DOM-based Extension Clickjacking: Your Password Manager Data at Risk (1Password, Bitwarden, Dashlane, Enpass, iCloud Passwords, KeePassXC-Browser, Keeper, LastPass, LogmeOnce, NordPass, Proton Pass, RoboForm / Also crypto wallets, notes, etc. as web browser extensions)

Understanding the Recent DOM-Based Extension Clickjacking Vulnerability and Its Impact on Password Managers

Published: August 24, 2025

In an evolving digital security landscape, new vulnerabilities continually challenge the safety of our online credentials. Recently, cybersecurity researchers uncovered a significant flaw affecting many popular browser extensions used for managing passwords and sensitive data. This article aims to elucidate the nature of this vulnerability, its implications, and practical steps you can take to safeguard your information.


What is DOM-Based Extension Clickjacking?

Clickjacking is a technique in which an attacker tricks a user into clicking a hidden or disguised element, so that the click performs an action the user never intended. The recently disclosed variant targets browser extensions (password managers, crypto wallets, note-taking tools) that inject their own user interface, such as an autofill dropdown, directly into the web page's Document Object Model (DOM). Once the extension's UI lives in the page's DOM, the page's own scripts and stylesheets can manipulate it.

In essence, a malicious page can make parts of the password manager's injected interface transparent, cover them, or reposition them under something the user does intend to click. The user's click then lands on the extension's autofill control, and the extension fills stored credentials or other sensitive data into the attacker's page without the user realizing it.
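The following is an added example written for this article; it is not code from the original post or from any password manager vendor. It models, in plain JavaScript that runs under Node, the two things the paragraph above describes: what a hostile page can do to an extension's injected dropdown because that dropdown sits in the page's DOM, and the visibility check a content script could run before honoring a click. Instead of calling real DOM APIs it uses plain objects shaped like the values `getComputedStyle()`, `getBoundingClientRect()` and `document.elementFromPoint()` would return; every element name and coordinate (`pm-autofill-dropdown`, `login-wrapper`, the rectangles) is constructed for the illustration.

```javascript
// Added example, not the article's or any vendor's code. Runs in Node by
// modelling the DOM values a content script would read; all ids, styles and
// geometry below are constructed sample data.

// Constructed scene: a login form's password field (the anchor) and the
// autofill dropdown an extension injects directly beneath it. The dropdown is
// a descendant of page-controlled elements, which is the root of the problem.
function makeScene() {
  const body = { id: 'body', style: { opacity: '1', visibility: 'visible', display: 'block' }, parent: null };
  const wrapper = { id: 'login-wrapper', style: { opacity: '1', visibility: 'visible', display: 'block' }, parent: body };
  const passwordInput = { id: 'password', rect: { x: 100, y: 150, width: 300, height: 40 }, parent: wrapper };
  const dropdown = {
    id: 'pm-autofill-dropdown', // hypothetical id for the injected UI
    style: { opacity: '1', visibility: 'visible', display: 'block' },
    rect: { x: 100, y: 190, width: 300, height: 120 },
    parent: wrapper,
    anchor: passwordInput,
  };
  return { body, wrapper, passwordInput, dropdown };
}

// Hostile-page variant A: zero the opacity of an ANCESTOR. The dropdown is
// invisible, still receives clicks, and getComputedStyle(dropdown).opacity
// still reads "1", so a check on the element alone is fooled.
function hideViaAncestor(scene) {
  scene.wrapper.style.opacity = '0';
  return scene;
}

// Hostile-page variant B: move the dropdown away from the login form so it
// sits exactly under some decoy the user is expected to click.
function moveUnderDecoy(scene, decoyRect) {
  scene.dropdown.rect = { ...decoyRect };
  return scene;
}

// Effective opacity is the product along the ancestor chain; display:none or
// visibility:hidden anywhere on the chain makes the element invisible.
function effectiveOpacity(el) {
  let opacity = 1;
  for (let node = el; node; node = node.parent) {
    if (!node.style) continue;
    if (node.style.display === 'none' || node.style.visibility === 'hidden') return 0;
    opacity *= parseFloat(node.style.opacity);
  }
  return opacity;
}

function contains(rect, p) {
  return p.x >= rect.x && p.x <= rect.x + rect.width && p.y >= rect.y && p.y <= rect.y + rect.height;
}

// Check a content script could run in the dropdown's click handler before
// autofilling. topElementAtPoint stands for document.elementFromPoint(click).
// Returns { ok: true } or { ok: false, reason }. This is a heuristic layer:
// it catches CSS hiding and relocation, not every possible overlay trick.
function assessClick(scene, click, topElementAtPoint) {
  const d = scene.dropdown;
  if (effectiveOpacity(d) < 0.9) return { ok: false, reason: 'not visible to the user' };
  if (d.rect.width === 0 || d.rect.height === 0) return { ok: false, reason: 'zero-size' };
  if (!contains(d.rect, click)) return { ok: false, reason: 'click outside dropdown' };
  if (topElementAtPoint !== d) return { ok: false, reason: 'another element is on top' };
  // The dropdown must still sit where the extension placed it: directly below
  // its anchor input. A relocated dropdown means the page moved it.
  const a = d.anchor.rect;
  const detached = Math.abs(d.rect.x - a.x) > 4 || Math.abs(d.rect.y - (a.y + a.height)) > 4;
  if (detached) return { ok: false, reason: 'moved away from anchor input' };
  return { ok: true };
}

// Run the clean page and both hostile variants through the check.
function demo() {
  const results = {};
  const clean = makeScene();
  results.clean = assessClick(clean, { x: 150, y: 220 }, clean.dropdown);
  const hidden = hideViaAncestor(makeScene());
  results.ancestorHidden = assessClick(hidden, { x: 150, y: 220 }, hidden.dropdown);
  const moved = moveUnderDecoy(makeScene(), { x: 500, y: 600, width: 300, height: 120 });
  results.relocated = assessClick(moved, { x: 600, y: 650 }, moved.dropdown);
  return results;
}
```

Two points worth noting from the model. In variant A the transparent dropdown is still the topmost hit target, so an `elementFromPoint` check passes and only the ancestor-aware opacity walk rejects the click; a check that reads `opacity` on the dropdown alone would autofill. And the checks here are a mitigation layer a content script can apply, not a complete fix: an extension whose UI is rendered inside the page's DOM remains exposed to whatever styling the page applies, which is why the actual fixes have to come from the extension vendors.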


The Scope and Impact

This flaw has been identified in the browser extensions of numerous widely used password managers and related services. At the time of publication the status was as follows:

  • Vulnerable Extensions (no fix available at publication):
  • 1Password (versions up to 8.11.7.2)
  • Bitwarden (versions up to 2025.8.1)
  • iCloud Passwords (still vulnerable in the latest version, 3.1.25)
  • LastPass (still vulnerable in the latest version, 4.146.1)
  • LogMeOnce (still vulnerable in the latest version, 7.12.4)
  • KeePassXC-Browser (versions up to 1.9.9.2)
  • NordPass, Proton Pass, RoboForm, Enpass, and Keeper were also affected; their fixed versions are listed below.

  • Fixed Extensions (update to at least the listed version):
  • Dashlane (fixed in version 6.2531.1)
  • Enpass (fixed in version 6.11.6)
  • Keeper (fixed in version 17.2.0)
  • NordPass (fixed in 5.13.24)
  • Proton Pass (fixed in 1.31.6)
  • RoboForm (fixed in 9.7.6)

Note: Desktop and mobile applications are unaffected. The vulnerability is specific to the browser extensions, because only they render their interface inside web pages that an attacker can control.


Why Are Some Extensions Still Vulnerable?

While several providers have addressed the flaw through updates, others, including

