
Password Managers Leak Data in New Clickjacking Attack
A new study warns that millions of password manager users could be vulnerable to a dangerous browser exploit called “DOM-based Extension Clickjacking.”
In a rush? Here are the quick facts:
- Attackers can trick users into autofilling data with one fake click.
- Leaked data includes credit cards, login credentials, and even two-factor codes.
- 32.7 million users remain exposed as some vendors haven’t patched flaws.
The researcher behind the findings explained: “Clickjacking is still a security threat, but it’s necessary to shift from web applications to browser extensions, which are more popular nowadays (password managers, crypto wallets and others).”
The attack works by deceiving users into clicking on fake page elements, such as cookie banners and captcha pop-ups, while an invisible script silently triggers the password manager’s autofill function beneath the click. The researchers explain that attackers need only a single click to steal sensitive information.
“A single click anywhere on an attacker-controlled website could allow attackers to steal users’ data (credit card details, personal data, login credentials including TOTP),” the report states.
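The defensive counterpart to the technique described above, as an added illustration that is not code from the report or from any password manager: an extension can refuse to act on a click on its injected autofill UI unless that UI is genuinely visible and top-most at the click point. The `env` callbacks, the 0.9 opacity threshold and the mini-DOM below are assumptions constructed for the demo.

```javascript
// Added defender-side check (not from the article or any vendor): before an
// extension honours a click on its injected autofill UI, verify that UI is
// really visible and top-most. DOM access goes through `env` so it runs offline.
const MIN_OPACITY = 0.9; // assumed threshold; fainter than this counts as hidden

function styleHides(s) {
  return s.display === "none" || s.visibility !== "visible" ||
    parseFloat(s.opacity) < MIN_OPACITY || s.pointerEvents === "none";
}

// True only if `target` (the autofill dropdown) and every ancestor are visible,
// it has a real on-screen box, and the element under its centre is itself.
function autofillUiIsUsable(target, env) {
  for (let el = target; el; el = env.parentOf(el)) {
    if (styleHides(env.styleOf(el))) return false; // a hidden ancestor hides it too
  }
  const r = env.rectOf(target);
  if (r.width < 1 || r.height < 1 || r.left + r.width <= 0 || r.top + r.height <= 0) {
    return false; // zero-sized or pushed off-screen
  }
  const hit = env.elementAt(r.left + r.width / 2, r.top + r.height / 2);
  return hit !== null && env.contains(target, hit); // not covered by an overlay
}

// Constructed mini-DOM standing in for the browser (demo data, not real pages).
const VISIBLE = { display: "block", visibility: "visible", opacity: "1", pointerEvents: "auto" };
const node = (id, style, rect, parent) => {
  const n = { id, style, rect, parent, children: [] };
  if (parent) parent.children.push(n);
  return n;
};
const makeEnv = (topmost) => ({
  parentOf: (n) => n.parent, styleOf: (n) => n.style, rectOf: (n) => n.rect,
  elementAt: () => topmost, // stands in for document.elementFromPoint
  contains: (a, b) => { for (let n = b; n; n = n.parent) if (n === a) return true; return false; },
});

function demo() {
  const box = { left: 100, top: 100, width: 200, height: 40 };
  const full = { left: 0, top: 0, width: 800, height: 600 };
  const body = node("body", VISIBLE, full, null);
  const dropdown = node("pm-autofill", VISIBLE, box, body);
  // clickjacking-style page: dropdown faded out via an ancestor, or a banner laid on top
  const faded = node("wrap", { ...VISIBLE, opacity: "0" }, full, body);
  const hiddenDropdown = node("pm-autofill", VISIBLE, box, faded);
  const banner = node("cookie-banner", VISIBLE, full, body);
  return {
    honest: autofillUiIsUsable(dropdown, makeEnv(dropdown)),            // true
    faded: autofillUiIsUsable(hiddenDropdown, makeEnv(hiddenDropdown)), // false
    covered: autofillUiIsUsable(dropdown, makeEnv(banner)),             // false
  };
}
```

In a real extension the `env` callbacks would map to `getComputedStyle`, `getBoundingClientRect`, `document.elementFromPoint` and `Node.contains`; the check is a heuristic, and a same-origin page can still restyle injected DOM, so it reduces rather than eliminates exposure.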
The researcher tested 11 popular password managers, including 1Password, Bitwarden, Dashlane, Keeper, LastPass, and iCloud Passwords. The results were alarming: “All were vulnerable to ‘DOM-based Extension Clickjacking’. Tens of millions of users could be at risk (~40 million active installations).”
The tests revealed that six password managers out of nine exposed credit card details, while eight managers out of ten leaked personal information. Furthermore, ten out of eleven allowed attackers to steal stored login credentials. In some cases, even two-factor authentication codes and passkeys could be compromised.
Although vendors were alerted in April 2025, the researchers note that some of them, such as Bitwarden, 1Password, iCloud Passwords, Enpass, LastPass, and LogMeOnce, have not yet fixed the flaws. This is particularly concerning because it leaves an estimated 32.7 million users exposed to this attack.
The researchers concluded: “The described technique is general and I only tested it on 11 password managers. Other DOM-manipulating extensions are probably vulnerable (password managers, crypto wallets, notes etc.).”