Click Studios Addresses Authentication Bypass Vulnerability in Passwordstate’s Emergency Access Page

Published: August 29, 2025 | Category: Vulnerability / Enterprise Security

Click Studios, the developer behind Passwordstate, an enterprise password management solution, has released critical security updates to fix an authentication bypass vulnerability in its software. This high-severity issue, yet to receive a CVE identifier, has been resolved in Passwordstate version 9.9 (Build 9972), launched on August 28, 2025. The Australian company reported that the update addresses a “potential Authentication Bypass” in the Emergency Access page when exploited with a specially crafted URL. Additionally, the latest version incorporates enhanced protections against possible clickjacking attacks targeting its browser extension, particularly if users navigate to compromised sites. These enhancements likely respond to insights from security researcher Marek Tóth, who recently revealed a technique involving Document Object Model (DOM)-based extension clickjacking affecting various password manager browser add-ons.

Click Studios Addresses Critical Security Flaw in Passwordstate’s Emergency Access Feature

On August 29, 2025, Click Studios, the developer behind the enterprise-level password management tool Passwordstate, announced the release of significant security updates aimed at resolving a high-severity authentication bypass vulnerability. This flaw, which has not yet been assigned a Common Vulnerabilities and Exposures (CVE) identifier, was remedied in Passwordstate version 9.9 (Build 9972), which became available on August 28, 2025.

The vulnerability specifically involved the Emergency Access page of Passwordstate, where a malicious actor could employ a meticulously crafted URL to bypass authentication protocols. The Australian company emphasized the potential risks associated with such a bypass, as it directly threatens user data and system integrity, particularly for enterprise users who rely heavily on robust security measures for managing sensitive credentials.

In addition to addressing this critical flaw, the company has incorporated enhanced measures to protect against clickjacking attacks that could potentially target its browser extension. This update appears to be a proactive response to recent findings by security researcher Marek Tóth, who highlighted vulnerabilities in various password manager add-ons due to a technique known as Document Object Model (DOM)-based extension clickjacking. The integration of safeguards against these types of attacks heightens the security posture of Passwordstate in an increasingly precarious digital threat landscape.

While the exact details regarding the exploitation of this vulnerability remain under wraps, it is essential to consider the possible tactics and techniques that could have been utilized, as outlined in the MITRE ATT&CK Framework. The initial access could have been gained through social engineering tactics or by manipulating web elements to facilitate the attack. An attacker might have sought to achieve persistence within the system, perhaps using means like credential dumping to further escalate privileges and maintain access.

As business owners evaluate their cybersecurity strategies, it is critical to remain vigilant regarding updates and security patches from software providers. This incident serves as a stark reminder of the evolving threat landscape in cybersecurity, underscoring the necessity for organizations to maintain awareness and implement best practices around password management and overall security hygiene.

In a time when cyber threats continue to proliferate, the steps taken by Click Studios to address this vulnerability demonstrate the company’s commitment to safeguarding user data. For enterprises leveraging Passwordstate, immediate implementation of this latest update is strongly advised to mitigate potential risks associated with this vulnerability.

Source link

Related Posts

Amazon Disrupts APT29’s Watering Hole Campaign Utilizing Microsoft Device Code Authentication

On August 29, 2025, in a significant security intervention, Amazon revealed it had identified and dismantled a watering hole campaign orchestrated by the Russia-linked APT29 group. This campaign exploited compromised websites to direct users towards malicious infrastructure, tricking them into authorizing attacker-controlled devices via Microsoft’s device code authentication process. Amazon’s Chief Information Security Officer, CJ Moses, provided insights into the threat. APT29, also known by aliases such as BlueBravo, Cozy Bear, and Midnight Blizzard, is a state-sponsored hacking group linked to Russia’s Foreign Intelligence Service (SVR). Recently, the group has been associated with attacks employing malicious Remote Desktop Protocol (RDP) configurations to target Ukrainian entities and extract sensitive information. As the year progresses, the adversary’s extensive targeting strategies continue to raise concerns.

Webinar: Harmonize Dev, Sec, and Ops Teams with a Unified Playbook

Date: August 29, 2025
Topic: Cloud Security / Generative AI

Imagine this: your team deploys new code, confident everything is perfect. But hidden within is a minor flaw that spirals into a major crisis once it reaches the cloud. Suddenly, hackers infiltrate your system, resulting in costly damages that can amount to millions. Frightening, right? In 2025, the average data breach will set businesses back around $4.44 million globally. A significant portion of these issues arises from app security oversights, such as web attacks that compromise credentials and cause chaos.

If you’re part of the dev, ops, or security teams, you’ve likely experienced this stress—constant alerts, disputes over accountability, and slow fixes. But it doesn’t have to be this way. What if you could detect risks early, from the moment code is written to its operation in the cloud? That’s the power of code-to-cloud visibility, transforming how proactive teams manage app security.

Join our upcoming webinar, “Code-to-Cloud…

Malicious Actors Exploit Velociraptor Forensic Tool to Launch Visual Studio Code for C2 Tunneling

Cybersecurity experts have highlighted a recent cyber attack involving the misuse of Velociraptor, an open-source endpoint monitoring and digital forensic tool. This incident showcases the ongoing trend of leveraging legitimate software for nefarious purposes. According to a report from the Sophos Counter Threat Unit Research Team, the attackers employed Velociraptor to download and execute Visual Studio Code, likely aimed at establishing a tunnel to a command-and-control (C2) server they controlled. While the use of legitimate remote monitoring and management (RMM) tools is not new in cyber threats, the adoption of Velociraptor represents a significant shift, allowing attackers to gain a foothold without deploying their own malware. Further investigation into the attack has revealed that the perpetrators exploited Wind…

Rethinking Browser Security: Addressing the Threats Posed by Scattered Spider

As businesses increasingly rely on browser-based operations, security teams are confronted with escalating cyber threats. Today, over 80% of security incidents stem from web applications accessed through browsers like Chrome, Edge, and Firefox. A particularly agile adversary known as Scattered Spider (also identified as UNC3944, Octo Tempest, or Muddled Libra) has emerged, targeting sensitive data within these browsers. Unlike infamous cybercriminal groups such as Lazarus Group, Fancy Bear, and REvil, Scattered Spider has honed its methods over the past two years, focusing on the human element and browser environments. If critical information—like your calendar, login credentials, or security tokens—resides in your browser tabs, Scattered Spider is poised to seize it. This article will delve into the attack techniques employed by Scattered Spider and outline strategies to defend against them.