Password Managers Under Attack: The Rise of Clickjacking Exploits and How to Defend Against Them

Content Written For:
Small & Medium Businesses
Large Organisations & Infrastructure
Government
Password managers are often seen as one of the most effective defences against account takeover. They generate strong, unique passwords, store them securely, and autofill only on legitimate sites. For enterprises, they centralise identity hygiene, enforce policies, and integrate with multi-factor authentication (MFA).
Yet recent research has shown that these tools can themselves become targets. A clickjacking technique against browser extensions has been demonstrated to bypass protections in leading password managers, including Bitwarden, 1Password, and LastPass. This attack highlights a broader truth: password managers are indispensable, but they are not invulnerable.
How the Clickjacking Attack Works
The exploit leverages DOM-based clickjacking. Attackers create invisible overlays or hidden iframes that trick users into clicking on disguised buttons. Instead of approving a benign action, the user may unknowingly authorise a vault unlock, credential autofill, or sensitive data exposure.
Crucially, this attack does not break the encryption of the vault. It manipulates user interaction, exploiting trust in the extension’s interface. The risk is amplified in phishing or drive-by attack scenarios, where malicious websites are designed to trigger the autofill prompt.
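How such an overlay can be caught before it matters, as an added example that is not code from this article or from any password-manager vendor: a defender-side pre-autofill check of the kind a browser extension could run in its content script. It assumes the extension holds a reference to the target input and to the page's document and window; here the DOM is replaced by a constructed stand-in (the makeEl and makeDoc helpers and the three scenario functions are illustration only, not browser APIs) so the logic runs under Node.

```javascript
// Added example, not from the article or any password-manager vendor.
// Defensive check an extension could run before autofilling: refuse when the
// field is not the element actually under its own centre (something is layered
// on top of it) or when the field or an ancestor is not visibly rendered.
// `doc` and `win` are injected so the logic runs against the constructed
// stand-in below; in a browser, pass `document` and `window`.

function isInvisible(style) {
  return parseFloat(style.opacity) === 0 ||
    style.visibility === 'hidden' ||
    style.display === 'none';
}

function autofillDecision(input, doc, win) {
  // A hidden ancestor hides the field too, so walk the whole chain.
  for (let el = input; el; el = el.parentElement) {
    if (isInvisible(win.getComputedStyle(el))) {
      return { allow: false, reason: 'field or ancestor not visibly rendered' };
    }
  }
  const r = input.getBoundingClientRect();
  if (r.width === 0 || r.height === 0) {
    return { allow: false, reason: 'field has zero size' };
  }
  // Hit-test the field's centre: the topmost element there must be the field itself.
  const top = doc.elementFromPoint(r.left + r.width / 2, r.top + r.height / 2);
  if (top !== input) {
    return { allow: false, reason: 'another element is layered over the field' };
  }
  return { allow: true, reason: 'ok' };
}

// ---- Constructed stand-in for the DOM (illustration only, not a browser) ----

function makeEl(name, style, rect, parent) {
  return { name, style, rect, parentElement: parent,
           getBoundingClientRect: () => rect };
}

function pointIn(rect, x, y) {
  return x >= rect.left && x <= rect.left + rect.width &&
         y >= rect.top && y <= rect.top + rect.height;
}

// `stack` lists elements bottom-to-top in paint order. Mirrors browser hit-testing:
// opacity:0 elements still receive clicks; visibility:hidden, display:none and
// pointer-events:none elements do not.
function makeDoc(stack) {
  return {
    elementFromPoint(x, y) {
      for (let i = stack.length - 1; i >= 0; i--) {
        const el = stack[i];
        const s = el.style;
        if (s.visibility === 'hidden' || s.display === 'none' ||
            s.pointerEvents === 'none') continue;
        if (pointIn(el.rect, x, y)) return el;
      }
      return null;
    },
  };
}

const win = { getComputedStyle: (el) => el.style };
const shown = { opacity: '1', visibility: 'visible', display: 'block' };
const transparent = { opacity: '0', visibility: 'visible', display: 'block' };
const pageRect = { left: 0, top: 0, width: 800, height: 600 };
const fieldRect = { left: 100, top: 100, width: 200, height: 30 };
const body = makeEl('body', shown, pageRect, null);

// Scenario 1: an ordinary login form, nothing layered over the field.
function cleanPageDecision() {
  const input = makeEl('input', shown, fieldRect, body);
  return autofillDecision(input, makeDoc([body, input]), win);
}

// Scenario 2: the pattern the article describes, a transparent full-page
// element painted over the field so a click reaches it rather than the form.
function overlayDecision() {
  const input = makeEl('input', shown, fieldRect, body);
  const overlay = makeEl('div', transparent, pageRect, body);
  return autofillDecision(input, makeDoc([body, input, overlay]), win);
}

// Scenario 3: the field itself sits inside a container rendered at opacity 0.
function hiddenAncestorDecision() {
  const wrapper = makeEl('div', transparent, pageRect, body);
  const input = makeEl('input', shown, fieldRect, wrapper);
  return autofillDecision(input, makeDoc([body, wrapper, input]), win);
}

for (const f of [cleanPageDecision, overlayDecision, hiddenAncestorDecision]) {
  console.log(f.name, JSON.stringify(f()));
}
```

The hit-test is the part that matters: it asks the renderer which element a click at the field's own position would actually reach, which is precisely what an overlay changes. This is defence in depth, not a substitute for the manual-approval autofill setting recommended further down; a field that passes every check can still belong to a phishing page.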
Why This Matters
- Silent credential theft: Attackers can capture login details, 2FA codes, or stored card data without alerting the user.
- Broad attack surface: Almost all major password managers with browser autofill functionality are potentially susceptible.
- Exploitation path for phishing: Combines with traditional phishing to bypass what many users assume is a “safety net.”
For organisations, the concern is clear: the same tool that enforces credential hygiene can, if misused, become a conduit for compromise.
Practical Defences Against Clickjacking
To secure the benefits of password managers while mitigating this emerging risk, CyberPulse recommends:
1. Disable automatic autofill
- Configure managers so credentials are only filled after manual approval. This removes the ability for hidden elements to trigger autofill silently.
2. Enforce MFA on the vault
- Require phishing-resistant MFA (FIDO2 keys, authenticator apps) for unlocking the vault. This reduces the risk of attackers exploiting a single compromised click.
3. Restrict extension permissions
- Limit which sites and applications are permitted to interact with the password manager. Avoid “allow everywhere” settings.
4. Use trusted, managed devices
- Do not unlock or use password managers on shared or unmanaged endpoints. Pair vault access with device compliance checks.
5. Educate employees on overlay risks
- Awareness training should highlight suspicious behaviours such as phantom prompts or unexpected autofill requests.
6. Validate through adversarial testing
- Incorporate password manager abuse scenarios into penetration testing, red/purple team exercises, and continuous security validation.
CyberPulse Perspective
Password managers remain a foundational security control. They significantly reduce risk compared to weak or reused passwords. However, the recent wave of clickjacking proof-of-concepts demonstrates why no single technology is a panacea. The most effective strategy is layered: MFA, endpoint security, user education, and continuous validation.
At CyberPulse, we help clients strengthen identity and access management through a holistic approach. From vCISO advisory to managed detection and response (MDR), penetration testing, and security validation services, we ensure tools like password managers are deployed securely, monitored continuously, and integrated into a broader zero-trust strategy.
About CyberPulse
CyberPulse is a security-first compliance partner helping organisations reduce cyber risk, build resilience and achieve certification with confidence. Founded by former CISOs and security leaders, we align technical depth with real-world context to deliver measurable outcomes across advisory, managed services, compliance and threat defence.
Let’s Talk
Follow us on LinkedIn for practical insights, or contact us to speak with a CyberPulse expert.
