Nearly a dozen password manager browser plugins with millions of users could expose users' personal and credit card details, as well as login credentials, through the novel Document Object Model-based extension clickjacking technique, The Hacker News reports.
Threat actors leveraging the technique would only need to build a counterfeit website with an unwanted pop-up and an invisible login form, so that the click used to close the pop-up triggers the password manager's automatic fill of the hidden form, according to a study presented by independent security researcher Marek Toth at the DEF CON 33 security conference. With only a single click, ten of the 11 tested plugins could have their stored user credentials compromised, while nine and eight of the plugins could have their time-based one-time passwords and passkey authentication pilfered, respectively. Bitwarden has already issued updates to address the clickjacking flaws, and Enpass and iCloud Passwords are developing fixes, while LastPass, LogMeOnce, and 1Password have yet to resolve the vulnerabilities.
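The defensive counterpart to the flaw described above is for an extension to refuse autofill into a field the user cannot actually see. The following JavaScript is an added illustration of such a visibility gate; it is not code from Marek Toth's research or from any of the password managers named, and the thresholds, the reason strings and the `describeField` helper are assumptions made for this example. The decision logic is a pure function over a plain description of the field, so it runs without a browser; the DOM adapter is only used when a `document` exists.

```javascript
// Added defensive illustration: an autofill eligibility check that rejects
// inputs that are hidden, transparent, tiny, off-screen, or covered by
// another element (such as a pop-up). Thresholds are assumptions.
const MIN_VISIBLE_PX = 8;   // assumed: boxes smaller than this are treated as hidden
const MIN_OPACITY = 0.5;    // assumed: effective opacity below this is suspicious

// Pure decision over a field description. Returns { allow, reasons }.
function autofillDecision(field) {
  const reasons = [];
  if (field.display === 'none') reasons.push('display:none');
  if (field.visibility === 'hidden') reasons.push('visibility:hidden');
  if (field.effectiveOpacity < MIN_OPACITY) {
    reasons.push(`effective opacity ${field.effectiveOpacity} below ${MIN_OPACITY}`);
  }
  if (field.width < MIN_VISIBLE_PX || field.height < MIN_VISIBLE_PX) {
    reasons.push('box too small to see');
  }
  const offscreen =
    field.right <= 0 || field.bottom <= 0 ||
    field.left >= field.viewportWidth || field.top >= field.viewportHeight;
  if (offscreen) reasons.push('positioned outside the viewport');
  if (field.topmostIsField === false) {
    reasons.push('another element is drawn on top of the field');
  }
  return { allow: reasons.length === 0, reasons };
}

// DOM adapter (hypothetical helper): builds the description from a live element.
// Effective opacity multiplies the element's opacity with all of its ancestors'.
// elementFromPoint at the field's centre reveals overlays covering the field.
function describeField(el, win = window) {
  const rect = el.getBoundingClientRect();
  const own = win.getComputedStyle(el);
  let effectiveOpacity = 1;
  for (let node = el; node && node.nodeType === 1; node = node.parentElement) {
    effectiveOpacity *= parseFloat(win.getComputedStyle(node).opacity);
  }
  const cx = rect.left + rect.width / 2;
  const cy = rect.top + rect.height / 2;
  const topmost = win.document.elementFromPoint(cx, cy);
  return {
    display: own.display,
    visibility: own.visibility,
    effectiveOpacity,
    width: rect.width, height: rect.height,
    left: rect.left, top: rect.top, right: rect.right, bottom: rect.bottom,
    viewportWidth: win.innerWidth, viewportHeight: win.innerHeight,
    topmostIsField: topmost === el || el.contains(topmost),
  };
}

// Constructed sample descriptions (not measurements from any real site).
const SAMPLE_FIELDS = {
  visibleLogin: {
    display: 'block', visibility: 'visible', effectiveOpacity: 1,
    width: 240, height: 32, left: 100, top: 200, right: 340, bottom: 232,
    viewportWidth: 1280, viewportHeight: 800, topmostIsField: true,
  },
  transparentUnderPopup: {
    display: 'block', visibility: 'visible', effectiveOpacity: 0.01,
    width: 240, height: 32, left: 520, top: 380, right: 760, bottom: 412,
    viewportWidth: 1280, viewportHeight: 800, topmostIsField: false,
  },
  parkedOffscreen: {
    display: 'block', visibility: 'visible', effectiveOpacity: 1,
    width: 240, height: 32, left: -9999, top: 10, right: -9759, bottom: 42,
    viewportWidth: 1280, viewportHeight: 800, topmostIsField: true,
  },
};

// Evaluate every sample; returns a name -> decision map.
function evaluateSamples(samples = SAMPLE_FIELDS) {
  const out = {};
  for (const [name, field] of Object.entries(samples)) out[name] = autofillDecision(field);
  return out;
}

if (typeof document !== 'undefined') {
  // In a page: gate a real password input before an extension would fill it.
  const pw = document.querySelector('input[type="password"]');
  if (pw) console.log(autofillDecision(describeField(pw)));
} else {
  console.log(JSON.stringify(evaluateSamples(), null, 2));
}
```

The point of the gate is that a single dismissing click cannot be turned into a fill if the target field fails any of these checks; each reason string is also a useful signal to log, so a vendor can see which evasion a page attempted.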
