Researcher Exposes 0-Day Clickjacking Vulnerabilities in Major Password Managers

https://socket.dev/blog/password-manager-clickjacking
13•gpi•5mo ago

Comments

autoexec•5mo ago
KeePass wins again. Keep your passwords out of the cloud and out of your browser.
tzs•5mo ago
This is completely orthogonal to the cloud.

Also, do you mean the original KeePass or KeePassXC? If the latter, its browser extension is vulnerable to this.

kcrwfrd_•5mo ago
Interesting

When they say iCloud Passwords, do they mean

* iCloud Passwords extension in Chrome?
* Safari?
* iOS Safari?

iOS Safari in particular seems to use native OS UI separate from the web page for password form autocompletion; I would think it wouldn’t be susceptible?

And what about Google Chrome’s built-in PW manager?

rplnt•5mo ago
> I want to mention that iCloud Passwords was tested only as a browser extension (Google Chrome, Firefox, etc.) and not as a system application with Safari integration.
cpach•5mo ago
Interesting research. I haven’t read the report super-carefully but I’m not sure I would say this vulnerability is very easy to exploit.

Answer from 1Password can be found here: https://support.1password.com/kb/202508/