These 6 password managers put your bank data in danger


Six password managers have a critical flaw. By exploiting this vulnerability with a booby-trapped web page, an attacker can steal your personal data, as well as your bank card details.

Marek Tóth, a security researcher, discovered a flaw in the main password managers on the market. As the expert explained during a talk at DEF CON 33, the vulnerability makes it possible to steal account credentials, two-factor codes and credit card data, including the CVV code.


How can password managers disclose your data?

Concretely, an attacker could exploit the flaw to carry out a clickjacking attack, in which the attacker tricks the user into clicking on something without realizing it, thereby gaining access to sensitive data.


In this case, the attacker pushes the target to click on a button that triggers the password manager's autofill. To achieve this, the attacker must set up a booby-trapped web page that includes invisible HTML elements. These elements, such as cookie banners, pop-up windows or fake CAPTCHAs, are designed to deceive the target into clicking a button that seems harmless. By visiting this malicious site, the victim unknowingly hands over a host of sensitive data. To booby-trap a site, the attacker can use an XSS (cross-site scripting) vulnerability, which allows a third party to inject their own JavaScript code into a site.
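The overlay trick described above relies on the autofill control (or one of its ancestors in the page) being rendered with opacity 0, `visibility: hidden` or similar, so that the user's click on a decoy lands on it. The following is an added example, not code from the article or from any password manager vendor, of the defender-side check an extension can run before filling silently: walk the element's ancestor chain, compute its effective opacity, and fall back to a confirmation prompt whenever the control is not clearly visible. The DOM is modelled with plain objects (an assumed `style` map and `parent` link per node) so it runs in Node without a browser; the names `effectiveOpacity`, `isEffectivelyVisible` and `autofillDecision` are this example's own.

```javascript
// Added example, not the article's or any vendor's code: a visibility gate that a
// password-manager extension could apply to its injected autofill control before
// filling credentials without asking the user.
//
// Assumption: each node is a plain object { style, parent }, where `style` holds the
// computed CSS properties we care about (opacity, visibility, display) as strings,
// and `parent` links to the ancestor (null at the root). In a real extension these
// values would come from getComputedStyle(el) on the live DOM.

const OPACITY_THRESHOLD = 0.9; // assumption: anything dimmer is treated as hidden

// Multiply the opacity of the node and every ancestor; CSS opacity composes this way,
// so a wrapper at opacity 0 hides a child even when the child itself says opacity 1.
function effectiveOpacity(node) {
  let opacity = 1;
  for (let n = node; n; n = n.parent) {
    const raw = n.style.opacity === undefined ? "1" : n.style.opacity;
    const o = parseFloat(raw);
    if (!Number.isNaN(o)) opacity *= o;
  }
  return opacity;
}

// A node is only "effectively visible" if no ancestor removes it from rendering and
// the composed opacity is above the threshold.
function isEffectivelyVisible(node) {
  for (let n = node; n; n = n.parent) {
    if (n.style.display === "none") return false;
    if (n.style.visibility === "hidden" || n.style.visibility === "collapse") return false;
  }
  return effectiveOpacity(node) >= OPACITY_THRESHOLD;
}

// Decide whether an autofill request may proceed silently ("allow") or must be
// confirmed by the user ("confirm"). Payment data always requires confirmation,
// matching the behaviour the article attributes to 1Password.
function autofillDecision(node, dataType) {
  if (dataType === "card") return "confirm";
  return isEffectivelyVisible(node) ? "allow" : "confirm";
}

// --- constructed sample trees (not captured from any real page) ---
function makeNode(style, parent = null) {
  return { style, parent };
}

// Benign page: the autofill control is fully visible.
const benignRoot = makeNode({});
const benignControl = makeNode({ opacity: "1" }, benignRoot);

// Hostile page: a wrapper around the control is set to opacity 0, the overlay
// pattern the article describes, so the control itself reports opacity 1.
const hostileRoot = makeNode({});
const hostileWrapper = makeNode({ opacity: "0" }, hostileRoot);
const hostileControl = makeNode({ opacity: "1" }, hostileWrapper);

// Partial dimming: nested 0.5 opacities compose to 0.25, still below the threshold.
const dimWrapper = makeNode({ opacity: "0.5" }, benignRoot);
const dimControl = makeNode({ opacity: "0.5" }, dimWrapper);

// Ancestor removed from rendering via visibility:hidden.
const hiddenWrapper = makeNode({ visibility: "hidden" }, benignRoot);
const hiddenControl = makeNode({ opacity: "1" }, hiddenWrapper);

console.log("benign login:", autofillDecision(benignControl, "login"));   // allow
console.log("hostile login:", autofillDecision(hostileControl, "login")); // confirm
console.log("dimmed login:", autofillDecision(dimControl, "login"));      // confirm
console.log("benign card:", autofillDecision(benignControl, "card"));     // confirm
```

In a browser extension the same walk would read `getComputedStyle(el)` for each ancestor and would usually be paired with a hit test (`document.elementFromPoint` at the control's centre) to catch a transparent element layered on top rather than around the control. The gate is deliberately conservative: a false "confirm" costs one extra click, while a false "allow" is exactly the silent fill the attack depends on.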


Six password managers still vulnerable

The researcher tested eleven password managers, namely iCloud Keychain, LastPass, Bitwarden, 1Password, Dashlane, Keeper, NordPass, Proton Pass, RoboForm, Enpass and LogMeOnce. He found that all of the managers he tested were vulnerable.

Some of the managers promptly took measures to fix the issue: Dashlane, Keeper, NordPass, Proton Pass and RoboForm. The other six managers remain vulnerable despite the alerts Marek Tóth issued in April 2025.

Socket researchers were able to corroborate Tóth's conclusions. According to them, the browser versions of 1Password, Bitwarden, Enpass, iCloud Passwords, LastPass and LogMeOnce can indeed disclose sensitive personal data in certain scenarios. In total, more than 40 million users are at risk. The report advises all managers to "systematically display a confirmation window before any automatic filling".

Fixes under way at some managers

Despite the risks, 1Password downplayed the significance of the discovery, stating that "this web attack technique has been known for a long time and affects both websites and browser extensions". The concern "comes above all from the way browsers display pages, which means that no extension alone can provide a complete technical solution", the password manager told Bleeping Computer.

1Password "already requires confirmation before automatically filling out payment information, and in our next version we extend this protection so that users can choose to activate confirmation alerts for other types of data". LastPass and LogMeOnce are working on a fix. Echoing 1Password, LastPass adds that it has "integrated certain protections, such as an alert that is displayed before any automatic filling of bank cards or personal data on websites". Bitwarden specifies that version 2025.8.0, deployed this week, should fix the flaw.

While waiting for all managers to fix the vulnerability, we strongly recommend that you disable your password manager's autofill. Instead, copy and paste your passwords via the clipboard. This temporary precaution will prevent a booby-trapped web page from manipulating you into giving up personal data. Moreover, "check that automatic updates are enabled and that you are using the latest versions" of your manager, advises Marek Tóth.


Source: Marek Tóth
