
Urgent Alert: Protect Your Password Manager from Clickjacking
Millions of users of popular password managers—including LastPass, 1Password, Bitwarden, Enpass, iCloud Passwords, and LogMeOnce—are at risk due to recently discovered clickjacking vulnerabilities in their browser extensions. Research presented at DEF CON 33 demonstrates that attackers can invisibly overlay web elements, tricking users into triggering silent autofills that steal credentials, OTPs, and financial data.
How the Attack Works
Attackers craft malicious web pages that:
- Use CSS opacity and z-index to hide fake elements over genuine password manager UI controls.
- Track mouse movements and redirect clicks on “benign” overlays—such as cookie banners or CAPTCHAs—to the real autofill button.
- Trigger silent autofill of usernames, passwords, credit card numbers, or TOTP codes, exfiltrating them without user awareness.
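The overlay tricks above succeed when the extension acts on a click without first checking what the user could actually see at that point. As an added example, not code from the advisory or from any vendor's extension, here is the kind of occlusion check that closes that gap; the element model, `makeEl`, `checkAutofillClick` and the scenario names are hypothetical simplifications (a real extension's UI usually sits in a shadow root or iframe, with page elements as ancestors).

```javascript
// Added defensive example (not from the advisory or any vendor's extension): the
// occlusion check an extension could run before acting on a click on its own autofill
// control. In a browser the stack comes from document.elementsFromPoint(x, y), top-most
// first, and styles from getComputedStyle(); here both are plain objects so it runs in Node.
const MIN_OPACITY = 0.99; // anything more translucent can hide a control from the user

// Simplified element model: id, parent link, and the computed styles we inspect.
function makeEl(id, style = {}, parent = null) {
  return { id, parent, style: { opacity: 1, visibility: 'visible', pointerEvents: 'auto', ...style } };
}

// True if this element and every ancestor is rendered opaque and visible. A page can
// hide an injected control by styling any ancestor, so the whole chain is checked.
function isVisiblyRendered(el) {
  for (let node = el; node; node = node.parent) {
    if (node.style.visibility !== 'visible') return false;
    if (Number(node.style.opacity) < MIN_OPACITY) return false;
  }
  return true;
}

// Decide whether a click at the pointer position may trigger autofill.
// stack: elements under the pointer, top-most first. Returns { ok, reason }.
function checkAutofillClick(stack, controlId) {
  for (const el of stack) {
    if (el.id === controlId) {
      return isVisiblyRendered(el)
        ? { ok: true, reason: 'ok' }
        : { ok: false, reason: 'control not visibly rendered' };
    }
    // Something sits above the control: if it takes pointer events the click never
    // reached us legitimately; if it is visible, it is what the user actually saw.
    if (el.style.pointerEvents !== 'none') return { ok: false, reason: `covered by ${el.id}` };
    if (el.style.visibility === 'visible' && Number(el.style.opacity) > 0) {
      return { ok: false, reason: `obscured by ${el.id}` };
    }
  }
  return { ok: false, reason: 'control not under pointer' };
}

// Constructed scenarios, top-most element first in each stack.
const body = makeEl('body');
const control = makeEl('pm-autofill', {}, makeEl('pm-root', {}, body));
const SCENARIOS = {
  clean: [control, body],
  hiddenRoot: [makeEl('pm-autofill', {}, makeEl('pm-root', { opacity: 0 }, body)), body], // page CSS hides the extension root
  passThroughBanner: [makeEl('cookie-banner', { pointerEvents: 'none' }, body), control, body], // visible decoy, clicks fall through
  transparentOverlay: [makeEl('overlay', { opacity: 0 }, body), control, body], // invisible element captures the click
};
```

Only the `clean` scenario should be allowed to autofill; each of the other three is rejected with a reason an extension could log for telemetry.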
Who’s Vulnerable
Affected versions as of August 19, 2025:
- 1Password 8.11.4.27
- Bitwarden 2025.7.0 (fixed in 2025.8.0)
- Enpass 6.11.6 (partial mitigation)
- iCloud Passwords 3.1.25
- LastPass 4.146.3
- LogMeOnce 7.12.4
These six vendors collectively serve over 40 million users.
Vendor Responses
- Bitwarden: Released patch (2025.8.0) across all extension stores.
- LastPass & 1Password: Initially deemed “informative” and out-of-scope; now actively working on fixes.
- LogMeOnce: No public response yet.
Immediate Mitigations
Until full vendor patches are widely available, follow these steps:
- Disable Autofill in your password manager’s browser extension settings.
- Use copy-paste workflows for entering usernames and passwords.
- Be cautious of suspicious overlays, pop-ups, or unusual page layouts.
- Ensure your extensions are updated to the latest versions.
- Follow vendor advisories for security updates.
Stay safe and take these precautions seriously—your sensitive credentials and financial data depend on it.