These 6 password managers risk:
A security flaw is currently active in 6 well-known password managers, including LastPass and 1Password. It allows attackers to seize sensitive data such as passwords and bank card numbers.
We can never say it enough: to protect yourself against the hacking of your accounts, it is crucial to use passwords that are both robust and unique. An elementary safety rule, but one that is not always easy to apply when you have to juggle a multitude of access codes. This is precisely where password managers come into play: dedicated tools that let you store and organize all your passwords securely behind a single, easy-to-remember master password.
The problem is that, because of the sensitive data they contain, these tools are frequent targets of hacking attempts. And, unfortunately, it would seem that some are not as secure as they should be. Marek Tóth, a security researcher, revealed at the DEF CON 33 conference that he had discovered a flaw in the main password managers on the market, namely iCloud Keychain, LastPass, Bitwarden, 1Password, Dashlane, Keeper, NordPass, Proton Pass, RoboForm, Enpass, and LogMeOnce. This vulnerability makes it possible to steal account login information, two-factor authentication (2FA) codes and credit card data, including the CVV code. And despite a report last April, six of these services have still not remedied the problem.
Password managers: a critical flaw detected
Attackers can exploit this flaw by carrying out a "clickjacking" operation: deceiving the user into clicking on something without realizing it, thereby granting the attacker access to sensitive data. To put it simply, the attacker builds a malicious web page containing invisible or superimposed HTML elements over the actual autofill menu. This menu is then made invisible (with opacity 0) and covered by a graphic lure that users are accustomed to clicking on automatically, such as a cookie banner, a pop-up window or a CAPTCHA. The user, thinking they are clicking on a harmless element, actually clicks on this invisible autofill menu.
If it is a simple malicious page, the trap allows the exfiltration of data not linked to a specific field, such as an email address or bank card numbers. But if the cybercriminal has managed to inject a malicious script into a trusted site, the manager considers it a legitimate site and pours the stored information into it, such as usernames, passwords, TOTP codes and passkeys.
Since the researcher's report in April, Dashlane, Keeper, NordPass, Proton Pass and RoboForm have done what was needed to correct the flaw. On the other hand, it is still active in iCloud Keychain, LastPass, Bitwarden, 1Password, Enpass, and LogMeOnce.
Password managers: What to do to protect yourself?
Socket researchers set out to check Marek Tóth's claims and confirmed that these browser password managers are indeed liable to disclose sensitive personal data in certain scenarios. This concerns no fewer than 40 million users worldwide. They advise displaying "Systematically a confirmation window before any automatic filling".
LastPass and LogMeOnce are currently working on a fix, and Bitwarden indicated that version 2025.8.0, deployed this week, should close the flaw. For its part, 1Password has played down the importance of the discovery, as reported by BleepingComputer.
Until all of them have corrected this vulnerability, researchers recommend deactivating the automatic filling of your password manager if it is among the laggards. Instead, it is better to go through the clipboard to copy and paste your passwords and bank data. You should also verify that automatic updates are enabled, so that it is indeed the latest version of the manager that is in use.
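The attack described above works because the manager's autofill menu is injected into a page the attacker controls, so the page can push it to opacity 0 and stack a lure over it. As an added example (not code from the article, from Marek Tóth's research, or from any of the password managers named), the snippet below shows the kind of defender-side check an extension could run on its own menu element before honouring a click, and the fallback that the Socket advice implies: when the menu is not demonstrably visible, refuse the silent fill and require an explicit confirmation instead. All function names, field names and the three constructed scenarios are assumptions made for this example.

```javascript
// Added example, not the article's or any password manager's code.
// Defender-side visibility check for an autofill menu injected into a host
// page: refuse a silent fill when the host page has hidden the menu or has
// something else sitting on top of it. Names here are assumptions.

// Effective-visibility rule over a chain of computed-style snapshots ordered
// from the menu element up to <html>. Pure logic, so it runs without a DOM.
function isEffectivelyHidden(chain) {
  for (const style of chain) {
    const opacity = Number.parseFloat(style.opacity);
    // Opacity composes multiplicatively down the tree: an ancestor at or
    // near 0 hides the menu even though the menu's own opacity reads "1".
    if (!Number.isNaN(opacity) && opacity < 0.5) return true;
    if (style.visibility === 'hidden' || style.display === 'none') return true;
    // pointer-events:none on an interactive menu (or an ancestor) means the
    // click the user makes is not really aimed at what they can see.
    if (style.pointerEvents === 'none') return true;
  }
  return false;
}

// Decision: allow the fill silently, or fall back to an explicit confirmation.
function decideAutofillClick({ chain, hitTestMatches }) {
  if (isEffectivelyHidden(chain)) return { allow: false, reason: 'hidden-by-host-page' };
  if (!hitTestMatches) return { allow: false, reason: 'occluded-by-overlay' };
  return { allow: true, reason: 'visible' };
}

// DOM side (browser only): collect the style chain and run a hit test at the
// menu's centre. elementFromPoint skips elements with pointer-events:none, so
// a lure styled that way is caught by the opacity rule, not by this test.
function collectStyleChain(el) {
  const chain = [];
  for (let node = el; node && node.nodeType === 1; node = node.parentElement) {
    const cs = getComputedStyle(node);
    chain.push({ opacity: cs.opacity, visibility: cs.visibility,
                 display: cs.display, pointerEvents: cs.pointerEvents });
  }
  return chain;
}

function checkAutofillMenu(menuEl) {
  const r = menuEl.getBoundingClientRect();
  const hit = document.elementFromPoint(r.left + r.width / 2, r.top + r.height / 2);
  const hitTestMatches = hit === menuEl || menuEl.contains(hit);
  return decideAutofillClick({ chain: collectStyleChain(menuEl), hitTestMatches });
}

// Constructed scenarios (no DOM needed) mirroring the article's description.
const VISIBLE = { opacity: '1', visibility: 'visible', display: 'block', pointerEvents: 'auto' };
const SCENARIOS = {
  // Honest page: menu and ancestors visible, hit test lands on the menu.
  honest: { chain: [VISIBLE, VISIBLE, VISIBLE], hitTestMatches: true },
  // Host page wrapped the menu's parent in opacity:0, as the article describes.
  opacityZeroParent: { chain: [VISIBLE, { ...VISIBLE, opacity: '0' }, VISIBLE], hitTestMatches: true },
  // Styles look fine, but an overlay that receives pointer events covers the menu.
  coveredByOverlay: { chain: [VISIBLE, VISIBLE, VISIBLE], hitTestMatches: false },
};

function runScenarios() {
  const out = {};
  for (const [name, s] of Object.entries(SCENARIOS)) out[name] = decideAutofillClick(s);
  return out;
}
```

The decision logic is kept separate from the DOM calls so it can be exercised offline with `runScenarios()`; in a content script, `checkAutofillMenu(menuEl)` would run in the click handler and anything other than `allow: true` would route to a confirmation step. The caveat is that the host page owns the DOM and CSS, so in-page checks like these can be evaded (clip paths, transforms, off-screen positioning, tiny sizes); a confirmation rendered in the extension's own UI, outside the page, is the more robust form of the "confirmation window before any automatic filling" that the researchers recommend.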