{"id":100449,"date":"2025-08-21T23:02:09","date_gmt":"2025-08-21T23:02:09","guid":{"rendered":"https:\/\/www.newsbeep.com\/us\/100449\/"},"modified":"2025-08-21T23:02:09","modified_gmt":"2025-08-21T23:02:09","slug":"major-flaw-in-top-password-managers-lets-hackers-steal-your-login-details-2fa-codes-credit-card-info-and-more","status":"publish","type":"post","link":"https:\/\/www.newsbeep.com\/us\/100449\/","title":{"rendered":"Major flaw in top password managers lets hackers steal your login details, 2FA codes, credit card info and more"},"content":{"rendered":"<p id=\"2d4dc45e-d1be-4bad-ad94-42eaa35a785f\">Several of the <a data-analytics-id=\"inline-link\" href=\"https:\/\/www.tomsguide.com\/us\/best-password-managers,review-3785.html\" data-before-rewrite-localise=\"https:\/\/www.tomsguide.com\/us\/best-password-managers,review-3785.html\" rel=\"nofollow noopener\" target=\"_blank\">best password managers<\/a> have been found to be vulnerable to a flaw that lets hackers pull off <a data-analytics-id=\"inline-link\" href=\"https:\/\/www.tomsguide.com\/computing\/online-security\/hackers-can-steal-your-accounts-and-all-it-takes-is-a-double-click-dont-fall-for-this-new-form-of-clickjacking\" data-before-rewrite-localise=\"https:\/\/www.tomsguide.com\/computing\/online-security\/hackers-can-steal-your-accounts-and-all-it-takes-is-a-double-click-dont-fall-for-this-new-form-of-clickjacking\" rel=\"nofollow noopener\" target=\"_blank\">clickjacking attacks<\/a>. 
Researcher Marek T\u00f3th recently demonstrated how the bug lets attackers overlay invisible HTML elements on a page, so that users believe they are clicking on an ordinary popup when they are in fact unknowingly leaking sensitive information such as account credentials, 2FA codes or credit card details.<\/p>\n<p><a data-analytics-id=\"inline-link\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/major-password-managers-can-leak-logins-in-clickjacking-attacks\/\" target=\"_blank\" data-url=\"https:\/\/www.bleepingcomputer.com\/news\/security\/major-password-managers-can-leak-logins-in-clickjacking-attacks\/\" referrerpolicy=\"no-referrer-when-downgrade\" data-hl-processed=\"none\" rel=\"nofollow noopener\">Bleeping Computer<\/a> reported on <a data-analytics-id=\"inline-link\" href=\"https:\/\/media.defcon.org\/DEF%20CON%2033\/DEF%20CON%2033%20presentations\/Marek%20T%C3%B3th%20-Browser%20Extension%20Clickjacking%20One%20Click%20and%20Your%20Credit%20Card%20Is%20Stolen.pdf\" target=\"_blank\" data-url=\"https:\/\/media.defcon.org\/DEF%20CON%2033\/DEF%20CON%2033%20presentations\/Marek%20T%C3%B3th%20-Browser%20Extension%20Clickjacking%20One%20Click%20and%20Your%20Credit%20Card%20Is%20Stolen.pdf\" referrerpolicy=\"no-referrer-when-downgrade\" data-hl-processed=\"none\" rel=\"nofollow noopener\">T\u00f3th\u2019s findings<\/a>, which the researcher presented at the DEF CON 33 conference in August. 
A threat actor can exploit this flaw when a victim visits a <a data-analytics-id=\"inline-link\" href=\"https:\/\/www.tomsguide.com\/computing\/malware-adware\/fbi-issues-warning-over-free-online-file-converters-that-infect-your-pc-with-malware\" data-before-rewrite-localise=\"https:\/\/www.tomsguide.com\/computing\/malware-adware\/fbi-issues-warning-over-free-online-file-converters-that-infect-your-pc-with-malware\" rel=\"nofollow noopener\" target=\"_blank\">malicious website<\/a> vulnerable to <a data-analytics-id=\"inline-link\" href=\"https:\/\/www.tomsguide.com\/news\/rilide-malware-is-stealing-2fa-codes-and-passwords-what-you-need-to-know\" data-before-rewrite-localise=\"https:\/\/www.tomsguide.com\/news\/rilide-malware-is-stealing-2fa-codes-and-passwords-what-you-need-to-know\" rel=\"nofollow noopener\" target=\"_blank\">cross-site scripting<\/a> or cache poisoning, which is where the invisible overlay is placed. The attacker only needs to create a fake site and ensure that it contains an intrusive pop-up such as a log-in screen or cookie consent banner. This pop-up carries the overlay with an invisible login form, so once the victim clicks on the page to dismiss the popup, their password manager autofills their credentials or other sensitive data into the malicious form, which then sends them to a remote server. <\/p>\n<p>T\u00f3th showed multiple variants of the attack, including direct DOM (document object model) element opacity manipulation, root element opacity manipulation, parent element opacity manipulation, and partial or full overlaying. He also demonstrated a method in which the UI element follows the mouse cursor, so any click, regardless of its position on the page, triggers the autofill. 
