Bitwarden

Bitwarden, a widely used password manager with millions of users, was found vulnerable to unpatched clickjacking flaws that allow attackers to steal account credentials, 2FA codes, and credit card details via malicious websites or XSS-compromised pages. The exploit manipulates UI opacity and overlays to trick users into triggering autofill actions, leaking sensitive data without their knowledge. While Bitwarden acknowledged the issue, they initially downplayed its severity before releasing a partial fix in version 2025.8.0. However, earlier versions (e.g., 2025.7.0) remained exposed, putting users at risk of credential theft, financial fraud, and identity compromise. The flaw was publicly disclosed at DEF CON 33, increasing the likelihood of exploitation by threat actors. Users were advised to disable autofill or update immediately to mitigate risks, though residual vulnerabilities may persist in certain attack scenarios.

Source: https://www.bleepingcomputer.com/news/security/major-password-managers-can-leak-logins-in-clickjacking-attacks/

TPRM report: https://www.rankiteo.com/company/bitwarden1

"id": "bit539083025",
"linkid": "bitwarden1",
"type": "Vulnerability",
"date": "5/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Unknown (Part of ~40M Total)',
                        'industry': 'Cybersecurity',
                        'location': 'Global',
                        'name': '1Password',
                        'size': 'Millions of Users',
                        'type': 'Password Manager'},
                       {'customers_affected': 'Unknown (Part of ~40M Total)',
                        'industry': 'Cybersecurity',
                        'location': 'Global',
                        'name': 'Bitwarden',
                        'size': 'Millions of Users',
                        'type': 'Password Manager'},
                       {'customers_affected': 'Unknown (Part of ~40M Total)',
                        'industry': 'Cybersecurity',
                        'location': 'Global',
                        'name': 'Enpass',
                        'size': 'Millions of Users',
                        'type': 'Password Manager'},
                       {'customers_affected': 'Unknown (Part of ~40M Total)',
                        'industry': 'Technology',
                        'location': 'Global',
                        'name': 'Apple (iCloud Passwords)',
                        'size': 'Millions of Users',
                        'type': 'Password Manager'},
                       {'customers_affected': 'Unknown (Part of ~40M Total)',
                        'industry': 'Cybersecurity',
                        'location': 'Global',
                        'name': 'LastPass (GoTo)',
                        'size': 'Millions of Users',
                        'type': 'Password Manager'},
                       {'customers_affected': 'Unknown (Part of ~40M Total)',
                        'industry': 'Cybersecurity',
                        'location': 'Global',
                        'name': 'LogMeOnce',
                        'size': 'Millions of Users',
                        'type': 'Password Manager'}],
 'attack_vector': ['Malicious Website',
                   'Cross-Site Scripting (XSS)',
                   'Cache Poisoning',
                   'DOM-Based Manipulation (Opacity/Overlay/Pointer-Event '
                   'Tricks)',
                   'UI Cursor-Following Technique'],
 'customer_advisories': ['Disable autofill functionality.',
                         'Update password manager extensions immediately.',
                         'Beware of phishing/suspicious websites exploiting '
                         'this vulnerability.'],
 'data_breach': {'data_exfiltration': 'Potential (Via Autofill Leakage)',
                 'personally_identifiable_information': ['Usernames',
                                                         'Passwords',
                                                         'Credit Card Numbers'],
                 'sensitivity_of_data': 'High (PII, Financial Data, '
                                        'Authentication Credentials)',
                 'type_of_data_compromised': ['Account Credentials',
                                              '2FA Codes',
                                              'Credit Card Details']},
 'date_detected': '2025-04-01',
 'date_publicly_disclosed': '2025-08-01',
 'description': 'Six major password managers with tens of millions of users '
                'are currently vulnerable to unpatched clickjacking flaws that '
                'could allow attackers to steal account credentials, 2FA '
                'codes, and credit card details. Threat actors exploit these '
                'flaws by overlaying invisible HTML elements on malicious or '
                'compromised websites, tricking users into triggering autofill '
                'actions that leak sensitive information. The vulnerabilities '
                'were disclosed by independent researcher Marek Tóth at DEF '
                'CON 33 and verified by cybersecurity firm Socket. Affected '
                'vendors include 1Password, Bitwarden, Enpass, iCloud '
                'Passwords, LastPass, and LogMeOnce, with some having released '
                'partial fixes or downplayed the severity.',
 'impact': {'brand_reputation_impact': ['Potential Erosion of Trust in '
                                        'Password Manager Security',
                                        'Negative Media Coverage'],
            'data_compromised': ['Account Credentials',
                                 '2FA Codes',
                                 'Credit Card Details'],
            'identity_theft_risk': 'High (Due to Credential and PII Exposure)',
            'payment_information_risk': 'High (Credit Card Details at Risk)',
            'systems_affected': ['Browser Extensions of Password Managers']},
