Major flaw in top password managers lets hackers steal login details

  • Marijan Hassan - Tech Journalist
  • 1 hour ago
  • 2 min read

Several of the world’s most popular password managers have been found vulnerable to a security flaw that could allow hackers to steal sensitive data through clickjacking attacks.


The vulnerability, demonstrated by researcher Marek Tóth at the DEF CON 33 conference in Las Vegas, enables attackers to overlay invisible HTML elements over legitimate website pop-ups. Victims who believe they are interacting with a harmless login screen or consent banner may unknowingly trigger their password manager to autofill credentials, two-factor authentication codes, or payment card details into a malicious form.


“This flaw makes it possible for attackers to trick password managers into leaking data with just a few clicks,” Tóth said, warning that the technique can be adapted in real time depending on which password manager is detected on the victim’s browser.


How the attack works

According to Tóth’s demo and a report by Bleeping Computer, attackers can exploit vulnerable sites using cross-site scripting (XSS) or cache poisoning to inject invisible overlays. Variants of the attack included:

  • Manipulating DOM element opacity to hide forms

  • Overlaying invisible parent or root elements across the screen

  • Creating dynamic overlays that follow the victim’s mouse cursor, ensuring that any click triggers the autofill exploit


The attack can be further weaponized with a universal script that identifies which password manager is active, tailoring the exploit to its autofill behavior.
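One defensive check a password manager's content script could run before honouring a click on its own autofill prompt, or before filling a field (an added example, not code from the article, from Tóth's research, or from any vendor): it refuses to act when the element's effective opacity through the ancestor chain, including the document root, is below a threshold, when it is hidden or collapsed, or when another element sits on top of it at its centre point. The `doc` and `win` parameters, the `MIN_OPACITY` value and the function names are assumptions chosen so the logic can be exercised outside a browser.

```javascript
// Added example (not the article's or any vendor's code): visibility gate an
// autofill routine can apply to the element it is about to act on.
// Assumption: a caller passes `document` and `window` as `doc` and `win`.

const MIN_OPACITY = 0.9; // assumption: anything fainter is treated as invisible

// Effective opacity is the product of `opacity` along the ancestor chain, which
// catches the variants that set opacity on a parent or on the root element.
function effectiveOpacity(el, win) {
  let opacity = 1;
  for (let node = el; node; node = node.parentElement) {
    const style = win.getComputedStyle(node);
    if (style.display === 'none' || style.visibility === 'hidden') return 0;
    opacity *= parseFloat(style.opacity);
    if (!(opacity > 0)) return 0; // also handles NaN from a missing value
  }
  return opacity;
}

// True when the element is collapsed or when hit-testing its centre returns
// something other than the element itself or one of its descendants, i.e. an
// overlay (visible or not) is stacked on top of it.
function isCovered(el, doc) {
  const r = el.getBoundingClientRect();
  if (r.width === 0 || r.height === 0) return true;
  const top = doc.elementFromPoint(r.left + r.width / 2, r.top + r.height / 2);
  return !(top && (top === el || el.contains(top)));
}

// Returns a decision with a reason so the refusal can be logged or surfaced.
function autofillDecision(el, doc, win) {
  const opacity = effectiveOpacity(el, win);
  if (opacity < MIN_OPACITY) {
    return { allow: false, reason: `effective opacity ${opacity} below ${MIN_OPACITY}` };
  }
  if (isCovered(el, doc)) {
    return { allow: false, reason: 'element is obscured by another element' };
  }
  return { allow: true, reason: 'element is visible and topmost' };
}
```

A manager that wires this in front of its fill logic would decline the click in all three variants the article lists, since each of them leaves the prompt either transparent through an ancestor or hit-tested behind the overlay.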


Who is affected

Tóth, working with cybersecurity firm Socket, tested 11 popular password managers and found that all were vulnerable to at least one attack vector. Among those confirmed impacted were 1Password, Bitwarden, Enpass, Apple Passwords, LastPass, and LogMeOnce.


All affected vendors were notified in April 2025 ahead of the coordinated public disclosure at DEF CON. Several companies have since issued patches or committed to deploying fixes.


What should users do?

Until updates are fully rolled out, experts recommend disabling autofill features and relying on manual copy-and-paste for credentials.


Tóth also advised Chromium-based browser users to adjust extension permissions: “Configure site access to ‘on click’. This allows users to manually control autofill functionality.”


Broader implications

Password managers are widely promoted as a safer alternative to reusing passwords across accounts, but vulnerabilities like this highlight ongoing risks. With attackers increasingly targeting authentication tools, security researchers are urging users to remain vigilant and keep their software fully up to date.
