Should I be worried about clickjacking?

Just saw this: DOM-based Extension Clickjacking: Your Password Manager Data at Risk | Marek Tóth Essentially, a malicious script can steal all your passwords by hiding behind a fake CAPTCHA window. Proven to work against Bitwarden amongst other password managers.

Is the development team working to combat this? In the meantime, should I turn off autofill - or is it nothing to worry about?

2 Likes

Thanks for linking this report — and I especially commend you for linking the original research report instead of some blog article or sensationalized “news” story. Marek Tóth (the author of this report) is a security researcher whom I respect, and I would take what he says seriously. The report is quite extensive, however, and I have only skimmed it. I would say that my initial take-aways are:

  • Yes, you should be worried about click-jacking, but no need to panic — read on:
  • A fix is already in progress; Bitwarden has just merged PR #16063, which will stop exploits based on null opacity, so this should be available in the next version (2025.7.2?). However, not all versions of the vulnerability require manipulation of opacity (see “Overlay” section). [Update: All vulnerabilities discovered by Marek Tóth have been patched as of version 2025.8.2.]
  • All versions of this exploit require the extension to be unlocked while you are interacting with some web page that is not a login page; thus, you will be protected if you follow best practices to keep your vault locked (using a short vault timeout) while it is not being actively used.
  • The risk can be mitigated by making your URI match detection method more specific than “Base Domain”. For example, if you are interacting with a compromised webpage hosted at poorly.secured.subdomain.example.com, then using “Base Domain” matching for your example.com credentials will make it possible for them to be stolen — to protect yourself, you should store the exact URL of the example.com login page only (for example, https://login.example.com), and set URI matching to “Host”, “Starts With”, or “Exact”.
  • The risk can be eliminated by not using inline autofill menus (disable “Show autofill suggestions on form fields” under Settings > Autofill). The report suggests that users should copy & paste credentials instead, but in my opinion, it would be safer to use alternative autofill methods (keyboard shortcut, opening the browser extension, or using the right-click context menu) or even drag-and-fill, since there are known vulnerabilities for credentials copied to the system clipboard. If you can’t live without inline autofill, you should be able to at least reduce your risk by enabling the option “Display suggestions when icon is selected” (this eliminates at least the 1-click exploits, since autofilling now will require 2 clicks).
  • The risk can be mitigated by keeping an eye on the Bitwarden extension icon at the top of the browser window. If there is a number displayed in a badge overlaid on the Bitwarden icon, then there is at least one set of login credentials that can be stolen by the active webpage (assuming that you have inline autofill menus enabled). Thus, if you see such a badge counter when the browser is not displaying a login form, then you are vulnerable (i.e., you need to fix the URI match detection method for any vault items that appear in the “Autofill Suggestions” section at the top of the browser extension window). Note, however, that version 2025.7.0 has a bug that sometimes prevents the badge counter from being displayed; a recently merged fix for this bug should be available in the next release [Update: Bug fixed in version 2025.9.0.].
  • The report author has proposed another mitigation (here), which involves restricting the extension’s access to the webpage (but this introduces 2 additional clicks each time that you wish to autofill).
7 Likes
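The fourth bullet above (making URI match detection more specific than “Base Domain”) is easier to reason about with a worked example. The following is an added illustration, not Bitwarden's own code: a toy re-implementation of the four match methods named in that bullet, run against a constructed vault and the attacker-controlled subdomain from the bullet. One assumption to keep in mind: this toy treats the “base domain” as the last two DNS labels, whereas Bitwarden's real matcher consults the Public Suffix List, so multi-label suffixes such as co.uk behave differently here.

```javascript
// Added example (not Bitwarden's code): toy model of the four URI match
// detection methods discussed above, to show which stored logins a page on an
// attacker-controlled subdomain would be offered under each setting.
// Assumption: "base domain" = last two DNS labels (Bitwarden's real matcher
// uses the Public Suffix List, so this is a simplification).

function baseDomain(hostname) {
  return hostname.toLowerCase().split('.').slice(-2).join('.');
}

function matches(method, storedUri, pageUrl) {
  const stored = new URL(storedUri);
  const page = new URL(pageUrl);
  switch (method) {
    case 'base_domain':
      return baseDomain(stored.hostname) === baseDomain(page.hostname);
    case 'host':
      // host includes the port, hostname alone would not
      return stored.host === page.host;
    case 'starts_with':
      return pageUrl.startsWith(storedUri);
    case 'exact':
      return pageUrl === storedUri;
    default:
      throw new Error(`unknown match method: ${method}`);
  }
}

// Names of the vault items that would appear under "Autofill Suggestions"
// for a given page, each item evaluated with its own match method.
function suggestionsFor(vault, pageUrl) {
  return vault
    .filter(item => matches(item.method, item.uri, pageUrl))
    .map(item => item.name);
}

// Constructed sample vault: the same example.com login stored four ways.
const SAMPLE_VAULT = [
  { name: 'example.com (base domain)', method: 'base_domain', uri: 'https://login.example.com' },
  { name: 'example.com (host)',        method: 'host',        uri: 'https://login.example.com' },
  { name: 'example.com (starts with)', method: 'starts_with', uri: 'https://login.example.com/' },
  { name: 'example.com (exact)',       method: 'exact',       uri: 'https://login.example.com/' },
];

// Constructed URLs: a page hosting a fake CAPTCHA on a subdomain the attacker
// controls (but which shares example.com as its base domain), and the real
// login page.
const ATTACKER_PAGE = 'https://poorly.secured.subdomain.example.com/captcha';
const REAL_LOGIN = 'https://login.example.com/';

console.log('attacker page is offered:', suggestionsFor(SAMPLE_VAULT, ATTACKER_PAGE));
console.log('real login page is offered:', suggestionsFor(SAMPLE_VAULT, REAL_LOGIN));
```

Only the item stored with “Base Domain” matching is offered to the attacker's subdomain; the other three are offered on the real login page and nowhere else, which is exactly the badge-counter behaviour the sixth bullet tells you to watch for.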

grb, I was going to basically type the post you did so thanks for doing the work, LOL!

Additionally, some prefer the simplicity of storing their TOTPs in Bitwarden, but having them in a separate place is a much better security posture. Mine are on YubiKeys, and it's a simple process to handle the TOTPs “elsewhere” from Bitwarden. Between offsite TOTPs and using YubiKeys for every account you can, the loss of a password would basically be a non-event. Of course you don't want password loss, but unless the adversary can acquire the second factor, it won't really help them much. My .02

1 Like

If anybody wants to check if they are vulnerable, you can do the following:

  • In your Bitwarden vault, create a dummy login item for the website https://websecurity.dev/, with some fake username and password.
  • Go to Marek Tóth’s demo page https://websecurity.dev/password-managers/dom-based-extension-clickjacking/login/, and wait for the “We use cookies” pop-up modal to be displayed (this may take a few seconds).
  • Click on one of the buttons in the pop-up (or anywhere else in the browser window).

If the pop-up form doesn’t respond (nothing happens, no matter where you click), then you are not vulnerable to that particular version of the exploit (a 1-click version based on opacity manipulation) — you could still be vulnerable to other variants of the exploit.

Otherwise, if the pop-up closes, you will see your stolen credentials displayed. :scream:

There are additional demo pages available here:

1 Like

Thank you so much for the detailed and speedy reply! That makes me feel a lot better.

I’ve disabled inline autofill as per your 5th bullet point.

I must admit I’m a bit lazy and have a longer timeout on my vault locking than I really should; I’ll fix that too.

And that’s a good point about the number on the extension icon too: a quick flick through open tabs reveals about half show 1 or more, and several show at least 3. So there’s some work to do to limit this to login pages: again I’m probably quite lazy about this and use the default ‘base domain’ matching.

Thanks again!

1 Like

EDIT: Staff notice above has been updated.

1 Like

@dwbit Thanks for the update.

My understanding is that the patch (PR #16063) only addresses exploits based on opacity manipulation (i.e., transparent form elements), but that users who enable inline autofill menus may still be vulnerable to click-jacking using “Overlay” techniques.

Could you please ask one of the devs (@jprusik?) to comment on this?

1 Like

While it is great that this has been fixed (partially at least), can you explain a little bit why it took this long to fix – according to the report, Bitwarden knew of those issues since April. Also, what decision led to the “low severity” rating on HackerOne?

Also when you say:

The risk can be mitigated by making your URI match detection method more specific than “Base Domain”.

This is only true for passwords, since card & identity data is not linked to URLs right?

@apollo13 Welcome to the forum! Your comment seems to be addressed (at least in part) to me, so I should clarify that I do not work for Bitwarden; although I volunteer as a forum moderator, I am just a Bitwarden customer, like you.

This would be an accurate observation. However, you should be able to eliminate the risk to credit card and identity data by disabling the options “Display cards as suggestions” and “Display identities as suggestions”, respectively (under Settings > Autofill > Show Autofill Suggestions on Form Fields).

The bullet point about the extension icon badge counter in my previous comment obviously also applies only to login items, but all other bullet points in my comment should apply equally to credit card and identity items.

1 Like

Thank you for the clarification @grb; in addition to your previous comment, I think it would also be worth pointing out that:

  • The vulnerability is way more likely to be exploited for credit/identity card data than for logins since the credit card data can be filled on every website.
  • Extracting login data requires pre-existing vulnerabilities on the target domain (or subdomains) – how likely that is strongly depends on the domain. The worst case obviously being domains that allow you to host user content on a subdomain, since you don't even need a vulnerability.
  • While it should be clear, the exploit can only extract logins that match the domain in question (unless you run into something like shown in the example of DOM-based Extension Clickjacking: Your Password Manager Data at Risk | Marek Tóth ).
  • The recommendation to copy & paste passwords comes with its own set of problems: it is now up to you to verify that you are entering your credentials on the correct page, which can be hard sometimes (IDN…, but you can configure your browser to show the punycode ;))
1 Like

Thanks for the additional advice, which is on point.

I did address this in the 5th bulletpoint of my original comment, suggesting some mitigations that are superior to copy & paste:

 

You can test your vulnerability to credit card theft using this demo webpage:

Is there a way to remove the “autologin” on a enterprise level via the admin console for all users?

@sebastiangriffindiav Welcome to the forum!

The available enterprise policies are documented here. It’s unclear what you are referring to when you say “autologin”.

I believe @sebastiangriffindiav is asking if we have the ability to disable the autofill feature for users via the admin console.

As it stands now, users can manually enable this option. I’d like the ability to make it unavailable for all users from a single control center.

You should post a feature request.

This is interesting because according to https://www.techspot.com/news/109149-lastpass-1password,-bitwarden-extensions-vulnerable-clickjacking-attacks.html this was resolved in 2025.8.0.

Two comments:

  1. If this is so, why is there no mention at all in the release notes? It is a big issue to leave under “bug fixes”.
  2. If it is not fixed, why have you said it has?

People need visibility of security issues to evaluate their security posture not silence. Can you point me towards an article from Bitwarden discussing this? Seems like an urgent out of band fix should be made.

As already said, the fix was in 2025.8.1, with the description:

Do not render the inline autofill menu if the page has an open popover window

This changelog description is both helpful and not helpful:

  • There is a surprising detail of what the fix strategy was
  • I wouldn’t know, unless I know beforehand, that this is a security fix, important or not, critical or not.

@dwbit

So it would be nice if “security” fixes were communicated more clearly, even in the changelog (where people might be evaluating builds).

1 Like
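The two fix strategies that surface in this thread, refusing to render the inline menu when a page has made it invisible (the “null opacity” fix in PR #16063) and refusing to render it while the page has an open popover (the 2025.8.1 changelog line quoted above), can be modelled in a few lines. The following is an added example and not Bitwarden's code: elements are plain objects rather than a real DOM, the style properties it reads are assumed, and in a real content script the same questions would be answered with getComputedStyle(), element.matches(':popover-open') and elementFromPoint() hit-testing. It does not model the “Overlay” variant, where a page element is positioned on top of a fully visible menu; that needs hit-testing, which this model deliberately leaves out. It also shows one caveat a practitioner implementing such a check should know: CSS opacity multiplies down the tree, so a check that only reads the menu element's own opacity passes when an ancestor is transparent.

```javascript
// Added example (not Bitwarden's code): a minimal model of two inline-menu
// rendering checks discussed in this thread. Elements are plain objects with
// an assumed style object {opacity, display, visibility}; popoverOpen stands
// in for a real element matching ':popover-open'.

function makeEl(tag, style = {}, parent = null, popoverOpen = false) {
  const el = { tag, style, parent, popoverOpen, children: [] };
  if (parent) parent.children.push(el);
  return el;
}

// CSS opacity multiplies through ancestors: a parent with opacity 0 hides
// every descendant even if the descendant declares opacity 1.
function effectiveOpacity(el) {
  let opacity = 1;
  for (let e = el; e; e = e.parent) {
    opacity *= e.style.opacity === undefined ? 1 : Number(e.style.opacity);
  }
  return opacity;
}

// The check a naive implementation might do: look only at the element itself.
function ownOpacityVisible(el) {
  const own = el.style.opacity === undefined ? 1 : Number(el.style.opacity);
  return own > 0.01;
}

// The stronger check: walk the ancestor chain for display/visibility and use
// the multiplied opacity. "Null opacity" elements are invisible yet clickable,
// which is what makes the 1-click variant work.
function isVisiblyRendered(el) {
  for (let e = el; e; e = e.parent) {
    if (e.style.display === 'none' || e.style.visibility === 'hidden') return false;
  }
  return effectiveOpacity(el) > 0.01;
}

function hasOpenPopover(root) {
  if (root.popoverOpen) return true;
  return root.children.some(hasOpenPopover);
}

// Decision modelled on the two fixes named in the thread.
function shouldRenderInlineMenu(root, menuHost) {
  if (hasOpenPopover(root)) return false;          // popover rule (2025.8.1 changelog)
  if (!isVisiblyRendered(menuHost)) return false;  // null-opacity rule
  return true;
}

// Constructed attacker page: a fake "We use cookies" modal plus the
// extension-injected menu host, which the page's CSS may style at will.
function buildPage({ hostStyle = {}, wrapperStyle = {}, popoverOpen = false } = {}) {
  const body = makeEl('body');
  makeEl('div', {}, body, popoverOpen);                 // fake cookie banner
  const wrapper = makeEl('div', wrapperStyle, body);    // page-controlled container
  const menuHost = makeEl('bitwarden-inline-menu', hostStyle, wrapper);
  return { body, menuHost };
}

const benign = buildPage();
const nullOpacity = buildPage({ hostStyle: { opacity: 0 } });
const popover = buildPage({ popoverOpen: true });
const ancestorHidden = buildPage({ wrapperStyle: { opacity: 0 }, hostStyle: { opacity: 1 } });

console.log('benign page renders menu:', shouldRenderInlineMenu(benign.body, benign.menuHost));
console.log('opacity:0 on menu host renders menu:', shouldRenderInlineMenu(nullOpacity.body, nullOpacity.menuHost));
console.log('open popover renders menu:', shouldRenderInlineMenu(popover.body, popover.menuHost));
console.log('ancestor opacity:0, own-opacity check says visible:', ownOpacityVisible(ancestorHidden.menuHost));
console.log('ancestor opacity:0, ancestor-walk check says visible:', isVisiblyRendered(ancestorHidden.menuHost));
```

The last two lines are the point of the ancestor walk: the naive own-opacity check reports the menu as visible, the ancestor-aware check reports it as hidden. In a browser the equivalent of the walk is getComputedStyle() on each ancestor, since computed opacity is not inherited and a single call on the menu element would miss a transparent parent.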

Yes, “Autofill”

Feature request created!

Enterprise Policy to Disable Autofill for Users - Feature Requests / Password Manager - Bitwarden Community Forums

1 Like

Hi everyone,

I am the author of security research.

Bitwarden: latest version (2025.8.1) still vulnerable :warning:
Demo sites: https://websecurity.dev/password-managers/dom-based-extension-clickjacking/

For version status, I recommend following my X account: @marektoth

Bitwarden publishes ‘fix version’ information without my prior testing

1 Like

Hi @marektoth, please continue to submit security issues and any updates to our security team through HackerOne or by reaching out to security@bitwarden.com so they can be reviewed by the correct people.