{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/516608#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nBrowser-extension password managers, which autofill sensitive information on websites, can be exposed to various clickjacking attacks. These attacks exploit the trust relationship between a web page and the user-interface elements injected by the extension. [Recent studies](https://socket.dev/blog/password-manager-clickjacking) show that Document Object Model (DOM-level) manipulation can bypass many standard clickjacking defenses, leaving several password managers at risk when users navigate to a malicious or compromised website. Users should promptly install vendor updates and carefully weigh the security risks of password-manager features, such as autofill of sensitive information, that trade convenience for potential exposure.\r\n\r\n### Description\r\nClickjacking is a malicious technique that usually involves tricking a user into clicking something that looks safe or normal to interact with, so that an attacker can obtain sensitive information or perform an action that they otherwise would not be able to perform.\r\n\r\nThough clickjacking is a well-known attack with many mitigations across many product areas, novel methods of execution still appear. Unlike [traditional iframe-based clickjacking attacks](https://portswigger.net/web-security/clickjacking), DOM-based clickjacking exploits the fact that browser extensions can sometimes allow interactive elements to be injected directly into a website's DOM. The DOM is described by [MDN Web Docs](https://developer.mozilla.org/en-US/docs/Web/API/Document_Object_Model/Introduction) as\r\n> the data representation of the objects that comprise the structure and content of a document on the web. It represents the page so that programs can change the document structure, style, and content.
The DOM represents the document as nodes and objects; that way, programming languages can interact with the page (MDN Web Docs). \r\n\r\nSince JavaScript has the ability to manipulate the visual elements injected by a browser extension, these elements can be made invisible to the user while preserving their click handlers, so that attackers can trick users into interacting with password-manager extension functions. Such interaction can be guided by website elements that users already feel safe and familiar with, such as cookie consent banners, pop-up ads, or CAPTCHA prompts.\r\n\r\nPassword managers inject user-interface elements into web pages to enable autofill functionality, creating an inherent tension between usability and security. Clickjacking exploits rely on user interaction with maliciously crafted content, making responsibility for mitigation a shared concern. Effective defenses require coordinated effort: web developers must implement clickjacking protections, password-manager vendors must harden extension behavior, and users must understand and manage residual risk. No single party can eliminate the vulnerability on its own.\r\n\r\n### Impact\r\nSuccessful clickjacking of a browser-extension password manager could allow an attacker to trick users into unintentionally revealing or auto-filling credentials, leading to unauthorized access to sensitive accounts and stored passwords. Because DOM-based techniques can bypass common defenses, multiple browsers and password-manager vendors remain variably exposed while mitigations continue to evolve.\r\n\r\n### Solution\r\nReview the Vendor Information section for any browser- or password-manager-extension-specific updates and mitigation steps. Apply the latest updates from both the browser and the password-manager extension vendors. Where applicable, users concerned about clickjacking should consider disabling or limiting autofill functionality, or adjusting related settings, to reduce their exposure.
Users must also recognize that the level of control may vary from product to product, and that clickjacking attempts may occur on trusted websites if those sites have been compromised.\r\n\r\n### Acknowledgements\r\nThanks to Marek Tóth for presenting the research and to Jonathan Leitschuh for reporting this research to us. This document was written by Ben Koo.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK.","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL, if provided by the vendor, for more details.","title":"Limitations of Advisory"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/516608"},{"url":"https://marektoth.com/blog/dom-based-extension-clickjacking/","summary":"https://marektoth.com/blog/dom-based-extension-clickjacking/"},{"url":"https://socket.dev/blog/password-manager-clickjacking","summary":"https://socket.dev/blog/password-manager-clickjacking"},{"url":"https://www.cnet.com/tech/services-and-software/you-may-not-want-to-use-your-password-managers-auto-fill-heres-why-and-what-to-do-instead/","summary":"https://www.cnet.com/tech/services-and-software/you-may-not-want-to-use-your-password-managers-auto-fill-heres-why-and-what-to-do-instead/"},{"url":"https://www.bleepingcomputer.com/news/security/major-password-managers-can-leak-logins-in-clickjacking-attacks/","summary":"https://www.bleepingcomputer.com/news/security/major-password-managers-can-leak-logins-in-clickjacking-attacks/"},{"url":"https://www.securityweek.com/password-managers-vulnerable-to-data-theft-via-clickjacking/","summary":"https://www.securityweek.com/password-managers-vulnerable-to-data-theft-via-clickjacking/"}],"title":"Multiple Password Managers Vulnerable to Clickjacking Attacks","tracking":{"current_release_date":"2025-10-17T11:46:34+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#516608","initial_release_date":"2025-10-17 11:46:34.739700+00:00","revision_history":[{"date":"2025-10-17T11:46:34+00:00","number":"1.20251017114634.1","summary":"Released on 2025-10-17T11:46:34+00:00"}],"status":"final","version":"1.20251017114634.1"}},"vulnerabilities":[{"title":"A clickjacking technique where a malicious script manipulates UI elements that browser extensions inject into the DOM by making them invisible using JavaScript enables attackers to steal user credentials from multiple password managers.","notes":[{"category":"summary","text":"A clickjacking technique where a malicious script manipulates UI elements that browser extensions inject into the DOM by making them
invisible using JavaScript enables attackers to steal user credentials from multiple password managers."}],"ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#516608"}]}],"product_tree":{"branches":[]}}