
Your Password Manager Just Became Your Biggest Security Risk: One Click Could Steal Everything

  • rigoberto34
  • 21 hours ago
  • 4 min read

Marek Tóth, a security researcher, just disclosed information that should terrify every password manager user. He's discovered a new attack technique that can steal your stored passwords, credit card details, 2FA codes, and personal information with nothing more than a single click on a malicious website.


The worst part is that six of the most popular password managers, used by over 40 million people, are still vulnerable, and some companies are even refusing to fix the problem.



One-Click: How It Works

This isn't a typical phishing scam. This is something far more sophisticated called "DOM-based extension clickjacking", a technique that exploits the convenience features that make password managers so appealing.


The terrifying reality: A single click anywhere on an attacker-controlled website could allow criminals to steal your data: credit card details, personal information, login credentials, including your two-factor authentication codes.


Here's how a typical attack would go:


  1. Fake Website: You visit what appears to be a legitimate site with an intrusive pop-up. Example: a cookie consent banner or a "You've won a prize!" notification


  2. Invisible Trap: Behind that visible pop-up, the attacker has embedded an invisible login form (opacity set to zero)


  3. Fatal Click: When you click to close the annoying pop-up, you're clicking on the hidden form


  4. Auto-Fill Theft: Your password manager detects the hidden form and automatically fills in your credentials, which are immediately sent to the attacker's server
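The four steps above turn on one condition: the password manager fills a field that the user cannot see. As an added example (not code from the article, from Tóth's research, or from any password manager), the following check refuses autofill unless the target field is actually rendered visible and is the element the click really landed on. To keep it runnable without a browser, each element is a plain object carrying the computed style values an extension would read from getComputedStyle() and getBoundingClientRect(); the element model and the 0.1 opacity threshold are assumptions of this example.

```javascript
// Added example: a defender-side visibility gate for autofill.
// Elements are modelled as plain objects (assumption of this example) so the
// logic runs in Node; a real extension would feed the same fields from the DOM.

// Minimal element model: the CSS properties an invisible-form trick manipulates,
// plus a link to the parent so ancestor styles can be inherited.
function makeElement(style, parent = null) {
  return {
    opacity: style.opacity ?? "1",
    visibility: style.visibility ?? "visible",
    display: style.display ?? "block",
    width: style.width ?? 100,
    height: style.height ?? 20,
    clipPath: style.clipPath ?? "none",
    parent,
  };
}

// Walk from the field up to the root. A hidden ancestor hides the field too,
// which is exactly how wrapping a form in an opacity:0 container works.
function isRenderedVisible(el) {
  for (let node = el; node !== null; node = node.parent) {
    if (parseFloat(node.opacity) < 0.1) return false; // opacity 0 (or near 0)
    if (node.visibility === "hidden") return false;
    if (node.display === "none") return false;
    if (node.clipPath !== "none") return false; // clipped away is a common variant
  }
  // A zero-sized box is never something the user meant to interact with.
  return el.width > 0 && el.height > 0;
}

// Autofill is allowed only when the field is visible AND the element the user
// actually hit (what elementFromPoint() would report) is that same field, so a
// click on an overlay in front of the field never triggers a fill.
function allowAutofill(field, hitTarget) {
  return isRenderedVisible(field) && hitTarget === field;
}

// Stand-alone demo of step 2: a login form wrapped in an opacity:0 container
// sitting under a visible "cookie banner". Both paths must be refused.
function demo() {
  const page = makeElement({});
  const hiddenWrapper = makeElement({ opacity: "0" }, page);
  const hiddenPassword = makeElement({}, hiddenWrapper);
  const cookieBanner = makeElement({}, page);
  return {
    hiddenFieldFillable: allowAutofill(hiddenPassword, hiddenPassword), // false
    bannerClickFillsField: allowAutofill(hiddenPassword, cookieBanner), // false
  };
}

console.log(demo());
```

The important design choice is the ancestor walk: checking only the input's own style is not enough, because opacity, visibility and clipping on any parent hide the field just as effectively.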


Why You Can't See It Coming

What makes this attack so dangerous is that it's completely invisible to users. You think you're clicking on a harmless cookie banner or "close" button, but you're clicking on your password manager's hidden auto-fill controls.


The attack is smart enough to detect which password manager you're using and automatically adjust its approach. To you, everything looks normal; you're just browsing a website and dismissing an annoying pop-up. Behind the scenes, your most sensitive data is being stolen.


The attack gets even more dangerous when combined with Cross-Site Scripting (XSS) vulnerabilities or subdomain takeovers. All tested password managers filled credentials not only to the main domain, but also to all subdomains. This means that if an attacker finds a vulnerability on any subdomain of a legitimate site you use, they can steal your login credentials for the main site.
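The subdomain behaviour described above is a matching-policy question, so here is an added example (not the article's or any password manager's code) that puts the permissive rule beside a strict exact-origin rule and shows which vault entries each one would offer on a given page. The vault entries and hostnames are constructed sample data, and the policy names are this example's own.

```javascript
// Added example: subdomain-wide matching versus exact-origin matching.
// Vault contents and hostnames below are constructed placeholders.

// Split an origin into scheme and lower-cased host with Node's built-in
// WHATWG URL parser (no external dependency).
function originParts(origin) {
  const u = new URL(origin);
  return { scheme: u.protocol.replace(":", ""), host: u.hostname.toLowerCase() };
}

// Permissive rule: the page host equals the saved host or is any subdomain
// of it. This is the behaviour the research reports for all tested managers,
// and it is what lets a compromised subdomain (XSS, takeover) receive
// credentials saved for the main site.
function matchesSubdomainPolicy(savedOrigin, pageOrigin) {
  const saved = originParts(savedOrigin);
  const page = originParts(pageOrigin);
  // The leading "." prevents "evilexample.com" from matching "example.com".
  return page.host === saved.host || page.host.endsWith("." + saved.host);
}

// Strict rule: same scheme and exactly the same host. A subdomain gets nothing
// unless the user saved a separate entry for it.
function matchesExactOriginPolicy(savedOrigin, pageOrigin) {
  const saved = originParts(savedOrigin);
  const page = originParts(pageOrigin);
  return saved.scheme === page.scheme && saved.host === page.host;
}

// Usernames a manager would offer on pageOrigin under the given policy.
function candidateEntries(vault, pageOrigin, policy) {
  return vault.filter((e) => policy(e.origin, pageOrigin)).map((e) => e.username);
}

// Constructed sample vault.
const sampleVault = [
  { origin: "https://example.com", username: "alice@example.com" },
  { origin: "https://mail.example.com", username: "alice-mail" },
  { origin: "https://other.test", username: "bob" },
];

// Stand-alone demo: a page on an arbitrary subdomain that has no entry of its own.
const page = "https://legacy.example.com";
console.log("subdomain policy:", candidateEntries(sampleVault, page, matchesSubdomainPolicy));
console.log("exact-origin policy:", candidateEntries(sampleVault, page, matchesExactOriginPolicy));
```

The trade-off is real: exact-origin matching stops a stray subdomain from receiving main-site credentials, but it also breaks the convenience of one entry working across a site's login, mail and account subdomains, which is why this is better exposed as a per-entry setting than as a silent default in either direction.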


Who's Vulnerable: The Hall of Shame

The affected password managers include some of the biggest names in the industry:


Still Vulnerable (40+ million users):

  • 1Password (8.11.4.27) - Rejected the report as "out-of-scope/informative"
  • LastPass (4.146.3) - Marked the report as merely "informative"
  • Apple iCloud Passwords (3.1.25)
  • Enpass (6.11.6)
  • LogMeOnce (7.12.4) - Never responded to researchers


Recently Fixed:

  • Bitwarden (fixed in version 2025.8.0)


Already Protected:

  • NordPass, Dashlane, Keeper, RoboForm, and Proton Pass have implemented protections


Response: Denial and Deflection

After responsible disclosure in April 2025, some companies are more interested in protecting their reputation than protecting their users.


1Password and LastPass have argued that defending against clickjacking is "outside their control," placing responsibility on users to avoid malicious websites. This response is particularly troubling because, as Tóth's research emphasizes, attackers can exploit even trusted domains if XSS or subdomain takeover vulnerabilities are present.


The Real-World Impact

In December 2023, Tóth demonstrated this attack against NordPass using a fake Cloudflare CAPTCHA page. With just 4 clicks, an attacker could trick users into unknowingly sharing their entire password vault with the attacker's account, gaining access to all stored passwords, credit cards, and personal data.


The research showed that:

  • 10 out of 11 password managers were vulnerable to credential theft, including TOTP codes
  • 8 out of 11 could have their passkey authentication exploited
  • 6 out of 9 were vulnerable to credit card detail extraction


What You Can Do Right Now

Until fixes are available across all password managers, security experts recommend:


  • Disable Auto-Fill: Turn off the auto-fill function and only use copy/paste for entering credentials
  • Chrome Users: Configure site access to "on click" in extension settings for manual control
  • Update Immediately: If you use Bitwarden, update to version 2025.8.0 or later
  • Lock Your Vault: Keep your password manager locked while browsing unfamiliar websites


The Bottom Line

The irony is devastating: the tool you trust most to keep your digital life secure could be the very thing that exposes all your secrets to criminals. Unlike traditional data breaches, where you're a passive victim, these attacks require you to unknowingly participate in your own compromise.


The fact that major companies like 1Password and LastPass are dismissing these vulnerabilities as "informative" rather than addressing them urgently should concern every user. When a security researcher can demonstrate stealing credit card details with a single click, that's not an "informational" issue; it is a critical vulnerability.


If you're using any of the still-vulnerable password managers, your safest bet right now is to disable auto-fill entirely and manually copy-paste your credentials. Your password manager was supposed to be your digital bodyguard; instead, it might just be holding the door open for thieves.

© Ghost Systems, Inc. All Rights Reserved.