{"id":164404,"date":"2025-08-21T19:34:51","date_gmt":"2025-08-21T19:34:51","guid":{"rendered":"https:\/\/teknomers.com\/en\/a-single-click-can-mean-saying-goodbye-to-our-passwords-this-vulnerability-impacts-extensions-from-several-password-managers\/"},"modified":"2025-08-21T19:34:53","modified_gmt":"2025-08-21T19:34:53","slug":"a-single-click-can-mean-saying-goodbye-to-our-passwords-this-vulnerability-impacts-extensions-from-several-password-managers","status":"publish","type":"post","link":"https:\/\/teknomers.com\/en\/a-single-click-can-mean-saying-goodbye-to-our-passwords-this-vulnerability-impacts-extensions-from-several-password-managers\/","title":{"rendered":"A single click can mean saying goodbye to our passwords. This vulnerability impacts extensions from several password managers."},"content":{"rendered":"\n<p>We trust our password managers as if they were digital fortresses. However, according to expert Marek T\u00f3th, just landing on the wrong website and clicking in the wrong place can put that armor at risk. The technique he presented at <a rel=\"noopener, noreferrer nofollow\" href=\"https:\/\/defcon.org\/html\/defcon-33\/dc-33-index.html\" target=\"_blank\">DEF CON 33<\/a> doesn\u2019t target applications but rather the \u00a0extensions we use daily\u00a0 in our browsers. In his tests, he confirms that this single gesture can trigger data theft without the user even realizing it.<\/p>\n<p><!-- BREAK 1 --><\/p>\n<p>The research, made public at one of the world\u2019s foremost computer security conferences, documents how eleven password manager extensions could be manipulated into leaking data. T\u00f3th stated that he notified the vendors of these vulnerabilities in April 2025, and by mid-August, several still hadn\u2019t issued fixes. 
The study includes practical tests, websites built to demonstrate the flaws, and an estimate of the potential impact: approximately 40 million active installations could be exposed.<\/p>\n<p><!-- BREAK 2 --><\/p>\n<h2>How the Attack Works and Why It Affects You<\/h2>\n<p>The technique described by T\u00f3th is based on hiding the elements that extensions insert into a web page, so that the user interacts with them without noticing. <a rel=\"noopener, noreferrer nofollow\" href=\"https:\/\/marektoth.com\/blog\/dom-based-extension-clickjacking\/#:~:text=Attacker%20creates%20a%20malicious%20page%20with%20an%20invisible%20iframe%20containing%20the%20target%20website%20%28opacity%3A0%29\" target=\"_blank\">With minimal changes in opacity or overlap<\/a>, the attacker can trigger \u00a0autofill actions in the background\u00a0. This can be achieved in various ways, from manipulating the extension\u2019s root element to altering the entire body of the site, alongside several variants that rely on overlay techniques.<\/p>\n<p><!-- BREAK 3 --><\/p>\n<p>The most concerning scenario arises when a trap website isn\u2019t even necessary; it suffices to exploit a legitimate web page that has a security flaw. In such cases, T\u00f3th explains, attackers can capture login credentials. The risk grows because many managers fill data not only on the original domain but also on its subdomains, expanding the attack surface without the user noticing.<\/p>\n<p><!-- BREAK 4 --><\/p>\n<p><a rel=\"noopener, noreferrer nofollow\" href=\"https:\/\/socket.dev\/blog\/password-manager-clickjacking\" target=\"_blank\">According to data published by T\u00f3th and collected by Socket<\/a>, as of August 19, password managers such as 1Password, Bitwarden, ENPASS, and even \u00a0iCloud Passwords\u00a0, along with LastPass and LogMeOnce, were still found to be vulnerable. 
