IT and security experts have long recommended using password managers to keep your login data safe and in one place. They’re generally considered reliable and secure, but a common vulnerability has now been discovered in 11 providers that hackers can exploit. (See our own recommendations for the most trustworthy password managers.)
This vulnerability was discovered by security researchers from The Hacker News. The following password managers have affected browser extensions that are based on DOM (Document Object Model):
- 1Password
- Bitwarden
- Dashlane
- Enpass
- iCloud Passwords
- Keeper
- LastPass
- LogMeOnce
- NordPass
- ProtonPass
- RoboForm
This list includes some of the best-known and most widely used password managers, affecting an estimated 40 million users worldwide. Extreme caution is therefore advised. The security flaw hasn’t yet been patched by most of these providers, so data theft can still occur as of this writing.
How hackers get your passwords
The vulnerability in question is known as clickjacking. Attackers can lure unsuspecting users to fake websites that imitate real websites and look deceptively real, except the fakes ones contain invisible elements.
In some cases, users can inadvertently switch on their password manager with a single false click, which then tries to enter access data automatically. Hackers monitor these attempted entries and interfere, gaining access to the password manager and taking over saved passwords. The attack usually goes unnoticed as users simply close the affected page and receive no warning that someone has gained access to their password manager.
So why do these password managers now run the risk of becoming a gateway for attacks using this method? It’s due to the DOM, which contains a vulnerability that allows for this kind of attack.
Incidentally, not only passwords but also other types of sensitive data can be intercepted in this way, including stored credit card details, names, addresses, telephone numbers, and more, which could then be used for phishing attacks.
Although the vulnerability was reported to affected providers back in April 2025, just under half of them have responded to the warning. Bitwarden has provided a new version of its plugin that addresses the problem.
How to protect yourself
There’s no one-size-fits-all solution to protect yourself from clickjacking. As always, it’s important that you never click on unknown or unexpected links, even if they lead to supposedly legitimate websites. It’s always safest to manually open up a new tab in your browser and directly navigate to the site, or use your own trusted bookmarks for quick access.
If you use a Chromium-based browser (which is most browsers these days) and a password manager, it’s recommended that you switch your password manager’s auto-fill settings to “on-click.” This is an important step that helps prevent passwords from being entered or completed automatically without you first confirming intent.
Alternatively, you might want to deactivate the automatic completion of email addresses (and other data) in the browser settings under the “Autofill and passwords” section.
This article originally appeared on our sister publication PC-WELT and was translated and localized from German.
