11 of the 11 password managers tested – 1Password, Bitwarden, LastPass, Dashlane, iCloud Passwords and six more – were vulnerable to DOM-based Extension Clickjacking in their default configuration. That's it. No exceptions. Marek Tóth showed this at DEF CON 33 in August 2025. One click by the user on an attacker-controlled site, and credit cards, TOTP secrets and login credentials leak through a legitimate password manager extension. The combined audience of the vulnerable extensions is about 40 million users (summed from Chrome Web Store figures; the number includes possible overlaps). 1Password and LastPass classified the report as "informative" and declined to release a patch. For a SOC engineer running a corporate environment where a password manager extension is mandatory, this is a data exfiltration vector that is caught by neither EDR nor standard SIEM rules. And that is genuinely unpleasant.
Attacks on password managers: kill chain and business logic
A compromised password manager vault means access to dozens of corporate and personal services, TOTP secrets that bypass MFA, and payment card data. In MITRE ATT&CK this is technique T1555.005 - Password Managers (Credential Access). But for the Blue Team it is critical to see the full chain, not an isolated technique:
1. Initial Access - the victim visits a malicious site or a legitimate resource with an XSS vulnerability. XSS is the classic A03:2021 (Injection) in the OWASP Top 10.
2. Credential Access - DOM-based Extension Clickjacking extracts logins, passwords, TOTP codes and card data from the password manager extension. A combination of T1555.005 and T1212 - Exploitation for Credential Access.
3. Valid Accounts - the stolen credentials are used to log into corporate services. T1078 - Valid Accounts: initial access, persistence, privilege escalation.
4. Downstream - credential stuffing against every service in the vault, lateral movement within the infrastructure, financial fraud with the stolen cards.
Between steps 1 and 3 there are no network artifacts inside the corporate network. The credential disclosure happens in the user's browser, below the EDR and SIEM perimeter. An alert can fire only once the stolen credentials are actually used, and then only if a baseline of legitimate activity has been built. The insider aspect is doubly dangerous: credentials compromised through clickjacking look like legitimate activity. It is the same scenario as a "compromised legitimate host" - the SOC sees a normal account performing normal actions, with an anomaly only in geolocation or user-agent.
According to figures cited by passwork.ru with reference to the Ministry of Digital Development, direct damage from cyberattacks in 2024 reached 160 billion rubles (the primary source requires verification). More than 50% of successful attacks involve the human factor - weak passwords and their reuse. Password managers were created to solve this problem. The irony: a password manager vulnerability turns the solution into an additional attack vector. With the tightening of liability for personal data leaks and the introduction of turnover-based fines, the compromise of the corporate password vault is not only an operational but also a legal risk.
DOM-based Extension Clickjacking: How a Password Manager Gets Hacked
Classic web clickjacking uses an iframe: the target site is loaded into an invisible frame and the user's clicks are intercepted. Protection has long been standardized: the X-Frame-Options and Content-Security-Policy: frame-ancestors headers, and the SameSite=Lax cookie attribute. Most bug bounty programs have moved iframe clickjacking to the "out of scope" section.
Tóth showed a fundamentally different approach. Password manager extensions inject their UI elements directly into the page DOM: drop-down autocomplete menus, icons inside input fields, overlays offering to fill the form. These elements are part of the DOM, and JavaScript on the page can manipulate them freely. The password autofill vulnerability is not in the autofill mechanism itself, but in the fact that the extension places its UI under the control of a potentially hostile context. In effect, the extension itself opens the door.
The attack works in four steps:
1. The password manager extension detects an input field and injects its autocomplete UI into the DOM - a drop-down menu or a button
2. The malicious script on the page makes the extension element invisible: opacity: 0, z-index manipulation, an overlay on top
3. The user sees a fake UI - a cookie banner, a "Confirm that you are not a robot" captcha, a "Close ad" button - and clicks
4. The real click lands on the hidden extension element and triggers autofill, which delivers the data to the attacker
JavaScript:
// the dropdown the extension injected (selector is illustrative)
const extDropdown = document.querySelector('[data-pm-autofill]');
if (extDropdown) {
  // step 2: hide the extension element while keeping it clickable
  extDropdown.style.opacity = '0';
  extDropdown.style.position = 'fixed';
  // step 3: show a fake banner where the user expects to click
  const fakeUI = document.createElement('div');
  fakeUI.textContent = 'Accept cookies to continue';
  fakeUI.style.cssText = 'position:fixed;z-index:9999;';
  document.body.appendChild(fakeUI);
}
The protective X-Frame-Options and CSP frame-ancestors headers are useless here. The extension runs in the page context; its DOM elements are indistinguishable from the page's own elements as far as JavaScript is concerned. The browser does not isolate the DOM that extensions inject from the page's scripts – and this is an architectural problem, not a bug of one particular vendor.
Tóth describes several positioning options: partial overlay, full overlay, fixed position, and under the mouse cursor - a UI element that follows the cursor. Most scenarios require a single click from the victim. Users are used to clicking cookie banners and captchas - the attacker exploits that habit. One click. That's it.
Scope and limitations: DOM-based Extension Clickjacking works against any extension that injects elements into the DOM - password managers, crypto wallets, note-taking extensions. The technique does not work against the browser's built-in password store: Google Password Manager uses Chrome's native autofill, not DOM injection through the extension API. Google Password Manager has vulnerabilities too, but they are of a different nature - T1555.003 (Credentials from Web Browsers), where the attack surface is the storage and access mechanisms for credentials at the browser-process level, not DOM manipulation.
Password leakage from the manager: what exactly the attacker steals
Tóth tested 11 extensions: 1Password, Bitwarden, Dashlane, Enpass, Keeper, LastPass, LogMeOnce, NordPass, ProtonPass, RoboForm and iCloud Passwords (as a Chrome/Firefox extension). The sample is based on the PCMag rating "The Best Password Managers for 2025" plus iCloud Passwords (about 5 million users according to the Chrome Web Store).
The denominators in the table differ: not all managers support every data type. Two of the eleven do not store credit cards in the extension, one does not support the personal data section, two do not store TOTP, three do not implement passkeys.

The two attack categories differ in complexity. Credit cards and personal data can be stolen when the victim visits a fully attacker-controlled site – without exploiting vulnerabilities on third-party resources. To steal logins, passwords and TOTP, an additional vector is needed: XSS on the site for which the password is saved, or a subdomain takeover. Tóth separately stresses that all the tested managers filled credentials not only for the main domain but also for all of its subdomains. XSS on any subdomain of a large service gives access to the main domain's credentials. Finding XSS on some forgotten dev.example.com is a couple of hours' work for a decent pentester.
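A defensive counterpart to the four attack steps above and to the subdomain autofill point just described, written here as an added example (not code from the article, from Tóth's research, or from any password manager vendor): a content-script guard that refuses to honour a click on the extension's injected UI unless the user could actually see it, plus an exact-host origin match that requires opt-in before filling on subdomains. The `[data-pm-autofill]` selector and the 500 ms settle window are assumptions; the decision functions are pure and run under node, the DOM helpers only in a browser.

```javascript
// Added example (not the article's, Tóth's or any vendor's code): a pre-autofill
// guard for an extension content script. decideAutofill() and originAllowed()
// are pure and run under node; collectClickContext() is the browser-only glue.

const SETTLE_MS = 500; // assumption: a human needs at least this long to see and aim at the dropdown

// Pure decision: fill only if the click is genuine and the element the user
// actually saw at the click point is our own UI, fully opaque and on screen.
function decideAutofill(ctx) {
  const reasons = [];
  if (!ctx.isTrusted) reasons.push('synthetic click');                // el.click() dispatched by page script
  if (ctx.opacity < 1) reasons.push('opacity ' + ctx.opacity);        // step 2: opacity:0 on us or an ancestor
  if (ctx.visibility !== 'visible') reasons.push('visibility ' + ctx.visibility);
  if (!ctx.topElementIsOurs) reasons.push('hit-test target is not our UI'); // overlay / z-index tricks
  if (ctx.offscreen) reasons.push('off-screen');                      // position:fixed tricks
  if (ctx.msSinceShown < SETTLE_MS) reasons.push('shown ' + ctx.msSinceShown + ' ms ago'); // follow-the-cursor UI
  return { allow: reasons.length === 0, reasons };
}

// Exact-host match by default; subdomain fill only when the user opted in for
// that entry, so XSS on dev.example.com cannot pull the example.com login.
function originAllowed(savedOrigin, pageOrigin, allowSubdomains = false) {
  let saved, page;
  try { saved = new URL(savedOrigin); page = new URL(pageOrigin); } catch (e) { return false; }
  if (page.protocol !== 'https:') return false;                       // never fill over plain http
  if (page.hostname === saved.hostname) return true;
  return allowSubdomains && page.hostname.endsWith('.' + saved.hostname);
}

// Browser-only glue: reads the signals above from the real event and element.
// Opacity is multiplied up the ancestor chain because the injected node sits
// inside page-owned elements that a script can fade out just as easily.
function collectClickContext(event, ourElement, shownAt) {
  let opacity = 1;
  for (let n = ourElement; n; n = n.parentElement) opacity *= parseFloat(getComputedStyle(n).opacity);
  const r = ourElement.getBoundingClientRect();
  const top = document.elementFromPoint(event.clientX, event.clientY);
  return {
    isTrusted: event.isTrusted,
    opacity,
    visibility: getComputedStyle(ourElement).visibility,
    topElementIsOurs: top !== null && ourElement.contains(top),
    offscreen: r.bottom <= 0 || r.right <= 0 || r.top >= window.innerHeight || r.left >= window.innerWidth,
    msSinceShown: Date.now() - shownAt,
  };
}

// Wiring in the content script (skipped under node, where there is no DOM).
if (typeof document !== 'undefined') {
  const dropdown = document.querySelector('[data-pm-autofill]'); // selector assumed, as in the article's snippet
  const shownAt = Date.now();
  dropdown?.addEventListener('click', (ev) => {
    const verdict = decideAutofill(collectClickContext(ev, dropdown, shownAt));
    if (!verdict.allow) { ev.stopImmediatePropagation(); console.warn('autofill blocked:', verdict.reasons); }
  }, true);
}
```

The guard only decides whether to proceed; an extension would still want an explicit confirmation prompt for card and TOTP fills, which is the partial mitigation some vendors shipped.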
Fix status (January 2026): Dashlane, NordPass, ProtonPass, Keeper and RoboForm have fixed the vulnerability. Bitwarden, Enpass and LogMeOnce have released patches (check the exact versions in the vendor changelogs: bitwarden.com/help/releasenotes, enpass.io/changelog, logmeonce.com/release-notes). The vulnerability remains unfixed in 1Password, iCloud Passwords and LastPass – presumably tens of millions of users at risk.
VRP bug bounty, Google Password Manager and vendor responses to vulnerabilities
The vendors' reaction to Tóth's report is an instructive case for analyzing password vault vulnerabilities and approaches to vulnerability disclosure.
1Password marked the report as "informative". According to Socket.dev, its response read: "Clickjacking of the personal data field autofill function has already been reported in previous reports and will not be considered at present." Researchers had reported this so often that 1Password moved the issue out of scope. 1Password CISO Jacob DePriest told SecurityWeek: "Because the underlying issue lies in how browsers render webpages, we believe there's no comprehensive technical fix that extensions can implement on their own." The vendor's position: this is a browser architecture problem, not ours.
LastPass also marked the report as "informative". Alex Cox, director of threat intelligence at LastPass, acknowledged that the study "highlights the broader problem that all password managers face." LastPass implemented partial protection - a pop-up before autofilling credit cards - but not for logins and passwords. That is, the cards got protected, but the credentials did not. Interesting priorities.
LogMeOnce did not respond to the researcher's outreach at all. The patch (7.12.7) was released only after public disclosure at DEF CON 33. Silence until public shaming is a classic.
Against this background, Dashlane, NordPass, ProtonPass and Keeper released patches promptly. The approach to handling VRP bug bounty reports was the key differentiator: credential manager security flaws of the same class - diametrically opposite reactions.
Bug bounty and Google Password Manager are a separate story. Google Password Manager is a built-in Chrome component, not an extension. Security reports about it are processed through the Google VRP, with CVE assignment and public disclosure on a fixed timeline. The Chrome VRP offers rewards of $250,000+ for a sandbox escape (according to bughunters.google.com). A Google VRP report goes through the full cycle - from triage to CVE and patch. The contrast with the "informative" from 1Password and LastPass is striking. This does not mean Google Password Manager is free of vulnerabilities, but the process for responding to them is fundamentally different.
For the corporate choice of a password manager, this analysis gives a specific criterion: not only the product's features, but how the vendor handles bug bounty reports, whether it acknowledges credential manager security flaws, and how quickly it releases patches. If I were the CISO, I would rank this criterion higher than a pretty dashboard.