August 21, 2025

DOM-based extension clickjacking vulnerabilities in popular password managers

Marek Tóth presented at DEF CON 33 a new attack technique called DOM-based Extension Clickjacking that impacts popular browser-based password manager extensions.

Independent researcher Marek Tóth presented at DEF CON 33 a new attack technique called DOM-based Extension Clickjacking that impacts popular browser-based password manager extensions. The technique abuses the fact that an extension's autofill UI (dropdowns, inline icons) is injected into the page's own DOM, where an attacker-controlled page can hide or cover it and trick users into unknowingly autofilling and exposing sensitive data such as credentials, TOTP codes, credit card details, and personal information. Tens of millions of users are potentially at risk.

Vulnerability Details

  • DOM-based clickjacking targets the UI elements a browser extension injects into the page's DOM. Because those elements live in the page's DOM, the page's own CSS and scripts can set their opacity to zero (directly or on an ancestor element) or cover them with attacker-controlled elements such as a fake cookie banner.
  • A single click on an attacker-controlled site (e.g., closing a cookie banner that is actually positioned over the hidden autofill dropdown) triggers autofill of stored data into invisible form fields, whose values are then exfiltrated to a remote server.
  • 11 password managers were tested, and all were initially vulnerable to some form of the attack.

At-Risk Data

  • Login credentials (username, password).
  • Two-Factor Authentication (TOTP) codes.
  • Passkeys in some scenarios (via signed assertion hijacking).
  • Credit card details (number, expiration, CVV).
  • Personal data (name, email, phone, address, DOB).

Vulnerable Products (as of disclosure)

  • Still Vulnerable: 1Password (8.11.4.27), Apple iCloud Passwords (3.1.25), Bitwarden (2025.7.0), Enpass (6.11.6), LastPass (4.146.3), LogMeOnce (7.12.4).
  • Patched: Dashlane, Keeper, NordPass, ProtonPass, RoboForm.

Impact

  • An attacker can exfiltrate sensitive data with as little as one user click.
  • Attack scenarios include:
    • Direct credential/credit card theft from an attacker’s fake site.
    • Credential theft on trusted domains: because autofill is scoped to the matching site, stealing credentials for a specific service requires running attacker content on that service's domain, e.g. via XSS, cache poisoning, or subdomain takeover.
    • Hijacking passkey authentication flows where session-bound challenges are not enforced.
  • Estimated 40 million installations across affected extensions.

Mitigation & Recommendations

  • Users:
    • Disable or restrict autofill functionality; prefer copy/paste for sensitive data.
    • In Chromium-based browsers, set the extension's site access to “on click” so its content script only runs on pages where you explicitly activate it.
    • Verify you are on the correct domain before using autofill.
    • Ensure auto-updates are enabled for all extensions.
  • Developers:
    • Render injected UI inside a closed Shadow DOM so page scripts cannot reach its internals, but note that opacity or display:none set on an ancestor of the shadow host still hides the whole shadow tree; pair it with a MutationObserver that re-checks visibility whenever page styles or structure change.
    • Before showing or acting on the autofill UI, detect overlaying elements (hit-test the UI's position) and ancestor opacity manipulation (walk the ancestor chain and multiply computed opacities), and refuse to fill while either condition holds.
    • Implement session-bound challenges for passkeys.
    • Consider requiring explicit user confirmation dialogs for sensitive autofill operations.
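The following is an added example, not code from Marek Tóth's research or from any of the password managers named above. It implements the two developer-side checks described in the Vulnerability Details and Mitigation sections: an ancestor-opacity walk that crosses shadow-host boundaries, and a hit-test that catches an element overlaid on the autofill UI. DOM access goes through an `env` object so the same logic runs against a real document in a content script and, under Node, against the constructed tree at the bottom of the block. The element names (`pm-autofill-host`, `div.fake-cookie-banner`), the `OPACITY_FLOOR` threshold and the `env` abstraction are assumptions made for the example.

```javascript
// Added example (not from Tóth's research or any password manager): a visibility
// guard an extension content script can run before rendering or acting on its
// injected autofill UI. `env` abstracts DOM access so this runs in a browser or,
// with the constructed tree below, under Node.

const OPACITY_FLOOR = 0.9; // assumption: anything dimmer than this counts as hidden

// Multiply computed opacity from `el` up to the root. A closed shadow root does
// not help here: opacity or display:none on an ancestor of the shadow host still
// applies to the whole shadow tree, so the walk must cross the host boundary.
function effectiveOpacity(el, env) {
  let product = 1;
  for (let node = el; node; node = env.parent(node)) {
    const style = env.computedStyle(node);
    if (style.display === 'none' || style.visibility === 'hidden') return 0;
    product *= parseFloat(style.opacity);
    if (product === 0) return 0;
  }
  return product;
}

// Hit-test the centre of `el`. If the topmost element there is neither `el` nor
// one of its descendants, something (a fake cookie banner) is overlaid on it.
function isCovered(el, env) {
  const r = env.rect(el);
  const top = env.elementFromPoint(r.x + r.width / 2, r.y + r.height / 2);
  return !(top && env.contains(el, top));
}

function autofillUiIsSafe(el, env) {
  return effectiveOpacity(el, env) >= OPACITY_FLOOR && !isCovered(el, env);
}

// --- Browser side (only meaningful inside a content script) -----------------
function browserEnv(doc = globalThis.document) {
  return {
    // parentElement is null at a shadow root; hop to the host to keep walking.
    parent: (n) => n.parentElement ?? n.getRootNode().host ?? null,
    computedStyle: (n) => getComputedStyle(n),
    rect: (n) => n.getBoundingClientRect(),
    // For a closed shadow tree this returns the host, which is what we check.
    elementFromPoint: (x, y) => doc.elementFromPoint(x, y),
    contains: (a, b) => a.contains(b),
  };
}

// Re-check whenever page styles or structure change; `onUnsafe` should hide the
// dropdown and refuse to fill until the page stops tampering.
function watchForTampering(host, onUnsafe, env = browserEnv()) {
  const check = () => { if (!autofillUiIsSafe(host, env)) onUnsafe(); };
  const observer = new MutationObserver(check);
  observer.observe(document.documentElement, {
    subtree: true, childList: true, attributes: true, attributeFilter: ['style', 'class'],
  });
  check();
  return () => observer.disconnect();
}

// --- Constructed scenario for running this file under Node ------------------
// A minimal stand-in for the DOM (not a real document): the attacker page wraps
// the extension's injected host and then zeroes or dims the wrapper's opacity,
// or stacks a "cookie banner" on top of the dropdown.
function node(name, style = {}, parent = null) {
  return {
    name, parent,
    style: { display: 'block', visibility: 'visible', opacity: '1', ...style },
    rect: { x: 0, y: 0, width: 240, height: 48 },
  };
}

function fakeEnv(topmostAtCentre) {
  return {
    parent: (n) => n.parent,
    computedStyle: (n) => n.style,
    rect: (n) => n.rect,
    elementFromPoint: () => topmostAtCentre,
    contains: (a, b) => { for (let n = b; n; n = n.parent) if (n === a) return true; return false; },
  };
}

// kind: 'benign' | 'opacity' (ancestor opacity:0) | 'dim' (ancestor opacity:0.3)
//       | 'overlay' (fake banner is the topmost element over the dropdown)
function scenario(kind) {
  const body = node('body');
  const wrapperStyle = kind === 'opacity' ? { opacity: '0' } : kind === 'dim' ? { opacity: '0.3' } : {};
  const wrapper = node('div.attacker-wrapper', wrapperStyle, body);
  const host = node('pm-autofill-host', {}, wrapper);      // extension's injected UI
  const item = node('pm-autofill-item', {}, host);         // a credential row inside it
  const banner = node('div.fake-cookie-banner', {}, body); // attacker overlay
  const env = fakeEnv(kind === 'overlay' ? banner : item);
  return { opacity: effectiveOpacity(host, env), covered: isCovered(host, env), safe: autofillUiIsSafe(host, env) };
}

if (typeof document === 'undefined') {
  for (const k of ['benign', 'opacity', 'dim', 'overlay']) console.log(k, scenario(k));
}
```

In a real content script the element passed to `watchForTampering` is the shadow host the extension injects; `document.elementFromPoint` returns that host for anything inside a closed shadow tree, so the hit-test still works without exposing internals. Only the `benign` scenario yields `safe: true`; zeroed or dimmed ancestor opacity fails the opacity walk, and the overlay fails the hit-test.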

Conclusion

DOM-based extension clickjacking demonstrates that clickjacking remains an active threat, not only for web applications but now also for widely used browser extensions. With minimal interaction, attackers can bypass protections and harvest sensitive information. Until all vendors patch their extensions, users of vulnerable password managers should disable autofill and exercise caution when browsing unfamiliar or suspicious sites.
