    You May Not Want to Use Your Password Manager’s Auto-Fill. Here’s Why and What to Do Instead

    By techupdateadmin, August 22, 2025

    A reliable password manager is one of our essential recommendations as part of your cybersecurity toolkit, alongside a VPN and antivirus software. However, a Czech Republic-based security researcher, Marek Tóth, recently revealed at Defcon 33 that a clickjacking attack could be used to steal data from several password managers. Data that could be captured from your password manager through a specific clickjacking attack includes credit card information, personal data, usernames and passwords, passkeys or time-based one-time passwords. 

    Here’s what you need to know, including how the vulnerability works, which password managers are currently susceptible and what you can do to stay safe.

    A web-based clickjacking attack could be used to capture sensitive data from password managers

    Clickjacking is an attack that relies on a user carrying out an action, like clicking on a button, in the belief that they’re doing one thing when they’re really doing something else. For example, you might see a button on a website encouraging you to download a plugin or firmware update, but instead of downloading whatever’s being promised, it actually sends you to a web page or app run by an attacker. Clickjacking can be used to capture your data, like usernames, passwords and banking information.

    According to Tóth’s research, some password managers are susceptible to an exploit in which unwittingly clicking on a web-based element that’s part of an attacker’s clickjacking scheme could cause your usernames, passwords and even banking information to be shared. For instance, you might click on what you think is an innocent CAPTCHA, and while you’re solving the clickjacking CAPTCHA, your password manager’s auto-fill launches, selects all of your saved items and sends that data to an attacker. But as Tóth demonstrated, you won’t see your password manager’s auto-fill launching, because the attacker’s site has set the opacity such that your password manager’s windows are invisible to you.

    This isn’t really a password manager-specific vulnerability, but a web-based attack 

    While Tóth demonstrated how a Document Object Model (DOM)-based attack could be used to execute malicious code in your browser, it’s technically a web-based attack that websites and browsers are susceptible to, not a vulnerability exclusive to password managers. Tóth provides potential solutions for mitigating the vulnerability, and states that “the safest solution is to display a new pop-up window” when auto-fill happens, although he concedes “…that will be very inconvenient for users.” There’s currently some online debate: 1Password told the Socket Security Team that it feels that some of Tóth’s proposed solutions could be circumvented easily, and that a pop-up informing users before auto-filling would be the only way to truly warn against a clickjacking attack.
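The opacity trick described above points to one check a defender can make before auto-fill acts: CSS opacity compounds down the element tree, so an auto-fill window can be invisible even when its own opacity is 1. The JavaScript below is an added example, not code from Tóth’s research or from any password manager; the function names, the 0.9 threshold and the sample nodes are assumptions, and it covers opacity only.

```javascript
// Added example: hypothetical helper names, constructed DOM-like nodes.
const MIN_VISIBLE_OPACITY = 0.9; // assumed threshold, not taken from the research

// Multiply the opacity of the element and every ancestor up to the root.
// getStyle(node) must return an object with an `opacity` string, which is
// what window.getComputedStyle(node) provides in a real browser.
function effectiveOpacity(el, getStyle) {
  let product = 1;
  for (let node = el; node; node = node.parentElement) {
    const raw = parseFloat(getStyle(node).opacity);
    // Unparseable values fall back to 1, the CSS default; clamp to [0, 1].
    const value = Number.isNaN(raw) ? 1 : Math.min(1, Math.max(0, raw));
    product *= value;
  }
  return product;
}

// Decide whether the auto-fill UI is actually visible to the user.
function shouldAllowAutofill(uiElement, getStyle) {
  const opacity = effectiveOpacity(uiElement, getStyle);
  return { allow: opacity >= MIN_VISIBLE_OPACITY, opacity };
}

// Constructed sample trees: root -> wrapper -> auto-fill UI element.
function makeNode(opacity, parentElement = null) {
  return { style: { opacity }, parentElement };
}
const readStyle = (node) => node.style;

// Ordinary page: everything fully opaque.
const normalUi = makeNode("1", makeNode("1", makeNode("1")));
// Page root made near-transparent while the UI element itself says "1".
const hiddenUi = makeNode("1", makeNode("1", makeNode("0.01")));
// Three modest reductions that compound below the threshold.
const fadedUi = makeNode("0.95", makeNode("0.95", makeNode("0.95")));

console.log(shouldAllowAutofill(normalUi, readStyle));
console.log(shouldAllowAutofill(hiddenUi, readStyle));
console.log(shouldAllowAutofill(fadedUi, readStyle));
```

In a browser the same functions take a real element and `(node) => getComputedStyle(node)` as the style reader.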

    At the time of writing, NordPass, ProtonPass, RoboForm, Keeper and Dashlane have implemented fixes. LastPass has implemented certain mitigations, including a pop-up notification that shows up before auto-filling personal details and credit card information. Bitwarden, Enpass and iCloud Passwords reportedly have in-progress fixes coming, while 1Password and LogMeOnce don’t yet.

    Here’s what you can do to stay safe

    The good news is that several password managers have already taken action, with patches rolled out from NordPass, ProtonPass, Keeper and RoboForm. But you’ll want to make sure you’re using the latest version of each app to ensure you’ve got the patch installed.

    Because clickjacking isn’t an attack unique to password managers, you’ll want to exercise good judgment and caution. Be careful with pop-ups, banner ads and CAPTCHAs, especially if they seem suspicious. You can try hovering your cursor over on-page elements without clicking, and the bottom of your web browser window should show you the link awaiting you, so you can see if it seems legitimate.

    Since the clickjacking attack relies on auto-fill, you could disable your password manager’s auto-fill settings, instead relying on copying and pasting your various account credentials. That way, if you fall prey to a clickjacking attack that tries to auto-fill information from your password manager, it may not be successful.

    If you’re concerned that your passwords have been compromised, you can make new ones. Most password managers include password generators, but if you’d prefer to create your own, I recommend abiding by the US Cybersecurity and Infrastructure Security Agency’s recommendations to make your passwords at least 16 characters long, including a mix of letters, numbers and special characters. 

    In addition to a password manager, you should be using a VPN when you’re worried about privacy — like hiding your web browsing and app activity from your ISP — as well as antivirus software. Many VPNs and antivirus apps include ad, tracker and pop-up blockers, which may help protect against malicious sites or links. You can often bundle cybersecurity software for a convenient package, although there are pros and cons to bundling. While we typically advise against many free services, we do vouch for select free VPNs and antivirus software.

    Although I don’t think you need to panic and jump ship, if you’re truly concerned, you can always switch to a password manager that’s rolled out a patch. 

    For more, learn why you should be using a password manager and how to set one up.
