Some progress has been made with various Password Managers, sadly not all. Here is the current status.

Who has fixed it

• Dashlane: Smart Extension v6.2531.1 (Aug 1). Update in your store.

• Keeper: Extension fixes in v17.1.2 and hardening in v17.2.0.

• NordPass, Proton Pass, RoboForm: Vendors state patched. Check latest extension.

• Bitwarden: v2025.8.0 contains the fix. Make sure your store shows that version.

• Enpass: Release notes say Chrome v6.11.6 fixed clickjacking (others may lag). Verify per-browser.

Who hasn’t (or not fully)

• 1Password: No comprehensive extension patch; added a user-prompt mitigation.

• LastPass: No fix yet.

• LogMeOnce: No response reported.

• Apple iCloud Passwords extension (Chrome/Edge/Firefox): Listed as vulnerable.

Special note RE: Apple iCloud Passwords

• Safari on macOS/iOS: Keep using it. Safari’s built-in passwords are not the

  extension being targeted. Regardless I have turned off autofill.

• Other browsers: Unload/disable “iCloud Passwords” extensions until Apple patches. It is not safe yet.

• Make sure your Apple Devices are FULLY CURRENT and patched. There were important updates yesteday for other Zero Day vulnerabilities.

A new security flaw has been found in browser extensions, including many popular password managers. It uses a trick called clickjacking, where a website secretly hijacks your clicks. You think you’re clicking one thing, but behind the scenes, you’re actually opening your password manager—giving the site access to your saved passwords, payment cards, and multi-factor authentication codes.

Example

It’s like clicking a “close ad” button, but instead it silently opens your vault and exposes everything inside.

What to do right now

Until more details are confirmed, here’s the safe approach:

On your computer

• Disable autofill for passwords and credit cards in your browser and computer settings.

• Turn off or remove password manager browser extensions, just for now.

• Don’t click links. Verify them first, and manually type them into the address bar if you need to go there.

On your phone

• Also turn off autofill in your mobile browser and phone settings.

• Don’t trust in-app browsers or popups.

Private or incognito mode doesn’t protect you

Private or incognito mode doesn’t turn off autofill by default. Your saved credentials and cards can still fill in unless you’ve disabled them.

Test your settings

Here’s a simple test to check if autofill is truly off—on desktop or mobile:

1. Open your browser (regular and private/incognito).

2. Visit any login page (like Google or Facebook).

3. If anything fills in automatically—like your email, password, or card—autofill is still on.

If you see anything filled in, go back into your browser and password manager settings to turn autofill off. That’s the best way to lock things down.

Why it matters

This isn’t about someone guessing your password. It’s about a website tricking your browser into entering it for you.

Most password managers haven’t issued fixes yet. Some may not be able to.

As of August 20, 2025, only Dashlane, Keeper, NordPass, ProtonPass and RoboForm have confirmed a fix. Others—including, but not limited to: 1Password, LastPass, Enpass, iCloud Passwords, and LogMeOnce—still appear vulnerable. You’ll need to stay on top of the tools you use.

Final word

It’s early. But cautious users should assume the worst until more is confirmed.
Disable autofill everywhere. Use copy-paste from your vault if needed. It might feel like going back to the old days, but it’s safer for now.

We’ll update this as new info comes in.

Here’s what I’ve done on my network as a precaution:

• Moved all Sonos, Roku, and TV devices to a dedicated IoT VLAN. Only authorized devices can see them now.

• As a bonus, guests can no longer hijack the music or volume when visiting — which I appreciate.

• Apple TV remains on the main network so guests can still use AirPlay to cast to the Apple devices, and nothing else. I trust Apple’s security more than third-party vendors using their APIs, especially given the long delays in patching.

• Disabled AirPlay on all non-Apple devices (Roku and TVs) since we use Apple TV anyway — it’s safer this way.

• Kept all Apple devices fully patched and applied security settings I mentioned in earlier posts.

This setup might be overkill for some, and yes, configuring networks for Sonos and AirPlay can be pain. But it’s working well here, so far…. and it feels a lot more secure.

Some readers have suggested the risk is overblown, that an attacker would already need to be compromised, on the same Wi-Fi, and it doesn’t matter because their Apple devices are patched.

Maybe some of that is true, but it’s not the full picture.

Why I’m Following Up

If you’ve read the intro to this newsletter, you’ll know I don’t plan to post often. This isn’t a feed for weekly CVE (Critical Vulnerabilies and Exposures) dumps.

I started it because I used to send texts, emails, and WhatsApps to friends and family whenever a major Apple-related security issue came up, especially when the story wasn’t being fully told or the fix didn’t go far enough.

This is one of those moments.

We’ve heard crickets from third-party AirPlay device manufacturers. That silence is the problem, and it’s why I’m sending this follow-up.