To make matters worse, T\u00f3th explained that a universal attack script could be used to identify which password manager is active in the victim\u2019s browser, so the attack could be adapted in real time.<\/p>\n<p id=\"2d4dc45e-d1be-4bad-ad94-42eaa35a785f-2\">T\u00f3th\u2019s findings were verified by the cybersecurity company Socket, which also helped inform the vendors affected by the vulnerability and coordinate public disclosure and the filing of CVEs. The password managers tested include <a data-analytics-id=\"inline-link\" href=\"https:\/\/www.tomsguide.com\/reviews\/1password\" data-before-rewrite-localise=\"https:\/\/www.tomsguide.com\/reviews\/1password\" rel=\"nofollow noopener\" target=\"_blank\">1Password<\/a>, <a data-analytics-id=\"inline-link\" href=\"https:\/\/www.tomsguide.com\/reviews\/bitwarden\" data-before-rewrite-localise=\"https:\/\/www.tomsguide.com\/reviews\/bitwarden\" rel=\"nofollow noopener\" target=\"_blank\">Bitwarden<\/a>, <a data-analytics-id=\"inline-link\" href=\"https:\/\/www.tomsguide.com\/us\/enpass-password-manager,review-4982.html\" data-before-rewrite-localise=\"https:\/\/www.tomsguide.com\/us\/enpass-password-manager,review-4982.html\" rel=\"nofollow noopener\" target=\"_blank\">Enpass<\/a>, <a data-analytics-id=\"inline-link\" href=\"https:\/\/www.tomsguide.com\/computing\/password-managers\/apple-passwords-review\" data-before-rewrite-localise=\"https:\/\/www.tomsguide.com\/computing\/password-managers\/apple-passwords-review\" rel=\"nofollow noopener\" target=\"_blank\">Apple Passwords<\/a>, <a data-analytics-id=\"inline-link\" href=\"https:\/\/www.tomsguide.com\/reviews\/lastpass\" data-before-rewrite-localise=\"https:\/\/www.tomsguide.com\/reviews\/lastpass\" rel=\"nofollow noopener\" target=\"_blank\">LastPass<\/a> and LogMeOnce.<\/p>\n<p>All of these have browser-based variants of their password managers that would leak sensitive information under certain scenarios. In total, 11 password managers were tested and all were found to be vulnerable to at least one attack method. T\u00f3th notified all the vendors of the issue in April 2025 before publicly disclosing his findings at DEF CON 33.<\/p>\n<p>Many of the password manager companies have indicated that they are working on resolving the issue or have already issued fixes. Recommendations for users include making sure that you&#8217;re running up-to-date versions of your password manager, and T\u00f3th says that until fixes become available, you should disable the autofill function in your password manager and use copy\/paste only. He adds: \u201cFor Chromium-based browser users, it is recommended to configure site access to \u2018on click\u2019 extension settings; this allows users to manually control autofill functionality.\u201d<\/p>\n","protected":false},"excerpt":{"rendered":"Several of the best password managers have been found to be vulnerable to a flaw that lets hackers&hellip;\n","protected":false},"author":2,"featured_media":100450,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[46],"tags":[191,74],"class_list":{"0":"post-100449","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-computing","8":"tag-computing","9":"tag-technology"},"_links":{"self":[{"href":"https:\/\/www.newsbeep.com\/us\/wp-json\/wp\/v2\/posts\/100449","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.newsbeep.com\/us\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.newsbeep.com\/us\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/us\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/us\/wp-json\/wp\/v2\/comments?post=100449"}],"version-history":[{"count":0,"href":"https:\/\/www.newsbeep.com\/us\/wp-json\/wp\/v2\/posts\/100449\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/us\/wp-json\/
wp\/v2\/media\/100450"}],"wp:attachment":[{"href":"https:\/\/www.newsbeep.com\/us\/wp-json\/wp\/v2\/media?parent=100449"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.newsbeep.com\/us\/wp-json\/wp\/v2\/categories?post=100449"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.newsbeep.com\/us\/wp-json\/wp\/v2\/tags?post=100449"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}