Clickjacking Vulnerabilities Exposed in Popular Password Managers

By Tina Reynolds

Bitwarden has released an emergency update to its browser extension in response to newly disclosed clickjacking vulnerabilities affecting its users. Today's release, 2025.8.0, addresses findings by Marek Tóth, an independent security researcher who presented them at the DEF CON 33 security conference. His research centres on DOM-based extension clickjacking, a technique that also works against several other popular password managers.

The flaws affect 11 widely used password-manager browser extensions that between them protect millions of users. Bitwarden has shipped a fix. Other vendors, including 1Password, Apple iCloud Passwords, Enpass, LastPass and LogMeOnce, had not done so at the time of writing, and security researchers are urging users of those products to stay alert until they do.

Understanding the Vulnerabilities

Marek Tóth's research targets the user interface that password-manager extensions inject into web pages, such as the autofill dropdown shown next to a login form. A JavaScript script on an attacker-controlled page (not a Node.js program; the attack runs in the victim's browser) manipulates the DOM to make those injected elements invisible, for example by setting their opacity to zero, while leaving them clickable, and then lures the user into clicking where the hidden element sits, behind a fake cookie banner or similar decoy. The click lands on the hidden autofill control, and the extension fills the stored data into fields the attacker reads.

“A single click anywhere on an attacker-controlled website could allow attackers to steal users’ data (credit card details, personal data, login credentials, including TOTP),” – Marek Tóth
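The following is an added illustration, not Bitwarden's or any other vendor's actual patch, of the kind of visibility check an extension could run on the UI it injects (its autofill dropdown, say) before acting on a click. The attack above hides that UI by restyling it or an ancestor and aims the user's click at its position; the check refuses to act unless the element is plainly visible and on top. The opacity and size thresholds, the placeholder selector and the sample style chains are assumptions made for this example.

```javascript
// Added illustration, not any vendor's actual fix: a check an extension can run
// on UI it injected (e.g. its autofill dropdown) before honouring a click.

// Thresholds are assumptions for this example, not figures from the research.
const MIN_OPACITY = 0.9;  // fainter than this counts as hidden
const MIN_SIZE_PX = 8;    // smaller than this counts as hidden

// Pure check over computed styles ordered from the injected element up to
// <html>. Each entry: { opacity, visibility, display, clipPath, width, height }.
// Opacity compounds and visibility inherits, so every ancestor is inspected.
function hiddenByStyleChain(chain) {
  if (chain.length === 0) return true;
  for (const s of chain) {
    if (s.display === 'none') return true;
    if (s.visibility === 'hidden' || s.visibility === 'collapse') return true;
    if (parseFloat(s.opacity) < MIN_OPACITY) return true;
    if (s.clipPath && s.clipPath !== 'none') return true;
  }
  // Only the element itself needs a usable box; ancestors are normally larger.
  return chain[0].width < MIN_SIZE_PX || chain[0].height < MIN_SIZE_PX;
}

// Pure check of a hit test: `topmost` is what document.elementFromPoint returned
// at the centre of `target`. Anything other than target or one of its
// descendants means something else, such as a decoy, is drawn over it.
function isObscured(target, topmost) {
  return !topmost || !(topmost === target || target.contains(topmost));
}

// DOM glue. `win` and `doc` are parameters so the function can be driven with
// fakes outside a browser.
function auditInjectedElement(el, win, doc) {
  const chain = [];
  for (let node = el; node && node.nodeType === 1; node = node.parentElement) {
    const cs = win.getComputedStyle(node);
    const box = node.getBoundingClientRect();
    chain.push({ opacity: cs.opacity, visibility: cs.visibility, display: cs.display,
                 clipPath: cs.clipPath, width: box.width, height: box.height });
  }
  if (hiddenByStyleChain(chain)) return { safe: false, reason: 'hidden' };
  const box = el.getBoundingClientRect();
  const topmost = doc.elementFromPoint(box.left + box.width / 2, box.top + box.height / 2);
  if (isObscured(el, topmost)) return { safe: false, reason: 'obscured' };
  return { safe: true, reason: 'ok' };
}

// Constructed sample chains (not captured from any real extension).
const benignChain = [
  { opacity: '1', visibility: 'visible', display: 'block', clipPath: 'none', width: 240, height: 48 },   // dropdown
  { opacity: '1', visibility: 'visible', display: 'block', clipPath: 'none', width: 1280, height: 800 }, // body
];
// The attack: the page sets opacity:0 on the dropdown (or an ancestor), so it
// is invisible but still receives the click the user aimed at a decoy.
const attackedChain = [
  { opacity: '0', visibility: 'visible', display: 'block', clipPath: 'none', width: 240, height: 48 },
  { opacity: '1', visibility: 'visible', display: 'block', clipPath: 'none', width: 1280, height: 800 },
];

if (typeof document !== 'undefined') {
  // In a browser an extension would pass the element it injected; this
  // selector is a placeholder, not one used by any real product.
  const el = document.querySelector('[data-example-autofill-menu]');
  if (el) console.log(auditInjectedElement(el, window, document));
}
```

One caveat a practitioner should keep in mind: document.elementFromPoint skips elements styled with pointer-events: none, so a decoy drawn that way covers the dropdown visually yet passes the hit test, and the style checks only catch tampering with the dropdown and its ancestors, not an opaque overlay. Rendering the UI in a browser surface outside the page's DOM, or requiring a deliberate gesture on the extension's own toolbar UI, closes that gap more reliably than any in-page check.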

Tóth also observed that most password managers autofill credentials not only on the exact site where they were saved but on every subdomain of that site. This widens the attack surface: any subdomain an attacker can control or inject content into, such as one serving user-uploaded pages, becomes a place from which the attack can be mounted against credentials saved for the parent domain.
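To make the matching rule concrete, the following added example (not the matching logic of any named password manager) contrasts the permissive "same registrable domain" policy the research found in most products with a strict "same host" policy. The public-suffix table and the sample URLs are assumptions constructed for this example; a real implementation must consult the full Public Suffix List.

```javascript
// Added illustration of autofill scope policies; not any vendor's code.

// Stub standing in for the Public Suffix List (https://publicsuffix.org/).
// An assumption for this example: real code needs the full list.
const PUBLIC_SUFFIXES = new Set(['com', 'org', 'net', 'co.uk', 'github.io']);

// Returns the registrable domain (eTLD+1) of a host, or null when the host is
// itself a public suffix or its suffix is unknown (refuse rather than guess).
function registrableDomain(host) {
  const labels = host.toLowerCase().split('.');
  for (let i = 0; i < labels.length; i++) {
    const suffix = labels.slice(i).join('.');
    if (PUBLIC_SUFFIXES.has(suffix)) {
      return i === 0 ? null : labels.slice(i - 1).join('.');
    }
  }
  return null;
}

// policy 'same-host': fill only on the exact host the credential was saved for.
// policy 'same-registrable-domain': fill on any subdomain of that domain, the
// behaviour the research found in most password managers.
function shouldAutofill(savedUrl, pageUrl, policy) {
  const saved = new URL(savedUrl);
  const page = new URL(pageUrl);
  // Never downgrade: a credential saved over https is not filled on http.
  if (saved.protocol === 'https:' && page.protocol !== 'https:') return false;
  if (policy === 'same-host') return saved.hostname === page.hostname;
  if (policy === 'same-registrable-domain') {
    const a = registrableDomain(saved.hostname);
    const b = registrableDomain(page.hostname);
    return a !== null && a === b;
  }
  throw new Error(`unknown policy: ${policy}`);
}

// Constructed sample: the credential was saved on the login host, and the
// attacker controls content on a sibling subdomain of the same domain.
const SAVED_ON = 'https://login.example.com/signin';
const ATTACKER_PAGE = 'https://pages.example.com/anything';

// Summarises what each policy would do on the attacker's page.
function compareScopes(savedUrl, pageUrl) {
  return {
    sameHost: shouldAutofill(savedUrl, pageUrl, 'same-host'),
    sameRegistrableDomain: shouldAutofill(savedUrl, pageUrl, 'same-registrable-domain'),
  };
}

console.log(compareScopes(SAVED_ON, ATTACKER_PAGE));
```

Under the permissive policy the attacker's subdomain receives the credential, which is exactly the exposure the research points at; the strict policy is safer but breaks legitimate sites that move users between subdomains, which is why most products default to the permissive rule.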

Responses from Password Manager Vendors

Versions Tóth listed as still vulnerable at the time of publication (Bitwarden has since shipped 2025.8.0):

  • 1Password (version 8.11.4.27)
  • Apple iCloud Passwords (version 3.1.25)
  • Bitwarden (version 2025.7.0; fixed in 2025.8.0)
  • Enpass (version 6.11.6)
  • LastPass (version 4.146.3)
  • LogMeOnce (version 7.12.4)
1Password and LastPass have acknowledged the reports but classified them as informative rather than as defects requiring a fix. Bitwarden, Enpass and iCloud Passwords, by contrast, committed to delivering protections; Bitwarden's has now shipped as 2025.8.0.

Recommended Actions for Users

Given these vulnerabilities, security experts urge users to act now. Tóth's advice for users of Chromium-based browsers is to open the extension's details page and change its site access setting from "On all sites" to "On click". With that setting the extension injects nothing into a page until the user deliberately clicks its toolbar icon, so an attacker's page has no injected element to hide or cover.

“For Chromium-based browser users, it is recommended to configure site access to ‘on click’ in extension settings,” – Marek Tóth

This limits exposure to malicious pages until comprehensive fixes are in place; it does not replace updating to a fixed version as soon as one is available.