Your password managers trapped simple:
You click on what seems to be a perfectly normal button on a completely normal website… Except that in reality, you have just given access to everything stored in your password manager. This is exactly what a new clickjacking technique discovered by researcher Marek Tóth allows, and it potentially affects 40 million users worldwide.
If you use 1Password, Bitwarden, LastPass, Enpass, iCloud Passwords or LogMeOnce, bad news: they are all vulnerable. In fact, out of the 11 password managers tested, all presented this flaw. Some have already been patched (Dashlane, Keeper, NordPass, Proton Pass and RoboForm), but for the others, it is still open bar for hackers.
According to Marek Tóth's analysis, attackers exploit how browser extensions inject their elements into web pages. They create an invisible layer over the buttons of the password manager. When you think you are clicking on a completely innocent element of the page, you actually trigger your manager's autofill.
A single click is enough. Attackers can then recover your login credentials, your two-factor authentication codes, your bank card numbers with the security code, and even, in some cases, hijack your passkeys. All without you noticing anything.
Here is a demo with the trap:
Haven’t seen anything?
So watch this video now:
According to BleepingComputer, the reactions of the companies concerned are … disappointing. 1Password classified the report as "out of scope". LastPass marked it as "informative", which in corporate language means "we don't care". LogMeOnce did not even respond to the researchers. Only Bitwarden claims to have corrected the problem in version 2025.8.0, but tests show that this is not completely the case.
What is really a shame is that this vulnerability was avoidable. Managers automatically fill in credentials not only on the main domain but also on all subdomains, so if an attacker finds an XSS flaw on any subdomain of a site, they can steal all the credentials you have stored for that site.
Socket, a cybersecurity company, checked the results and confirms the extent of the problem. The researchers discovered that 6 out of 9 managers could disclose bank card details, 8 out of 10 personal information, and 10 out of 11 login credentials.
So how do you protect yourself? First, disable autofill. Yes, it's annoying, but it's the only effective way for the moment. Use copy and paste for your passwords. And on Chromium-based browsers (Chrome, Edge, Brave), set your extensions' site access to "on click" rather than automatic. This gives you control over when the extension can interact with the page.
For the most paranoid (and nobody can blame you), enable confirmation prompts before each autofill if your manager allows it. It is additional friction, but at least you will see when something tries to access your data.
The most absurd part of this story is that password managers are supposed to protect us, but this vulnerability turns our shield into an Achilles heel. Developers want to make their tools easy to use, which is laudable, but each shortcut taken is a potential door for attackers. And when companies ignore security reports because they consider them "outside the scope", it is users who take the big risks…
In short, until all managers fix this flaw, stay vigilant. One click too many and your whole life can be turned upside down.
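The subdomain matching described above, as an added example (not code from any password manager or from the researcher): it compares a base-domain fill policy with an exact-host policy. The function names, policy names and the small suffix list are assumptions made for illustration.

```javascript
// Constructed, tiny stand-in for the Public Suffix List (assumption: a real
// implementation would load the full list instead of these few entries).
const PUBLIC_SUFFIXES = new Set(["com", "org", "net", "co.uk", "github.io"]);

// Registrable domain (eTLD+1) of a hostname, or null if it has none.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  // Walk from the longest candidate suffix to the shortest.
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null;
}

// Decide whether a saved credential may be offered on the current page.
// "base-domain": any host under the same registrable domain (the
//   subdomain-wide behaviour described in the text).
// "exact-host": same scheme, host and port only.
function mayOfferCredential(savedUrl, pageUrl, policy) {
  const saved = new URL(savedUrl);
  const page = new URL(pageUrl);
  if (page.protocol !== "https:") return false; // never fill on plaintext pages
  if (policy === "exact-host") return saved.origin === page.origin;
  if (policy === "base-domain") {
    const base = registrableDomain(saved.hostname);
    return base !== null && base === registrableDomain(page.hostname);
  }
  throw new Error(`unknown policy: ${policy}`);
}

// Constructed sample: one saved login, several pages the user might visit.
function compareOnSamplePages() {
  const saved = "https://accounts.example.com/login";
  const pages = [
    "https://accounts.example.com/login",
    "https://blog.example.com/post?id=1", // a sibling subdomain
    "https://example.org/",
  ];
  return pages.map((page) => ({
    page,
    baseDomain: mayOfferCredential(saved, page, "base-domain"),
    exactHost: mayOfferCredential(saved, page, "exact-host"),
  }));
}

console.table(compareOnSamplePages());
```

The second row is the case the text warns about: under base-domain matching the credential is offered on a sibling subdomain, while exact-host matching refuses it.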