On August 20, Socket updated its report stating that Bitwarden had shipped version 2025.8.0 with a patch, and that other managers, including NordPass, Dashlane, Keeper, ProtonPass, and RoboForm, had already implemented corrective measures. However, given how quickly the situation is evolving, this list may change at any time as more companies release updates.<\/p>\n<p><!-- BREAK 5 --><\/p>\n<div class=\"article-asset-image article-asset-normal article-asset-center\">\n<div class=\"asset-content\">\n<div class=\"caption-img \">\n<p>            <img decoding=\"async\" alt=\"Extensions Example\" class=\"centro_sinmarco\" src=\"https:\/\/teknomers.com\/en\/wp-content\/uploads\/2025\/08\/A-single-click-can-mean-saying-goodbye-to-our-passwords.png\"\/><br \/>\n            <span>Password manager extension for the browser<\/span>\n        <\/div>\n<\/p><\/div>\n<\/div>\n<p>Vendors&#8217; reactions have been mixed. Socket reports that 1Password and LastPass categorized the finding as &#8220;informative,&#8221; a classification that typically means no immediate changes are planned. In contrast, Bitwarden, ENPASS, and Apple (iCloud Passwords) acknowledged that \u00a0they are working on updates\u00a0, while LogMeOnce has not responded to requests for clarification. Some companies acknowledged a risk, but one tied to vulnerabilities in the third-party sites the user visits.<\/p>\n<p><!-- BREAK 6 --><\/p>\n<p>While some developers are still deciding how to respond, T\u00f3th and the Socket team agree that there are practical measures users can take to reduce their exposure. One effective strategy is to disable autofill and opt for copy-paste instead. It is also advisable to configure auto-fill only for exact URLs, thus preventing it from activating on subdomains. 
In Chromium-based browsers, users can limit extension access with options like &#8220;When clicking,&#8221; ensuring explicit authorization for each use.<\/p>\n<p><!-- BREAK 7 --><\/p>\n<div class=\"article-asset-image article-asset-normal article-asset-center\">\n<div class=\"asset-content\">\n<div class=\"caption-img \">\n            <img class=\"centro_sinmarco\" height=\"1056\" width=\"2000\" loading=\"lazy\" decoding=\"async\"  fetchpriority=\"high\"  src=\"https:\/\/teknomers.com\/en\/wp-content\/uploads\/2025\/08\/1755804891_493_A-single-click-can-mean-saying-goodbye-to-our-passwords.png\" alt=\"Research test\"\/><br \/>\n            <span>The researcher illustrates how invisible elements can overlap on the page, deceiving the user into activating the password manager without realizing it.<\/span>\n        <\/div>\n<\/p><\/div>\n<\/div>\n<p>However, not every situation results in an immediate breach. For an attack to succeed, the extension must be active, the browser must not have restarted, and the user must interact at just the right moment. 
Moreover, the analysis focused solely on eleven extensions; thus, there is no evidence that \u00a0all solutions\u00a0 available on the market are vulnerable, although the expert warns that this pattern could be replicated in other types of extensions as well.<\/p>\n<p><!-- BREAK 8 --><\/p>\n<p>The weak point lies in the <a rel=\"noopener, noreferrer nofollow\" href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/API\/Document_Object_Model\" target=\"_blank\">Document Object Model (DOM)<\/a>, the structure that websites use to organize buttons, forms, and menus. Password managers insert their elements into this structure, and when a malicious page manipulates them\u2014whether by moving, hiding, or forcing them\u2014the user risks clicking without realizing it. That same vulnerability extends to other extensions, including cryptocurrency wallets and note-taking applications.<\/p>\n<p><!-- BREAK 9 --><\/p>\n<p>Images | Xataka with Gemini 2.5<\/p>\n<p>In Xataka | How to change all your passwords according to three cybersecurity experts.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We trust our password managers as if they were digital fortresses. However, according to expert Marek T\u00f3th, just stepping onto the wrong website and clicking where it doesn&#8217;t correspond can put that armor at risk. 
The technique he presented at DEF CON 33 doesn\u2019t target applications but rather the \u00a0extensions we use daily\u00a0 in our [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":164405,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[36399],"tags":[12403,29474,3048,26036,237,38200,26051,6305,18949],"class_list":["post-164404","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology","tag-click","tag-extensions","tag-goodbye","tag-impacts","tag-managers","tag-password","tag-passwords","tag-single","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/teknomers.com\/en\/wp-json\/wp\/v2\/posts\/164404","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/teknomers.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/teknomers.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/teknomers.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/teknomers.com\/en\/wp-json\/wp\/v2\/comments?post=164404"}],"version-history":[{"count":0,"href":"https:\/\/teknomers.com\/en\/wp-json\/wp\/v2\/posts\/164404\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/teknomers.com\/en\/wp-json\/wp\/v2\/media\/164405"}],"wp:attachment":[{"href":"https:\/\/teknomers.com\/en\/wp-json\/wp\/v2\/media?parent=164404"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/teknomers.com\/en\/wp-json\/wp\/v2\/categories?post=164404"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/teknomers.com\/en\/wp-json\/wp\/v2\/tags?post=164404"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}