Home > Lifestyle > Internet

Top Password Managers at Risk of DOM-Clickjacking Attack – How to Protect Yourself

By Karrar Haider
A man with a laptop on table tapping on a login screen hologram

Password managers are supposed to protect passwords and sensitive information, but they can sometimes be manipulated to reveal data to attackers. A recently reported DOM-based clickjacking technique can trick some password managers into autofilling credentials into fake forms. Here’s how the attack works and what you can do to protect yourself.

How Password Managers are Vulnerable

A Document Object Model (DOM) exploit allowed the creation of a clickjacking variant that can allow malicious actors to stealthily trigger password managers’ autofill feature to steal sensitive information, including passwords, TOTP/2FA codes, credit-card data, etc. Here’s how the attack works:

  1. The victim visits an attack-controlled page that shows a normal clickable element, like a cookie consent banner or a “close” button on a pop-up.
  2. The malicious page secretly places an invisible form at the location of the clickable object by exploiting DOM visibility (setting opacity:0).
  3. When a user clicks, their installed password manager extension automatically fills in the details the form requests, which hackers can steal.

All of this happens stealthily, and the user never finds out their credentials got stolen. The original report tested 11 of the top password managers, but it’s safe to assume it applies to most password managers that have an autofill function. After the report, several password managers issued patches to add a confirmation prompt for autofills, but some are still vulnerable.

Even then, most password manager patches are simply band-aid fixes, because it doesn’t fix the fundamental problem due to the way browsers render webpages. As 1Password pointed out, “the underlying issue lies in the way browsers render webpages, we believe there’s no comprehensive technical fix that browser extensions can deliver on their own.“.

Apart from updating your password manager extension to the latest version, follow the measures below to protect yourself from these clickjacking attacks.

Disable Autofill in Your Password Manager Extension

Autofill is the main function that this attack exploits. By default, password managers will automatically fill fields when you click on them. You can turn this behavior off to prevent exploitation. Afterward, you’ll have to click a specific button when the field is in focus to manually fill it.

Disabling autofill in 1Password

All you have to do is go to the password manager extension’s settings and disable the autofill function. The toggle should be under the Autofill and save (or similar) section that disables autofill on focus.

Set Extensions to On Click or On Specific Sites

Browsers have an option to force an extension to only activate on a specific website or when the extension icon is clicked. You can use these options to keep the password manager disabled on all websites it isn’t supposed to fill the password field on. This will require some setup or extra clicks, but it will ensure no attack can exploit your password manager.

Open your browser’s Extensions page and open the details page of your password manager. Here, you’ll find the Site access section with On all sites selected by default. You should select On click or On specific sites here, depending on your preference. With On click, the password manager will only activate when you click its toolbar icon, and with the On specific sites option, it will only work on selected websites and stay disabled on others.

Enabling On Click in Browser site permissions

Prefer Using Desktop/Mobile App Instead of Extension

These clickjacking attacks are limited to the password manager extension that autofills the information or populates when commanded. If you want to minimize risks and still want to use a password manager, then use the associated desktop/mobile app instead.

Most password manager apps will provide an easy search and copy function to make the manual entry process easier. When you are on a login page, just search and click the copy button next to its entry in the password manager app to use it.

Use a Script Blocker Extension

Most such attacks heavily depend on on-page scripts to function, which is why script blocking is considered one of the best ways to stay safe online. Simply blocking JavaScript is effective for this attack, but we recommend blocking all scripts on untrusted domains for the best protection.

NoScript extenion on maketecheasier.com

NoScript is a great extension for this purpose, which is available for both Chrome and Firefox. By default, it will block all types of active scripts, including JavaScript, embedded objects, media, etc. You can then only enable scripts on websites you trust.

Bonus: Properly Secure Accounts

The best protection against any credential-stealing attack is to use a secondary protection method that can’t be stolen easily. 2FA is your best bet, but you need a reliable 2FA method; SMS verification isn’t enough. TOTP is a good start, but make sure you have the authenticator app on a separate device. Furthermore, a passkey is better than regular 2FA, especially if you use a dedicated hardware security key.

To minimize the attack surface, try to avoid depending on automatic login solutions. It might be slightly inconvenient to do an extra click or two, but it’s worth the security. This is especially important if you are using password managers to store all sensitive information.

Subscribe to our newsletter!

Our latest tutorials delivered straight to your inbox

Karrar Haider Avatar
Karrar Haider
Karrar is always exploring new tech opportunities and finding ways to improve consumer tech. He has a habit of calling technology “Killer”, and is unapologetically dedicated to his PC. When he is not writing about technology, you’ll find him grinding for the best gear in his favorite MMO.

Read next

Intricate network of tree roots and moss on a forest hillside, showcasing nature's resilience.
Suzanne Simard sealed paper birch and Douglas fir seedlings inside plastic bags, fed them carbon-14 and carbon-13 dioxide, and nine days later found carbon had crossed between species through fungal threads in the British Columbia soil beneath her boots
Close-up of glowing jellyfish swimming gracefully in deep green ocean waters.
A species of jellyfish called Turritopsis dohrnii can revert its adult cells back to a juvenile polyp stage when injured or starving, effectively restarting its life cycle, and biologists have so far failed to identify any natural limit to how many times it can do this.
Elderly man with beard and bandana, reacting to smartphone while seated indoors.
A Japanese man named Jiroemon Kimura, who lived to 116, was born in 1897 when Queen Victoria still ruled and died in 2013, meaning a single human life personally overlapped with the invention of the airplane, the atomic bomb, the internet, and Instagram
A lively view of Hollywood Boulevard with iconic landmarks and busy street life under a clear sky.
The Hollywood sign originally read HOLLYWOODLAND when it was built in 1923 as a real estate advertisement for a housing development, and it was only meant to stand for 18 months, but nobody ever got around to taking it down and the city eventually adopted it as a landmark
Almost all of the world’s internet traffic does not travel by satellite but through fibre-optic cables lying on the ocean floor, a hidden web of wires crossing the deepest parts of the sea to connect the continents.
People who flip their phone face down on every table aren’t being secretive. They figured out that staying interruptible meant handing their time to whoever rang first
Twitch Vs Youtube Gaming Vs Facebook Gaming Featured
Twitch vs. Facebook Gaming vs. YouTube Gaming: What’s the Best Live Game Streaming Platform?
Laptop on a table with Chrome extensions page and a solid infect extension icon on display
Chrome Extensions Ownership Transfer is a Direct Threat to You: How to Stay Safe