2025 with a notice that public disclosure will be in August 2025. Some vendors have still not fixed described vulnerability: Bitwarden, 1Password, iCloud Passwords, Enpass, LastPass, LogMeOnce. Users of these password managers may still be at risk (~32.7 million active installations).

For Chromium-based browser users it is recommended to configure site access to "on click" in extension settings. This configuration allows users to manually control autofill functionality.

The described technique is general and I only tested it on 11 password managers. Other DOM-manipulating extensions are probably vulnerable (password managers, crypto wallets, notes etc.).

you are viewing a single comment's thread
view the rest of the comments

[–] _cryptagion@anarchist.nexus 8 points 9 months ago (1 children)

So from what I gather skimming through this, it requires a malicious browser extension to do the clickjacking. This seems as much a problem with people installing untrusted extensions as it is a problem with password managers.

[–] kewjo@lemmy.world 5 points 9 months ago* (last edited 9 months ago)

also issue with hackers paying to buy out extensions and then releasing an update. this has become an increasingly bigger issue over the years and a reason to install as few extensions you trust and read changelogs, but most people don't have the energy for that.

edit: on second look it looks more about a website hiding input through an interactive pop-up and the password manager autofilling or directing the user to input in malicious fields they can't see.