Six major password managers with tens of millions of users are currently vulnerable to unpatched clickjacking flaws that could allow attackers to steal account credentials, 2FA codes, and credit card details.
Threat actors could exploit the security issues when victims visit a malicious page or websites vulnerable to cross-site scripting (XSS) or cache poisoning, where attackers overlay invisible HTML elements over the password manager interface.
While users believe they are interacting with harmless clickable elements, they trigger autofill actions that leak sensitive information.
The flaws were presented during the recent DEF CON 33 hacker conference by independent researcher Marek Tóth. Researchers at cybersecurity company Socket later verified the findings and helped inform impacted vendors and coordinate public disclosure.
The researcher tested his attack on certain versions of 1Password, Bitwarden, Enpass, iCloud Passwords, LastPass, and LogMeOnce, and found that all their browser-based variants could leak sensitive info under certain scenarios.
Exploitation methods
The main attack mechanic is to run a script on a malicious or compromised website that uses opacity settings, overlays, or pointer-event tricks to hide the autofill dropdown menu of a browser-based password manager.
[Figure: Manipulating the password manager's element opacity. Source: Marek Tóth]
The attacker then overlays fake intrusive elements (e.g. cookie banners, popups, or CAPTCHA prompts) so that the user's clicks land on the hidden password manager controls, causing the forms to be filled with sensitive information.
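As an added example (not code from the article or from any of the named vendors), the following is a visibility guard that a browser-based password manager extension could run before honouring a click on its autofill dropdown, checking the three vectors described above: reduced opacity on the dropdown or an ancestor, pointer-events tricks, and an overlay sitting on top of the click point. The opacity threshold, the plain-object representation of computed styles, and the two sample page states are assumptions.

```javascript
// Added example: clickjacking guard for an autofill dropdown (defender side).
// The DOM is abstracted behind plain objects so the core check runs in Node.

const MIN_OPACITY = 0.9; // assumed threshold; a real UI would tune this

// `chain` lists the dropdown followed by its ancestors up to <body>, each as
// { opacity, visibility, pointerEvents } taken from getComputedStyle.
// `hitTarget` describes what elementFromPoint() returned at the click point.
function isAutofillClickTrustworthy(chain, hitTarget) {
  const reasons = [];
  // Opacity is multiplicative along the ancestor chain, so a 0.01 parent
  // hides a fully opaque dropdown just as well as styling the dropdown itself.
  const effectiveOpacity = chain.reduce((acc, s) => acc * Number(s.opacity ?? 1), 1);
  if (effectiveOpacity < MIN_OPACITY) reasons.push(`effective opacity ${effectiveOpacity.toFixed(2)}`);
  if (chain.some((s) => s.visibility === 'hidden')) reasons.push('visibility hidden');
  // The dropdown must receive its own clicks; pointer-events:none anywhere in
  // the chain means the click is being routed around it.
  if (chain.some((s) => s.pointerEvents === 'none')) reasons.push('pointer-events none');
  // Whatever is topmost at the click coordinates must be the dropdown itself.
  if (!hitTarget || !hitTarget.insideDropdown) {
    reasons.push(`overlay on top: <${hitTarget ? hitTarget.tag : 'nothing'}>`);
  }
  return { trusted: reasons.length === 0, reasons };
}

// Adapter for a live browser DOM (not invoked here): gather the style chain
// and hit-test the click, then defer to the pure check above.
function checkLiveDropdown(dropdown, clickEvent) {
  const chain = [];
  for (let el = dropdown; el && el !== document.documentElement; el = el.parentElement) {
    const cs = getComputedStyle(el);
    chain.push({ opacity: cs.opacity, visibility: cs.visibility, pointerEvents: cs.pointerEvents });
  }
  const hit = document.elementFromPoint(clickEvent.clientX, clickEvent.clientY);
  const target = hit ? { tag: hit.tagName.toLowerCase(), insideDropdown: dropdown.contains(hit) } : null;
  return isAutofillClickTrustworthy(chain, target);
}

// Constructed sample states (not captured from any real site).
const visible = { opacity: '1', visibility: 'visible', pointerEvents: 'auto' };
const honestPage = { chain: [visible, visible], hit: { tag: 'li', insideDropdown: true } };
const clickjackedPage = {
  chain: [visible, { ...visible, opacity: '0.01' }], // near-invisible ancestor
  hit: { tag: 'div', insideDropdown: false },        // fake cookie banner on top
};
```

A manager that gets `trusted: false` back should refuse to autofill and instead require an explicit confirmation in its own (extension-controlled) UI rather than in the page's DOM.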