Cybersecurity

8158 readers

414 users here now

c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.

THE RULES

Instance Rules

Be respectful. Everyone should feel welcome here.
No bigotry - including racism, sexism, ableism, homophobia, transphobia, or xenophobia.
No Ads / Spamming.
No pornography.

Community Rules

Idk, keep it semi-professional?
Nothing illegal. We're all ethical here.
Rules will be added/redefined as necessary.

If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.

Learn about hacking

Hack the Box

Try Hack Me

Pico Capture the flag

Other security-related communities !databreaches@lemmy.zip !netsec@lemmy.world !securitynews@infosec.pub !cybersecurity@infosec.pub !pulse_of_truth@infosec.pub

Notable mention to !cybersecuritymemes@lemmy.world

founded 2 years ago

MODERATORS

kid@sh.itjust.works

Lanky_Pomegranate530@midwest.social

Zero-Day Vulnerability allow attackers to steal users data Found in Password Managers( 1Password, Bitwarden, LastPass, Enpass, iCloud Passwords, and LogMeOnce remain unpatched— still vulnerable) (marektoth.com)

submitted 5 days ago* (last edited 5 days ago) by Pro@programming.dev to c/cybersecurity@sh.itjust.works

7 comments fedilink hide all child comments

cross-posted from: https://programming.dev/post/36006277

Independent verification and publication by Socket Security.

Fixed: NordPass, ProtonPass, RoboForm, Dashlane, Keeper

Still vulnerable: Bitwarden, 1Password, iCloud Passwords, Enpass, LastPass, LogMeOnce

Key Points

A new clickjacking technique where a malicious script manipulates UI elements that browser extensions inject into the DOM by making them invisible using javascript.

In my research, I selected 11 password managers that are used as browser extensions and the result was that all were vulnerable to "DOM-based Extension Clickjacking". Tens of millions of users could be at risk (~40 million active installations).

A single click anywhere on the attacker's website could leak credit card details including security codes (6 out of 9 were vulnerable) or exfiltrate stored personal information (8 out of 10 vulnerable).

All password managers filled credentials not only to the "main" domain, but also to all subdomains. An attacker could easily find XSS or other vulnerabilities and steal the user's stored credentials with a single click (10 out of 11), including TOTP (9 out of 11). In some scenarios, passkey authentication could also be exploited (8 out of 11).

All vulnerabilities were reported in April 2025 with a notice that public disclosure will be in August 2025. Some vendors have still not fixed described vulnerability: Bitwarden, 1Password, iCloud Passwords, Enpass, LastPass, LogMeOnce. Users of these password managers may still be at risk (~32.7 million active installations).

For Chromium-based browser users it is recommended to configure site access to "on click" in extension settings. This configuration allows users to manually control autofill functionality.

The described technique is general and I only tested it on 11 password managers. Other DOM-manipulating extensions are probably vulnerable (password managers, crypto wallets, notes etc.).

you are viewing a single comment's thread
view the rest of the comments

[–] drspod@lemmy.ml 10 points 4 days ago

It's a clever attack but if I understand correctly it requires malicious script to be injected into a trusted webpage (ie. one that you normally log in to). This limits the utility of the attack, since any script injection vulnerability would already allow exfiltration of credentials that are entered manually when you log in to the site, password manager or not. The difference with this attack is that the attacker doesn't have to wait for you to log in, they just trick the password manager into autofilling the credentials straight away.