Autofill Vulnerability Puts Password Manager Users at Risk

A newly disclosed vulnerability affecting several widely used password managers has raised significant concerns about the security of autofill features. The flaw enables attackers to extract login credentials and credit card details from users with minimal interaction—often requiring nothing more than a single click.

During a recent security conference, researcher Marek Toth revealed how password manager browser extensions can be exploited through clickjacking and other manipulation techniques. The vulnerability affects popular services including 1Password, Bitwarden, LastPass, Dashlane, NordPass, and others. In many cases, the issue remains unpatched.

The root of the problem lies in how password managers handle autofill functionality. Browser extensions are designed to automatically populate login forms with saved credentials. However, they often do so without adequately verifying the legitimacy of the surrounding webpage or form elements. Attackers can exploit this by embedding invisible frames or using overlays that mimic legitimate elements—such as cookie consent banners or CAPTCHAs—to trigger autofill actions.

Once triggered, these forms quietly capture and transmit sensitive information to remote servers, without the user ever realizing a breach has occurred. In one example, a hidden iframe of a known website’s login page was embedded beneath a transparent layer. When a user clicked an innocuous-looking on-page element, the password manager filled in the login credentials, which were then silently extracted.
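The framed-login-page variant described above only works if the target site allows itself to be embedded in a third-party iframe. The following is an added defender-side check, not code from the article or from any of the named password managers: it classifies a login page's HTTP response headers (given as a constructed, lowercase-keyed object) by whether an arbitrary origin could frame the page.

```javascript
// Added example (not from the article). Classifies whether a page's response
// headers permit framing by an arbitrary third-party origin, the precondition
// for hiding its login form under a transparent overlay. Header names are
// assumed lowercase; a value may be a string or an array (repeated headers).

function parseFrameAncestors(cspValues) {
  // Return the frame-ancestors source list from the first enforcing CSP header
  // that carries one, or null when no header has the directive.
  for (const csp of cspValues) {
    for (const directive of csp.split(';')) {
      const tokens = directive.trim().split(/\s+/).filter(Boolean);
      if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') {
        return tokens.slice(1).map((t) => t.toLowerCase());
      }
    }
  }
  return null;
}

function framingPolicy(headers) {
  const toList = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);
  // Only the enforcing header counts; Content-Security-Policy-Report-Only
  // never blocks framing, so it is deliberately ignored here.
  const ancestors = parseFrameAncestors(toList(headers['content-security-policy']));
  if (ancestors !== null) {
    // When frame-ancestors is present, browsers ignore X-Frame-Options.
    // An empty source list is equivalent to 'none'.
    if (ancestors.length === 0 || ancestors.includes("'none'")) {
      return { thirdPartyFramable: false, source: 'csp', allowed: [] };
    }
    // '*' or a bare scheme source such as "https:" admits any (https) origin;
    // 'self' and explicit host sources do not admit an arbitrary attacker.
    const open = ancestors.some((t) => t === '*' || /^[a-z][a-z0-9+.-]*:$/.test(t));
    return { thirdPartyFramable: open, source: 'csp', allowed: ancestors };
  }
  const xfo = toList(headers['x-frame-options']).map((v) => v.trim().toUpperCase());
  if (xfo.includes('DENY') || xfo.includes('SAMEORIGIN')) {
    return { thirdPartyFramable: false, source: 'x-frame-options', allowed: [] };
  }
  // No recognised anti-framing header: any origin may embed the page.
  return { thirdPartyFramable: true, source: 'none', allowed: ['*'] };
}

// Constructed sample: a login page that sends no anti-framing header at all.
console.log(framingPolicy({ 'content-type': 'text/html' }));
```

This check covers only the site-side precondition for the iframe overlay scenario; it says nothing about the subdomain, XSS or caching variants the article mentions, nor about whether a given extension will autofill into a framed form.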

The attacks are not limited to isolated methods. Researchers demonstrated several tactics that collectively bypass current extension safeguards. These include manipulating subdomains, using cross-site scripting (XSS), and exploiting caching behaviors to mislead autofill triggers.

Notably, at least six major password managers have yet to issue full fixes. Until updates are rolled out, users are advised to disable autofill features in their browser extensions. Instead, security experts recommend manually copying and pasting credentials into login forms to avoid unintentional data leaks.

As password managers continue to be widely used, this discovery highlights the importance of more robust verification mechanisms before sensitive data is entered into web forms. Users are encouraged to remain cautious, even on seemingly trusted websites, and to apply security updates as they become available.