A newly discovered technique, dubbed DOM-based extension clickjacking, has raised serious concerns about the security of browser-based password managers. Despite their role in protecting sensitive information, such as login credentials, credit card data, and TOTP codes (Time-based One-Time Passwords), this attack demonstrates how a single deceptive click can result in total data compromise.
Decoding DOM‑based Extension Clickjacking
Security researcher Marek Tóth revealed DOM‑based extension clickjacking at DEF CON 33 in August. Tóth demonstrated how malicious websites can exploit password manager browser extensions by manipulating Document Object Model (DOM) elements injected by these extensions.
The core idea involves hiding legitimate autofill interfaces via CSS properties like opacity: 0 or positioning them off-screen. Then, attackers overlay fake UI elements, such as cookie banners or modal windows, to mislead users into clicking what appear to be harmless elements.
These seemingly innocuous interactions can trigger the hidden autofill mechanisms of password managers. As a result, sensitive data like usernames, passwords, credit card details, or even TOTP codes can be captured and exfiltrated by attackers without the user’s awareness.
Scope and Impact
The attack was tested across 11 of the most widely used password manager extensions:
- Credential theft was successful in 10 out of 11 managers.
- Credit card data, including CVV numbers, was extractable in 6 out of 9 tested.
- Personal data exfiltration was possible in 8 out of 10.
- Passkey authentication was compromised in 8 out of 11.
This translates to a potential risk for approximately 40 million users worldwide, based on extension download data from major browser stores. The attack affects not only Chromium-based browsers but also those running other engines.
Exploit Mechanics
The attack consists of several stages:
- User Interaction Hijacking: The attacker presents a fake UI overlay to the user—such as a cookie consent form—designed to encourage interaction.
- Bypassing Overlay Protections: The attacker sets pointer-events: none on the overlay, allowing clicks to pass through to the underlying autofill elements from the password manager.
- Fake Form Injection: Autocomplete-enabled input fields are precisely positioned below the cursor. A JavaScript function captures the autofilled data using onchange events or browser console logging.
- Mouse Tracking: JavaScript dynamically tracks the mouse position to ensure that fake form fields align perfectly with user interactions, further improving the accuracy of the exploit.
In some test cases, login credentials and personal data were stolen with just two user clicks. The attack is particularly dangerous because it can bypass domain restrictions. For example, if a vulnerability exists on a subdomain of a large service, it can be exploited to steal credentials from that service’s main login domain.
While passkeys are generally considered more secure due to domain binding, Tóth found that several implementations—such as those from SK Telecom, Hanko, and Authsignal- could be hijacked via the same method. In systems lacking session-bound challenges, attackers can redirect or intercept signed assertions during the login process.
Vendor Responses
Following responsible disclosure in April 2025, several vendors released patches:
- Fixed: Dashlane, NordPass, Keeper, ProtonPass, RoboForm
- Still Vulnerable (as of August 2025): 1Password, Bitwarden, Enpass, iCloud Passwords, LastPass, LogMeOnce
Bitwarden, Enpass, and iCloud Passwords are reportedly working on fixes. However, both 1Password and LastPass have categorized the vulnerability as “informative,” suggesting they do not view it as a high-priority issue.
To reduce the risk of DOM‑based extension clickjacking, users should disable autofill, limit extension access to “on click,” and consider standalone password managers. Developers should implement protection like closed shadow DOMs and mutation observers, though no universal fix exists yet. With real-world demos showing how easily credentials, credit cards, and TOTP codes can be stolen, it’s clear that both users and vendors must act quickly; this is not a legacy issue, but a growing threat.
Related
Source link
