VU#516608: Multiple Password Managers Vulnerable to Clickjacking Attacks
Browser-extension password managers are vulnerable to clickjacking attacks that exploit the trust between web pages and extension elements. Novel DOM-based clickjacking methods can bypass traditional defenses by manipulating injected user interface elements. Attackers can make these elements invisible, tricking users into interacting with password manager functions. This allows for the unintentional autofilling of credentials, leading to account compromise. The tension between usability and security is highlighted as password managers inject editable elements. Mitigation requires a collaborative effort from web developers, password manager vendors, and users. Users should install vendor updates promptly to address these evolving threats. Disabling or limiting autofill functionality can reduce exposure to clickjacking. It is important to understand that even trusted websites can be compromised, making vigilance crucial.