DOM-Based Clickjacking Vulnerability Threatens Popular Password Managers, Exposing Users to Credential and Data Theft

AUGUST 20, 2025
Vulnerability / Browser Security

Recent findings reveal that widely used password manager browser extensions are vulnerable to DOM-based clickjacking attacks, which can compromise users’ account credentials, two-factor authentication (2FA) codes, and credit card information under specific conditions. Independent security researcher Marek Tóth highlighted this risk during his presentation at DEF CON 33 earlier this month. “With just a single click on an attacker-controlled site, users’ sensitive data—including credit card details, personal information, and login credentials (including TOTP)—can be stolen,” Tóth explained. This new technique is versatile and could potentially target other extension types as well. Clickjacking, also known as UI redressing, involves manipulating users into executing seemingly benign actions on a website, while the real intent is to hijack their information.

DOM-Based Extension Clickjacking Poses Risks to Leading Password Managers

On August 20, 2025, new findings emerged highlighting a significant security vulnerability affecting popular password management extensions for web browsers. These vulnerabilities, known as DOM-based extension clickjacking, could potentially facilitate the theft of sensitive user information, including account credentials, two-factor authentication (2FA) codes, and credit card details.

The technique was unveiled by security researcher Marek Tóth during his presentation at the DEF CON 33 security conference earlier this month. Tóth articulated the gravity of the situation, stating that a single click on a maliciously controlled website could grant attackers access to a user’s sensitive data. “The implications of this technique are extensive and not limited to just password managers; it can be applied to various other extension types,” Tóth noted.

Clickjacking, often referred to as UI redressing, deceives users into performing actions on a website that appear benign, such as clicking a button, but that actually compromise their data. The finding underscores a growing concern among business owners and cybersecurity professionals about the robustness of browser extensions that are generally trusted to handle sensitive data securely.
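A defender-side check for the redressing pattern described above, as an added example that is not code from the article or from any password manager: before acting on a click on UI it has injected into the page, an extension content script can verify that the element is actually visible and is the element under the pointer. It assumes the redress works by hiding or covering the injected element, which the article does not detail; the opacity threshold, object shapes and scenarios are constructed for illustration.

```javascript
// Added example (not code from the article or any password manager): a defender-side
// check an extension content script could run before acting on a click on UI it has
// injected into the page DOM. The click is refused if the element is effectively
// invisible (display/visibility/opacity anywhere up the ancestor chain) or if the
// topmost element at the click point is not the injected UI. Styles and nodes are
// plain objects here so the logic runs outside a browser.
const MIN_EFFECTIVE_OPACITY = 0.9; // assumption: anything fainter counts as redressed
// chain: computed styles from the injected element up to <html>, innermost first.
function effectiveOpacity(chain) {
  return chain.reduce((acc, s) => acc * Number(s.opacity ?? 1), 1);
}
function isHiddenByStyle(chain) {
  return chain.some(s => s.display === 'none' || s.visibility === 'hidden');
}
// hit: element at the click coordinates; own: the injected element.
// Trusted only if hit is own itself or one of own's descendants.
function hitIsOwnUi(hit, own) {
  for (let n = hit; n; n = n.parentElement) if (n === own) return true;
  return false;
}
// Returns { ok, reason } so the extension can refuse to fill and log why.
function clickIsTrustworthy(chain, hit, own) {
  if (isHiddenByStyle(chain)) return { ok: false, reason: 'hidden-by-style' };
  const op = effectiveOpacity(chain);
  if (op < MIN_EFFECTIVE_OPACITY) return { ok: false, reason: `low-opacity:${op.toFixed(2)}` };
  if (!hitIsOwnUi(hit, own)) return { ok: false, reason: 'covered-by-other-element' };
  return { ok: true, reason: 'visible-and-unobstructed' };
}
// Browser glue (not exercised here): build the chain with getComputedStyle and
// hit-test the click point with document.elementFromPoint.
function checkDomClick(el, ev) {
  const chain = [];
  for (let n = el; n; n = n.parentElement) chain.push(getComputedStyle(n));
  return clickIsTrustworthy(chain, document.elementFromPoint(ev.clientX, ev.clientY), el);
}
// Constructed scenarios: the extension's dropdown and a sibling overlay element.
function runConstructedScenarios() {
  const html = { parentElement: null }, body = { parentElement: html };
  const dropdown = { parentElement: body }, item = { parentElement: dropdown };
  const overlay = { parentElement: body };
  const opaque = [{ opacity: '1' }, { opacity: '1' }, { opacity: '1' }];
  const faded = [{ opacity: '0.5' }, { opacity: '0.5' }, { opacity: '1' }];
  const hidden = [{ opacity: '1', visibility: 'hidden' }, { opacity: '1' }, { opacity: '1' }];
  return {
    honest: clickIsTrustworthy(opaque, item, dropdown),
    faded: clickIsTrustworthy(faded, item, dropdown),
    hidden: clickIsTrustworthy(hidden, item, dropdown),
    covered: clickIsTrustworthy(opaque, overlay, dropdown),
  };
}
```

In a real extension, `checkDomClick` would run in the click handler of the injected element and refuse to autofill whenever `ok` is false.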

Those at risk are primarily users of widely adopted password managers, tools adopted to improve security by storing passwords and other credentials in encrypted form. These extensions are commonly used by individuals and organizations in the United States, who rely on their convenience and perceived safety.

In terms of attack methodology, the MITRE ATT&CK framework offers a useful lens for the tactics and techniques involved. Initial access is gained through user interaction with a malicious web page; the stolen data could then support persistence, letting attackers retain control over what they have compromised, and privilege escalation, giving them access to further sensitive data that users believe is adequately protected.

As organizations increasingly rely on digital tools for managing sensitive information, the implications of such vulnerabilities are far-reaching. The findings raise critical questions about the need for tighter security measures and oversight in the development and deployment of browser extensions that interface with personal data.

In light of these revelations, business owners are encouraged to stay vigilant and proactive in assessing the security of the tools they employ for data management. Regular updates, user education on safe browsing practices, and an understanding of potential vulnerabilities can significantly mitigate risks associated with these emerging threats. As the cybersecurity landscape evolves, it is crucial to remain informed and prepared to adapt to new challenges that could compromise organizational integrity.
