this post was submitted on 20 Aug 2025

66 points (98.5% liked)

Technology

425 readers

364 users here now

Share interesting Technology news and links.

Rules:

No paywalled sites at all.
News articles has to be recent, not older than 2 weeks (14 days).
No videos.
Post only direct links.

To encourage more original sources and keep this space commercial free as much as I could, the following websites are Blacklisted:

Al Jazeera;
NBC;
CNBC;
Substack;
Tom's Hardware;
ZDNet;
TechSpot;
Ars Technica;
Vox Media outlets, with exception for Axios;
Engadget;
TechCrunch;
Gizmodo;
Futurism;
PCWorld;
ComputerWorld;
Mashable;
Hackaday;
WCCFTECH;
Neowin.

More sites will be added to the blacklist as needed.

Encouraged:

Archive links in the body of the post.
Linking to the direct source, instead of linking to an article talking about the source.

founded 1 year ago

MODERATORS

Pro@programming.dev

Zero-Day Vulnerability allow attackers to steal users data Found in Password Managers( 1Password, Bitwarden, LastPass, Enpass, iCloud Passwords, and LogMeOnce remain unpatched— still vulnerable) (marektoth.com)

submitted 9 months ago* (last edited 9 months ago) by Pro@programming.dev to c/Technology@programming.dev

21 comments fedilink hide all child comments

Fixed: NordPass, ProtonPass, RoboForm, Dashlane, Keeper

Still vulnerable: Bitwarden, 1Password, iCloud Passwords, Enpass, LastPass, LogMeOnce

Key Points

A new clickjacking technique where a malicious script manipulates UI elements that browser extensions inject into the DOM by making them invisible using javascript.

In my research, I selected 11 password managers that are used as browser extensions and the result was that all were vulnerable to "DOM-based Extension Clickjacking". Tens of millions of users could be at risk (~40 million active installations).

A single click anywhere on the attacker's website could leak credit card details including security codes (6 out of 9 were vulnerable) or exfiltrate stored personal information (8 out of 10 vulnerable).

All password managers filled credentials not only to the "main" domain, but also to all subdomains. An attacker could easily find XSS or other vulnerabilities and steal the user's stored credentials with a single click (10 out of 11), including TOTP (9 out of 11). In some scenarios, passkey authentication could also be exploited (8 out of 11).

All vulnerabilities were reported in April 2025 with a notice that public disclosure will be in August 2025. Some vendors have still not fixed described vulnerability: Bitwarden, 1Password, iCloud Passwords, Enpass, LastPass, LogMeOnce. Users of these password managers may still be at risk (~32.7 million active installations).

For Chromium-based browser users it is recommended to configure site access to "on click" in extension settings. This configuration allows users to manually control autofill functionality.

The described technique is general and I only tested it on 11 password managers. Other DOM-manipulating extensions are probably vulnerable (password managers, crypto wallets, notes etc.).

top 21 comments

sorted by: hot top controversial new old

[–] Sxan@piefed.zip 10 points 9 months ago (2 children)

KeePassXC is not listed. Feels good, man.

[–] Pro@programming.dev 14 points 9 months ago (1 children)

Research on only 11 password managers

others DOM-manipulating extensions will be vulnerable (password managers, crypto wallets, notes etc. )

[–] Sxan@piefed.zip 3 points 9 months ago

gasp KeePass does do DOM manipulation, if you use the plugin! I never þought about it, because I don't use þe plugin, but it would have to, wouldn't it?

I switch browsers fairly regularly and tend to use ones which have no plugin capability, so instead I use a script triggered by a hot key which grabs þe web site title wiþ xdotool, queries þe KeePassDB, and copies the matching site's username or password into the clipboard. It requires hotkey+paste, hotkey+paste to get credentials in, but it works wiþ every browser, and I guess it has a secondary security benefit.

[–] Vanilla_PuddinFudge@infosec.pub 2 points 9 months ago* (last edited 9 months ago)

based and upvoted. Hail to the King. No imitators, no replacements, just seething from those store their passwords in webapps.

[–] Maxxie@piefed.blahaj.zone 9 points 9 months ago* (last edited 9 months ago) (1 children)

As I understood, vector of attack is the autofill function? If you disable it you're probably safe? -ish?..

