
Picture this: you’re browsing online and see a pop-up or button that looks harmless—maybe to reject cookies or confirm you’re human. You click it, thinking nothing of it. But that single click could expose your passwords, credit card details, even your two-factor authentication codes—to someone you can’t see. This is the world of modern “clickjacking.”

What Is Clickjacking?

Clickjacking is a deceptive trick where what you think you’re clicking isn’t what you actually are. Imagine a transparent sheet laid over a webpage. You think you’re clicking a ‘Close’ or ‘Accept’ button, but in reality you’re activating something else entirely—such as granting access to your online accounts. It’s a bit like pressing a TV remote button that looks like “Volume Up” but secretly orders a pay-per-view channel.

A New Spin on an Old Tactic

Recently, cybersecurity researcher Marek Tóth revealed a new twist on this attack. Instead of using invisible frames, attackers can now tamper with the small pop-up boxes and buttons created by password manager browser extensions. The attacker hides these elements with page code so that they stay clickable but invisible: essentially digital traps.

This method, dubbed “DOM-based Extension Clickjacking”, targets almost 40 million users through tools like 1Password, LastPass, Bitwarden, and others.
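To make the "clickable but invisible" idea concrete from the defender's side, here is an added example (not code from the article, from Marek Tóth, or from any password manager vendor) of the kind of check an extension could run on its own injected autofill prompt before honouring a click. The threshold, function names and style snapshot shape are assumptions made for this illustration.

```javascript
// Added example: a defensive visibility check for an extension's injected autofill prompt.
// The attack leaves the prompt clickable while hiding it, so a click on a prompt the user
// cannot actually see should not trigger a fill.

// Smallest box, in CSS pixels, that we treat as visible to the user (assumed threshold).
const MIN_VISIBLE_PX = 8;

// Pure decision logic over a snapshot. `chain` holds computed-style values for the prompt
// first, then each ancestor up to <html>; `rect` is the prompt's bounding box; `viewport`
// is {width, height}; `topHit` says whether a hit test at the box centre landed on the prompt.
function assessPromptVisibility(chain, rect, viewport, topHit) {
  const reasons = new Set();
  for (const s of chain) {
    if (parseFloat(s.opacity) < 0.5) reasons.add('low-opacity');        // e.g. opacity:0 on an ancestor
    if (s.visibility === 'hidden' || s.visibility === 'collapse') reasons.add('visibility-hidden');
    if (s.display === 'none') reasons.add('display-none');
    if (s.clipPath && s.clipPath !== 'none') reasons.add('clip-path');  // clipped to a tiny region
  }
  if (rect.width < MIN_VISIBLE_PX || rect.height < MIN_VISIBLE_PX) reasons.add('tiny');
  if (rect.right <= 0 || rect.bottom <= 0 ||
      rect.left >= viewport.width || rect.top >= viewport.height) reasons.add('offscreen');
  if (!topHit) reasons.add('covered');  // another element is drawn over the prompt
  return { safe: reasons.size === 0, reasons: [...reasons] };
}

// Browser-side glue (needs a DOM): builds the snapshot from a live element.
function assessLivePrompt(el) {
  const chain = [];
  for (let node = el; node; node = node.parentElement) {
    const cs = getComputedStyle(node);
    chain.push({ opacity: cs.opacity, visibility: cs.visibility,
                 display: cs.display, clipPath: cs.clipPath });
  }
  const rect = el.getBoundingClientRect();
  const hit = document.elementFromPoint(rect.left + rect.width / 2, rect.top + rect.height / 2);
  return assessPromptVisibility(chain, rect,
    { width: window.innerWidth, height: window.innerHeight }, hit !== null && el.contains(hit));
}

// Constructed sample: a 200x40 prompt at (100,100) whose page-side wrapper has opacity:0,
// which is exactly the clickable-but-invisible case the article describes.
const hiddenPrompt = assessPromptVisibility(
  [{ opacity: '1', visibility: 'visible', display: 'block', clipPath: 'none' },
   { opacity: '0', visibility: 'visible', display: 'block', clipPath: 'none' }],
  { left: 100, top: 100, right: 300, bottom: 140, width: 200, height: 40 },
  { width: 1280, height: 800 }, true);
```

Run the check inside the click handler itself rather than once at render time, because a page script can restyle the prompt at any moment; a failing assessment should mean the fill is simply not performed. The user can still fill from the extension's own toolbar popup, which lives outside the page DOM and so is out of reach of this trick.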

What Could Be Stolen?

The findings were stark:

  • Six out of nine password managers tested could expose your credit card numbers, including the CVV code.
  • Eight out of ten could leak personal details such as name, address, phone number, or date of birth.
  • Ten out of eleven were vulnerable to revealing login details and two-factor authentication (TOTP) codes.
  • In some cases, even passkeys—the newer, password-free login method—were at risk.

All from just one click in the wrong place.

Who’s Safe and Who Isn’t?

Some companies acted quickly. Dashlane, Keeper, NordPass, ProtonPass, and RoboForm have already patched the issue. But others have not. Popular services like 1Password, Bitwarden, LastPass, iCloud Passwords, Enpass, and LogMeOnce remain exposed—leaving an estimated 32.7 million users at risk.

Why Even Trustworthy Websites Aren’t Immune

You might think this only happens on dodgy sites. Not so. Hackers can exploit flaws such as cross-site scripting (XSS) or hijack subdomains to insert malicious code—even on trusted platforms. Since password managers often fill in your details on subdomains, a weakness in just one part of a larger site could become an attacker’s entry point.

What You Can Do

1. Keep Your Password Manager Up to Date

Make sure you’ve got the latest version of your browser extension—especially if you’re using one of the vulnerable services.

2. Disable Autofill or Restrict It

If you can, switch off automatic filling of logins, or set your password manager to only fill in details on the exact website you saved them for. This makes it harder for a hidden trap to trigger the autofill.

3. Watch Out for Pop-Ups and Banners

If you see something odd—like a strange cookie notice or an unfamiliar button—pause before clicking. When in doubt, open your password manager manually rather than relying on the quick prompts on a webpage.

4. Demand Better Security

If your provider hasn’t fixed this issue yet, let them know you expect action. User pressure often speeds up patches, particularly when companies downplay problems as “low risk.”


Final Word

As more of our lives move online, the tools we depend on—like password managers—become attractive targets. This latest discovery shows attackers are constantly adapting, finding clever new ways to bypass our defences.

The good news? Awareness, careful habits, and keeping your software updated can go a long way towards protecting you.

Staying safe online isn’t just about having strong passwords anymore—it’s about being aware of what’s happening beneath the surface. Keep alert, keep updated, and keep secure.