Autofill Nightmare: 40M Users Vulnerable To Popular Password Managers

Security researcher exposes clickjacking flaws in 1Password, Bitwarden, and LastPass affecting 40 million users

By Al Landes


Image credit: Wikimedia

Key Takeaways

  • Six major password managers expose 40 million users to clickjacking credential theft
  • Invisible overlays trick users into autofilling passwords through deceptive popup clicks
  • Disable autofill and switch to copy-paste until vendors patch these vulnerabilities

Your most trusted digital security tool just became a liability. Security researcher Marek Tóth exposed critical clickjacking vulnerabilities in six major password managers at DEF CON 33, affecting over 40 million users who rely on these tools for protection. The attacks use invisible UI elements to trick you into unknowingly surrendering your most sensitive credentials.

The carnage includes household names:

  • 1Password (version 8.11.4.27)
  • Bitwarden (2025.7.0)
  • LastPass (4.146.3)
  • Enpass
  • iCloud Passwords
  • LogMeOnce

These platforms collectively guard millions of passwords, 2FA codes, and credit card details that now sit vulnerable to sophisticated theft.

Invisible Overlays Turn Clicks Into Credential Theft

Here are the devious mechanics: malicious sites layer legitimate-looking popups over invisible password manager autofill buttons. When you click what appears to be a harmless “Accept Cookies” button, you’re actually triggering credential autofill that sends your login data straight to attackers. The technique works because all tested managers autofilled credentials not just for the main domain but for all of its subdomains, which expands the attack surface dramatically.
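To make the subdomain point concrete, here is an added Python model (not code from the research or from any vendor) of an autofill origin policy: an exact-host policy beside the permissive base-domain policy the article reports. The URLs are constructed samples, and the registrable-domain helper is a labelled simplification.

```python
"""Autofill origin policy: exact host vs. registrable-domain matching.

Added example, not taken from the article or any password manager's code.
A manager that fills credentials for any subdomain of the stored site lets
any attacker-controlled or compromised host under that domain receive them.
"""
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    # Simplification: take the last two DNS labels. Real code must consult
    # the Public Suffix List (e.g. "co.uk", "github.io") or it over-matches.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def should_autofill(stored_url: str, page_url: str, policy: str = "host") -> bool:
    """Decide whether a credential saved for stored_url may be filled on page_url.

    policy "host":        exact scheme+host match only (the safer default).
    policy "base-domain": any subdomain of the stored registrable domain
                          (the permissive behaviour the article describes).
    """
    stored, page = urlsplit(stored_url), urlsplit(page_url)
    # Never fill over plain HTTP or into a page without a hostname.
    if page.scheme != "https" or not page.hostname or not stored.hostname:
        return False
    if policy == "host":
        return page.hostname == stored.hostname  # urlsplit lowercases hostname
    if policy == "base-domain":
        return registrable_domain(page.hostname) == registrable_domain(stored.hostname)
    raise ValueError(f"unknown policy: {policy}")


def fill_decisions(stored_url: str, candidate_pages: list[str]) -> dict[str, tuple[bool, bool]]:
    """Return {page: (host_policy_result, base_domain_policy_result)}."""
    return {p: (should_autofill(stored_url, p, "host"),
                should_autofill(stored_url, p, "base-domain")) for p in candidate_pages}


if __name__ == "__main__":
    # Constructed sample: a credential saved on the login host, and three
    # pages that might request it.
    STORED = "https://accounts.example.com/login"
    PAGES = [
        "https://accounts.example.com/signin",    # same host
        "https://user-uploads.example.com/page",  # sibling subdomain
        "http://accounts.example.com/login",      # downgrade to plain HTTP
    ]
    for page, (host_ok, base_ok) in fill_decisions(STORED, PAGES).items():
        print(f"{page:42} host-policy={host_ok!s:5} base-domain-policy={base_ok}")
```

The sibling-subdomain row is the one that matters: the base-domain policy fills there, the exact-host policy does not.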

Vendor Responses Range From Swift To Sluggish

The vendor response split reveals troubling priorities. Bitwarden acknowledged the severity and released version 2025.8.0 within weeks of disclosure. Meanwhile, 1Password and LastPass initially categorized these exploits as low-risk “informative” findings, despite proof-of-concept attacks working flawlessly. Socket independently verified the vulnerabilities, adding credibility to Tóth’s research that some vendors seemed eager to downplay.

Your Defense Strategy Starts Now

Until vendors catch up, you need immediate damage control:

  • Disable autofill in your password manager’s browser extension settings
  • Revert to copy-paste workflows for credential entry
  • Set Chromium extension site access to “on click” rather than “all sites” permissions
  • Scrutinize any popup overlays before clicking: that innocent-looking survey might be harvesting your banking passwords

The password manager industry just learned that convenience and security exist in constant tension. Your vigilance fills the gap until vendors remember that protecting user data means protecting every interaction layer, not just the encryption underneath.
