Password Managers Under Attack: The Rise of Clickjacking Exploits and How to Defend Against Them

Blog

First Published: August 28, 2025

Content Written For: Small & Medium Businesses, Large Organisations & Infrastructure, Government


Password managers are often seen as one of the most effective defences against account takeover. They generate strong, unique passwords, store them securely, and autofill only on legitimate sites. For enterprises, they centralise identity hygiene, enforce policies, and integrate with multi-factor authentication (MFA).

Yet recent research has shown that these tools can themselves become targets. A clickjacking technique against browser extensions has been demonstrated to bypass protections in leading password managers, including Bitwarden, 1Password, and LastPass. This attack highlights a broader truth: password managers are indispensable, but they are not invulnerable.


How the Clickjacking Attack Works

The exploit leverages DOM-based clickjacking. Attackers create invisible overlays or hidden iframes that trick users into clicking on disguised buttons. Instead of approving a benign action, the user may unknowingly authorise a vault unlock, credential autofill, or sensitive data exposure.

Crucially, this attack does not break the encryption of the vault. It manipulates user interaction, exploiting trust in the extension’s interface. The risk is amplified in phishing or drive-by attack scenarios, where malicious websites are designed to trigger the autofill prompt.
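As an added example (not from the original article, nor from any password manager vendor), the JavaScript below models the check an extension's autofill prompt could run before honouring a click: is the prompt really the element the user saw at that point? It works over a constructed set of element boxes rather than a live DOM, and it flags both a prompt forced invisible in front of a decoy (the overlay case described above) and, as a generalisation, an opaque decoy painted over the prompt that lets clicks pass through.

```javascript
// Added example, not the article's or any vendor's code: a simplified model of
// the "did the user really see what they clicked?" check an extension can run
// on its injected autofill prompt before filling. Elements are plain objects
// constructed here, not a real DOM (a browser would use getBoundingClientRect,
// getComputedStyle and document.elementFromPoint); `z` is final paint order.
const el = (id, parent, x, y, w, h, z, opacity = 1, pointerEvents = "auto") =>
  ({ id, parent, rect: { x, y, w, h }, z, opacity, pointerEvents });
const inRect = (r, x, y) => x >= r.x && x < r.x + r.w && y >= r.y && y < r.y + r.h;

// Effective opacity multiplies along the ancestor chain: a wrapper styled to
// opacity 0.02 hides the prompt from the user while it still receives clicks.
function effectiveOpacity(e, byId) {
  let o = 1;
  for (let cur = e; cur; cur = cur.parent ? byId.get(cur.parent) : null) o *= cur.opacity;
  return o;
}

// Highest-z element at (x, y) that satisfies `keep`, or null if none.
function topmost(elements, x, y, keep) {
  return elements
    .filter((e) => inRect(e.rect, x, y) && keep(e))
    .reduce((top, e) => (top === null || e.z > top.z ? e : top), null);
}

// Returns { allow, reasons }; a caller would refuse to fill and log the reasons.
function assessClick(elements, targetId, x, y, minOpacity = 0.9) {
  const byId = new Map(elements.map((e) => [e.id, e]));
  if (!byId.has(targetId)) return { allow: false, reasons: ["target not in scene"] };
  const reasons = [];
  // 1. What receives the click (pointer-events:none lets clicks pass through).
  const hit = topmost(elements, x, y, (e) => e.pointerEvents !== "none");
  if (!hit || hit.id !== targetId) reasons.push(`click lands on ${hit ? hit.id : "nothing"}`);
  // 2. What the user sees: highest painted non-transparent element, any pointer-events.
  const seen = topmost(elements, x, y, (e) => effectiveOpacity(e, byId) >= minOpacity);
  if (!seen || seen.id !== targetId) reasons.push(`user sees ${seen ? seen.id : "nothing"}`);
  // 3. The prompt itself must have been opaque enough to read.
  const op = effectiveOpacity(byId.get(targetId), byId);
  if (op < minOpacity) reasons.push(`prompt opacity ${op.toFixed(2)} < ${minOpacity}`);
  return { allow: reasons.length === 0, reasons };
}
// Constructed scenes: a 200x40 "Fill" prompt (pm-fill) inside its wrapper (pm-root).
const page = el("page", null, 0, 0, 1280, 800, 0);
const fill = el("pm-fill", "pm-root", 100, 100, 200, 40, 10);
const honest = [page, el("pm-root", null, 100, 100, 200, 40, 9), fill]; // (a) legitimate
// (b) wrapper forced to opacity 0.02 with an "Accept cookies" decoy painted beneath it.
const invisible = [page, el("decoy", null, 100, 100, 200, 40, 5), el("pm-root", null, 100, 100, 200, 40, 9, 0.02), fill];
// (c) opaque decoy over the prompt with pointer-events:none, so clicks pass through to it.
const passthrough = [page, el("pm-root", null, 100, 100, 200, 40, 9), fill, el("decoy", null, 100, 100, 200, 40, 20, 1, "none")];
console.log(assessClick(honest, "pm-fill", 150, 120), assessClick(invisible, "pm-fill", 150, 120));
```

A real implementation would run this at click time inside the extension, and treat a failed check as a detection event to report rather than silently ignore.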


Why This Matters

  • Silent credential theft: Attackers can capture login details, 2FA codes, or stored card data without alerting the user.
  • Broad attack surface: Almost all major password managers with browser autofill functionality are potentially susceptible.
  • Exploitation path for phishing: Combines with traditional phishing to bypass what many users assume is a “safety net.”

For organisations, the concern is clear: the same tool that enforces credential hygiene can, if misused, become a conduit for compromise.


Practical Defences Against Clickjacking

To secure the benefits of password managers while mitigating this emerging risk, CyberPulse recommends:

1. Disable automatic autofill

  • Configure managers so credentials are only filled after manual approval. This removes the ability for hidden elements to trigger autofill silently.

2. Enforce MFA on the vault

  • Require phishing-resistant MFA (FIDO2 keys, authenticator apps) for unlocking the vault. This reduces the risk of attackers exploiting a single compromised click.

3. Restrict extension permissions

  • Limit which sites and applications are permitted to interact with the password manager. Avoid “allow everywhere” settings.

4. Use trusted, managed devices

  • Do not unlock or use password managers on shared or unmanaged endpoints. Pair vault access with device compliance checks.

5. Educate employees on overlay risks

  • Awareness training should highlight suspicious behaviours such as phantom prompts or unexpected autofill requests.

6. Validate through adversarial testing

  • Incorporate password manager abuse scenarios into penetration testing, red/purple team exercises, and continuous security validation.

CyberPulse Perspective

Password managers remain a foundational security control. They significantly reduce risk compared to weak or reused passwords. However, the recent wave of clickjacking proof-of-concepts demonstrates why no single technology is a panacea. The most effective strategy is layered: MFA, endpoint security, user education, and continuous validation.

At CyberPulse, we help clients strengthen identity and access management through a holistic approach. From vCISO advisory to managed detection and response (MDR), penetration testing, and security validation services, we ensure tools like password managers are deployed securely, monitored continuously, and integrated into a broader zero-trust strategy.

Get in touch if you’d like to learn more!