(Im a webdev, we don't do security hur hur)

[–] Sleepkever@lemmy.zip 10 points 9 months ago* (last edited 9 months ago) (1 children)

The attack vector is an autofill function on a compromised website that has attackers javascript running either injected in a webpage or on a subdomain hosting user content. Since autofill will never fill passwords from another domain, others won't be at risk. But why bother with clickjacking at that point, you could just have your malicious script read the password values silently once the user enters it, password manager or not. That's not a password manager problem, that's the problem of the vulnerable website.

The one which is actually dangerous that shared all password for all domains actually had a bug bounty awarded to the guy and is now fixed, good for him on finding that. The rest is really a non issue , I wouldn't worry that much.

Though credit card details and personal user info autofill might be problematic since those are not site-bound. I would either disable those or just not store them in the password manager.

[–] MiltownClowns@lemmy.world 8 points 9 months ago* (last edited 9 months ago) (1 children)

So long story short, compromised websites can steal your password if you give them your password.

[–] sukhmel@programming.dev 2 points 9 months ago

But that's so much less fun as a headline!

[–] _cryptagion@anarchist.nexus 8 points 9 months ago (1 children)

So from what I gather skimming through this, it requires a malicious browser extension to do the clickjacking. This seems as much a problem with people installing untrusted extensions as it is a problem with password managers.

[–] kewjo@lemmy.world 5 points 9 months ago* (last edited 9 months ago)

also issue with hackers paying to buy out extensions and then releasing an update. this has become an increasingly bigger issue over the years and a reason to install as few extensions you trust and read changelogs, but most people don't have the energy for that.

edit: on second look it looks more about a website hiding input through an interactive pop-up and the password manager autofilling or directing the user to input in malicious fields they can't see.

[–] Microw@piefed.zip 2 points 9 months ago

Well, there is a reason why I manually copy paste passwords from my password manager instead of using autofill plugins

[–] RagnarokOnline@programming.dev 1 points 9 months ago (4 children)

I know this will be unpopular, but I still don’t use a password manager.

Something about entrusting my passwords to a 3rd party’s software still feels wrong. I’d rather use a passphrase that’s generated per each service based on a set of rules.

[–] BaroqueInMind@piefed.social 18 points 9 months ago

You can self host Bitwarden, it's called Vaultwarden and it's open source

[–] communism@lemmy.ml 10 points 9 months ago (2 children)

What about a purely local password manager like keepassxc? It's foss, you can compile it yourself and never connect to the internet. Or pass even, if you want something more minimal.

[–] untorquer@lemmy.world 4 points 9 months ago

I like to use syncthing + keepass. Works really well

[–] RagnarokOnline@programming.dev 2 points 9 months ago

I like the idea of compiling locally. I need to look into this.

Thanks!

[–] Jason2357@lemmy.ca 7 points 9 months ago (1 children)

I don’t think there’s anything wrong with deterministically creating unique and strong pass phrases. It’s just hard to do it in a way that is hard to be both non-obvious (no url in the pass phrase) and also meet all the weird password requirements on the web. Fortunately, max password lengths have generally disappeared. Id love to be able to just use a Sha256 hash everywhere, but some sites require special characters, and some still ban them.

[–] three@lemmy.zip 5 points 9 months ago

Fortunately, max password lengths have generally disappeared.

Not disagreeing, you just reminded me of the couple of sites I've signed up for that don't enforce max length on creation, but silently truncate passwords on login. Incredibly frustrating trying to figure out what an acceptable length is through multiple password recoveries.

[–] spankmonkey@lemmy.world 2 points 9 months ago (1 children)

Feels like putting all the eggs in one basket to me.

[–] RagnarokOnline@programming.dev 3 points 9 months ago (1 children)

You’re not wrong, tbh. I do like the idea of having really complex and random passwords like I see can be generated from password managers.

That said, I would argue that putting all of your passwords (eggs) into one basket (a password manager) would also not be ideal.

Maybe if I used multiple password managers? If one got hacked, maybe the other would be secure?

Maybe if I added a salt to my passwords in a password manager, that would give me the best of both worlds? (I could store most of the password in the manager, then add the salt manually when I need to login. Though I couldn’t use auto-fill anymore.)

[–] lunarul@lemmy.world 3 points 9 months ago

A local password manager (e.g. KeePass) will have all your passwords in an encrypted database saved on your machine. You can back up that file however you like. If somehow your machine gets hacked to the level where files can be accessed, the DB file is unusable without the password (the one password you'll need to remember).