Zero-Day Clickjacking Potentially Puts 40 million Users at Immediate Risk 

CYPFER Threat Flash 

What Happened: 
Clickjacking has long been written off as a solved problem. Many bug bounty programs don’t even pay out for it anymore, assuming modern defenses like X-Frame-Options, Content-Security-Policy, and cookie restrictions closed the door years ago. 

But new research once again shows that old techniques evolve rather than die. Clickjacking has not gone away; it has moved. Attackers are no longer targeting websites but browser extensions, specifically password managers and similar tools that have become essential to everyday security.

The newly disclosed technique, known as DOM-based Extension Clickjacking, manipulates extension UI elements injected into the browser’s DOM. By adjusting visibility (e.g., opacity settings) or overlaying malicious content, attackers can render extension prompts invisible yet still clickable. 

That means a single click on what looks like a harmless cookie consent banner or CAPTCHA challenge could silently trigger autofill and expose sensitive information to the attacker. 

Why It Matters: 

  • Scope of exposure – Testing across 11 popular password managers revealed that all were initially vulnerable, representing ~40 million active installations across Chrome, Firefox, and Edge.
  • Severity of impact – In test scenarios, attackers could extract:
      • Credit card details including CVV (6 out of 9 password managers vulnerable)
      • Personal data like names, addresses, phone numbers, and DOBs (8 out of 10)
      • Login credentials and TOTP codes (10 out of 11)
      • Passkeys in certain cases, enabling session hijacking
  • Unpatched exposure remains high – Vendors including Dashlane, Keeper, NordPass, ProtonPass, and RoboForm have patched vulnerabilities. But 1Password, Bitwarden, LastPass, Enpass, iCloud Passwords, and LogMeOnce remain vulnerable, leaving 32.7M installations exposed as of August 2025.
  • Attack scenarios extend beyond malicious sites – Even if users only visit trusted domains, attackers can exploit XSS vulnerabilities, subdomain takeovers, or cache poisoning to inject malicious scripts into those trusted pages. Because password managers autofill across subdomains, a flaw on any subdomain could compromise an account at the parent domain.
  • Universal exploit potential – While the research focused on password managers, any extension that manipulates DOM elements (crypto wallets, note-taking apps, form fillers) may be equally vulnerable.

How the Attack Works: 

  1. Attacker-controlled or compromised websites create fake “intrusive elements” such as cookie banners, login dialogs, or CAPTCHAs.
  2. Extension autofill elements are injected into the DOM.
  3. Attackers manipulate visibility, making the extension UI invisible or hidden beneath overlays.
  4. Users click what they believe is a legitimate button.
  5. The extension autofills the hidden forms with sensitive data.
  6. The attacker exfiltrates the data immediately via script.

In one click, an attacker can capture personal data, credit cards, login credentials, or even 2FA codes. With two clicks, they can have both financial data and identity information.
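A defender-side check for the technique above, as an added example that is not part of the CYPFER post or any vendor's code: an extension content script would run something like this before it honours a click on its own injected autofill prompt, refusing when the prompt or an ancestor has been dimmed or hidden, or when a hit test shows an overlay drawn on top of it. The `MIN_OPACITY` threshold and all function names are assumptions, and the style snapshots at the bottom are constructed sample input.

```javascript
// Added example, not code from the CYPFER post or from any password-manager
// vendor: a guard an extension content script could run before honouring a
// click on its own injected autofill prompt. It rejects the click when the
// prompt (or any ancestor) has been made invisible, or when a hit test shows
// something else is drawn on top of it.

const MIN_OPACITY = 0.9; // assumed policy: anything dimmer counts as hidden

// Pure decision logic, testable without a browser. `chain` holds computed
// style snapshots from the prompt element up to <html>; `hitLandsOnUi` is
// whether document.elementFromPoint(click) resolved inside the prompt.
function assessClick(chain, hitLandsOnUi) {
  const reasons = [];
  if (!hitLandsOnUi) reasons.push('covered-by-overlay');
  chain.forEach((s, depth) => {
    const tag = depth === 0 ? 'self' : `ancestor[${depth}]`;
    if (parseFloat(s.opacity) < MIN_OPACITY) reasons.push(`${tag}:opacity=${s.opacity}`);
    if (s.visibility === 'hidden') reasons.push(`${tag}:visibility=hidden`);
    if (s.display === 'none') reasons.push(`${tag}:display=none`);
  });
  const self = chain[0];
  if (!self || self.width === 0 || self.height === 0) reasons.push('zero-size-box');
  return { safe: reasons.length === 0, reasons };
}

// Browser adapter: only meaningful inside a content script, which sees the
// real rendered styles even when page scripts changed them. Not run in Node.
function isSafeToAutofill(promptEl, clickX, clickY) {
  const chain = [];
  for (let el = promptEl; el; el = el.parentElement) {
    const cs = window.getComputedStyle(el);
    const box = el.getBoundingClientRect();
    chain.push({ opacity: cs.opacity, visibility: cs.visibility,
                 display: cs.display, width: box.width, height: box.height });
  }
  const hit = document.elementFromPoint(clickX, clickY);
  return assessClick(chain, hit !== null && promptEl.contains(hit));
}

// Constructed snapshots: a normally rendered prompt, and the same prompt after
// the page set opacity:0 on its parent (the trick described in the post).
const visibleChain = [
  { opacity: '1', visibility: 'visible', display: 'block', width: 240, height: 48 },
  { opacity: '1', visibility: 'visible', display: 'block', width: 800, height: 600 },
];
const dimmedChain = [
  { opacity: '1', visibility: 'visible', display: 'block', width: 240, height: 48 },
  { opacity: '0', visibility: 'visible', display: 'block', width: 800, height: 600 },
];
```

Because the content script runs in its own isolated world, `getComputedStyle` and `elementFromPoint` report what the user actually sees, which is what the guard needs; the same check can be wired to `isSafeToAutofill(promptEl, e.clientX, e.clientY)` inside the prompt's click handler.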

CYPFER’s Take: 
This is a strategic shift in attacker tradecraft. Traditional defenses focus on websites, not extensions. By pivoting to the browser extension layer, adversaries sidestep a decade of mitigations and strike directly at the tools we use to secure our digital lives. 

For organizations, this represents a single-point-of-failure risk. Password managers centralize identity security. If the extension is compromised, every stored credential, and even second factors, can be harvested in minutes.

What Organizations Should Do Now: 

  • Audit extension usage – Know which password managers and add-ons are deployed across your enterprise. 
  • Enforce updates – Require patched versions and confirm vulnerable versions are no longer in use. 
  • Restrict autofill behaviors – Configure browser extensions to “on click” site access instead of automatic autofill. 
  • Separate secrets – Avoid storing login credentials and 2FA codes in the same extension. 
  • Update playbooks – Treat extension compromise as a distinct attack path in incident response planning. 
  • Educate employees – Reinforce awareness that convenience features come with elevated risk. 

How CYPFER Can Help: 

At CYPFER, we move fast when zero-days break. Our teams provide: 

The Bottom Line: 

Clickjacking isn’t dead, but it has been reborn at the extension layer. With over 32 million users still exposed, the attack surface for credential theft and identity compromise is massive and active. The threat is immediate. The time to act is now. Contact CYPFER now.