 'initial_access_broker': {'data_sold_on_dark_web': 'Potential (If Exploited '
                                                    'at Scale)',
                           'entry_point': ['Malicious/XSS-Compromised Websites',
                                           'Cache-Poisoned Pages'],
                           'high_value_targets': ['Password Manager Users',
                                                  'Financial Data',
                                                  'Authentication '
                                                  'Credentials']},
 'investigation_status': 'Ongoing (Partial Fixes Released; Full Remediation '
                         'Pending)',
 'lessons_learned': ['Clickjacking remains a persistent web security risk, '
                     'especially for browser extensions.',
                     'Balancing user convenience (autofill) with security '
                     'requires proactive mitigation strategies.',
                     'Vendor transparency and timely patching are critical to '
                     'user trust.',
                     'Users must be educated on disabling risky features '
                     '(e.g., autofill) when vulnerabilities are disclosed.'],
 'motivation': ['Research/Disclosure',
                'Financial Gain (Credential Theft)',
                'Fraud (Credit Card Theft)',
                'Account Takeover'],
 'post_incident_analysis': {'corrective_actions': ['Vendor patches (e.g., '
                                                   'Bitwarden 2025.8.0, '
                                                   'LogMeOnce 7.12.5).',
                                                   'Enhanced user confirmation '
                                                   'prompts (1Password’s '
                                                   'upcoming release).',
                                                   'Public awareness campaigns '
                                                   'to mitigate exploitation.'],
                            'root_causes': ['Insufficient clickjacking '
                                            'protections in browser '
                                            'extensions.',
                                            'Over-reliance on autofill '
                                            'convenience without adequate user '
                                            'confirmation.',
                                            'Lack of universal browser-level '
                                            'mitigations for DOM-based UI '
                                            'manipulation.']},
 'recommendations': ['Users should disable autofill in password managers until '
                     'patches are applied.',
                     'Use copy/paste for credentials instead of autofill where '
                     'possible.',
                     'Update password manager extensions to the latest '
                     'versions (e.g., Bitwarden 2025.8.0, LogMeOnce 7.12.5+).',
                     'Vendors should implement additional confirmation prompts '
                     'for autofill actions (e.g., 1Password’s upcoming '
                     'feature).',
                     'Avoid interacting with suspicious overlays or pop-ups on '
                     'websites.',
                     'Monitor dark web for exposed credentials linked to these '
                     'vulnerabilities.'],
 'references': [{'date_accessed': '2025-08-23',
                 'source': 'BleepingComputer',
                 'url': 'https://www.bleepingcomputer.com/news/security/six-major-password-managers-vulnerable-to-clickjacking-attacks/'},
                {'date_accessed': '2025-08-01',
                 'source': 'DEF CON 33 Presentation (Marek Tóth)'},
                {'date_accessed': '2025-08-20',
                 'source': 'Socket Security Advisory'}],
 'response': {'communication_strategy': ['Public Statements by Vendors (e.g., '
                                         '1Password, LastPass)',
                                         'Media Updates via BleepingComputer'],
              'containment_measures': ['Disabling Autofill (User '
                                       'Recommendation)',
                                       'Partial Fixes by Some Vendors (e.g., '
                                       'Bitwarden 2025.8.0)'],
              'incident_response_plan_activated': ['Vendor Notifications '
                                                   '(April 2025)',
                                                   'Public Disclosure '
                                                   'Coordination (DEF CON 33)',
                                                   'CVE Filing by Socket'],
              'remediation_measures': ['Vendor Patches (Ongoing)',
                                       'User Awareness Campaigns (e.g., '
                                       'LastPass TIME Team Advisory)'],
              'third_party_assistance': ['Socket (Verification and '
                                         'Coordination)',
                                         'DEF CON 33 (Disclosure Platform)']},
 'stakeholder_advisories': ['LastPass TIME Team Statement (2025-08-20)',
                            '1Password CISO Statement (2025-08-21)',
                            'LogMeOnce Update Notification (2025-08-23)'],
 'threat_actor': ['Independent Researchers (Marek Tóth)',
                  'Potential Cybercriminals Exploiting Public Disclosure'],
 'title': 'Unpatched Clickjacking Flaws in Major Password Managers Expose User '
          'Credentials, 2FA Codes, and Credit Card Details',
 'type': ['Vulnerability Disclosure', 'Clickjacking Attack', 'Data Leakage'],
 'vulnerability_exploited': ['Clickjacking (CWE-1021)',
                             'Autofill Functionality Abuse',
                             'DOM-Based UI Manipulation']}