
Password managers are designed to safeguard your passwords and sensitive details, but they can also be exploited, allowing attackers to access this information. A newly discovered DOM-based clickjacking method can deceive some password managers into autofilling credentials into malicious forms. Below, we delve into how this attack functions and how you can bolster your defenses.
Understanding the Vulnerability of Password Managers
Recent findings highlight a Document Object Model (DOM) exploit that facilitates a variant of clickjacking, enabling bad actors to surreptitiously trigger the autofill feature of password managers. This can lead to the theft of sensitive data, such as passwords, TOTP/2FA codes, and credit card information. The mechanics of this attack unfold as follows:
- The user lands on a web page controlled by the attacker, which presents a seemingly benign clickable element, for example, a cookie consent banner or a pop-up close button.
- Utilizing DOM visibility tricks, the attacker positions an invisible form over the legitimate clickable element by setting
opacity:0
. - Upon clicking, the user’s password manager automatically populates the hidden form with saved credentials, allowing cybercriminals to capture them.
This entire operation occurs silently, often without the user realizing that their information has been compromised. A recent study evaluated 11 leading password managers, suggesting that most with autofill capabilities are susceptible. In response to these findings, several password managers have released updates incorporating a confirmation prompt for autofills, yet many still remain at risk.
However, the majority of these patches function as temporary fixes that fail to address the underlying issue rooted in browsers’ webpage rendering processes. As highlighted by 1Password, “the core problem lies in how browsers render webpages; we believe that a thorough technical resolution cannot solely be provided by browser extensions.”
To mitigate the risks associated with clickjacking attacks, consider the following best practices, in addition to keeping your password manager extension updated.
Deactivate Autofill in Your Password Manager
Since autofill is the primary feature exploited in such attacks, turning off this functionality can significantly enhance your security. Instead of automatically filling fields, you will need to manually fill them by clicking a designated button when required.

To disable autofill, navigate to the settings of your password manager extension and locate the toggle under the Autofill and save section. Disable autofill on focus to avoid automatic entry.
Configure Extensions for On-Click or Site-Specific Access
Most browsers allow you to configure extensions to activate either exclusively on certain websites or only upon manual activation through the extension icon. By setting these parameters, you can effectively guard against unwanted autofill actions across sites meant for generic browsing.
Visit your browser’s Extensions page, then access the details of your password manager. Look for the Site access section, typically set to On all sites by default. Change this to On click or specify certain sites as per your choice. Selecting On click restricts activation to when you click its icon, while On specific sites enables it only on pre-defined websites.

Opt for Desktop or Mobile Apps Over Browser Extensions
Since clickjacking attacks focus primarily on browser extensions, leveraging the native desktop or mobile applications of your password manager can reduce your susceptibility. These applications typically provide straightforward search and copy options to streamline manual entry processes.
When accessing a login page, simply search for your credentials in the password manager app and use the copy feature for ease of entry.
Utilize a Script Blocking Extension
Many clickjacking attacks rely heavily on scripts running on the webpage, making script blockers an effective line of defense. While blocking JavaScript can thwart these attacks, we recommend a broader approach by blocking all scripts on untrusted domains for optimal safety.

NoScript is a robust extension that caters to this need, available for both Chrome and Firefox. It automatically blocks various forms of active scripts, including JavaScript, allowing you to selectively enable scripts on trusted sites.
Bonus Tip: Enhance Account Security
To guard against credential theft, implementing an additional security measure is crucial. Two-Factor Authentication (2FA) is highly recommended; however, rely on a robust 2FA method beyond just SMS verification, which is often compromised. TOTP is a good starting point, but ensure the authenticator app is located on a different device. Additionally, consider utilizing passkeys or hardware security keys for even stronger protection.
To limit potential vulnerabilities, avoid heavily relying on automatic login solutions. Although it may require additional steps, this slight inconvenience significantly boosts your security, particularly if you store extensive sensitive information in your password manager.
Leave a Reply