It’s Not Just Your Apple Gear

Apple did a solid job here. They patched their OS, rolled out updates across iOS, macOS, and tvOS, and even pushed a patched SDK to third-party manufacturers.

But that’s where the trail ends.

We reviewed public documentation from dozens of major smart TV and speaker vendors over the weekend. The results?

• Most haven’t confirmed whether they’ve patched

• Some say they’re “investigating”

• Many have said nothing at all

In short, millions of third-party AirPlay devices remain in limbo, with no clear signal from their manufacturers about whether they’re patched, or even vulnerable.

This concern isn’t hypothetical. It’s real-world lateral movement waiting to happen.

Picture malicious code landing on your TV, turning it into a beachhead on your network,  scanning for vulnerabilities, quietly working its way in.… Or maybe they just wait, lying dormant until the next zero-day appears.

Either way, this one’s not safe to ignore.

What You Should Do Now

• Patch your Apple devices — all of them

• Turn off AirPlay on third-party (non-Apple) devices until the vendor explicitly confirms they’ve patched

• Avoid public Wi-Fi whenever possible. Assume it’s hostile

• Stick with Apple AirPlay hardware for now if you need AirPlay, and keep it up to date

All of your AirPlay devices need to be fully patched, and that includes all those silent third-party vendors.

Until then, assume silence means not fixed.

You can find the original post here:

Disclaimer

The content shared through this newsletter is provided for general informational purposes only and does not constitute professional cybersecurity advice. While I make every effort to ensure the information is accurate, timely, and relevant, I cannot guarantee its completeness or currency. Readers should not rely solely on this content when making security-related decisions. No warranties are offered or implied. Just best efforts, based on experience and good judgment.

No clicks. No prompts. No warnings.

This vulnerability, dubbed “Airborne,” affects AirPlay and other local discovery services — and it’s serious.

Even if your devices are fully patched, a compromised phone or smart TV on the same network could be enough to expose you to:

🔻 Data theft

🔻 Remote code execution

🔻 Lateral movement across your network

What You Can Do Right Now:

On iPhone / iPad:

• Upgrade to the latest iOS version

• Go to Settings > General > AirPlay & Continuity

• Set Automatically AirPlay to TVs → Never

• Toggle Airplay Receiver → Off

On Mac:

• Upgrade to the latest macOS version

• Go to System Settings > General > AirDrop & Handoff

• Toggle AirPlay Receiver → Off

• Make sure your Firewall is On

On Apple TV:

• Upgrade to the latest tvOS version

• Go to Settings > AirPlay and HomeKit

• Set AirPlay → Off or Same Network Only

• Set Allow Access → Only People Sharing This Home
  

🔐 Lock Down Your Network:

• Set up a fully isolated guest network - a guest should only be able to see the internet, not your internal devices. - FYI - While I have this, I do not enforce this. For now, I am accepting the risk.

• Remove or retire any unpatchable AirPlay devices - this includes Smart TV’s and Speakers
  

• If it’s on your Wi-Fi and you don’t recognize it, disconnect it - and block it.

If you want more info, you can find it here: Oligo Security

If Apple already patched the issue, why is this still a concern?

Apple did patch their own devices — anything they manufacture with AirPlay has been secured. They’ve also updated their third-party software development kit (SDK), so the fix is technically available. But that’s only part of the story.

There are millions of third-party TVs, speakers, and streaming devices that support AirPlay — and Apple can’t patch those directly. It’s now up to each individual manufacturer to implement the fix. Until that happens — or until Apple gives us a way to block connections to unpatched devices — the vulnerability remains partially open.

So we’re left with a choice:

Convenience vs. security.

We shouldn’t have to choose — but for now, we do.

Subscribe now

I’ve been sending texts, emails, and late-night WhatsApps to friends and family for years — every time a major digital security issue popped up, mostly when Apple devices were involved and I felt like the threat wasn’t fully fixed, required extra steps, or just was worth paying close attention to.

It was time-consuming. And people would always ask, “Can I forward this?”

This newsletter is my way of making that easier. I’m working off a basic assumption: that you already keep your devices — Apple devices — up to date with the latest software and security updates.
If I think something’s serious enough to interrupt your day — like the recent Airborne vulnerability — you’ll hear from me. If not, I’ll stay quiet. This won’t be a noisy newsletter. It might go silent for weeks. But when it lands, it’s worth your time.

What to Expect

• ✅ Clear, plain-English updates

• ✅ A primary focus on Apple products

• ✅ Posts only when it matters

• ❌ No geek speak

• ❌ No content filler or endless CVE analysis

📬 Expect updates only when needed — not daily, not weekly.
I’m not here to create noise. I’m here to flag what I’d want my friends to know.

Subscribe now

Disclaimer: This newsletter is for informational purposes only and does not constitute professional cybersecurity advice. While I make every effort to share timely and relevant information, I make no guarantees as to its completeness, accuracy, or currency. The content may not reflect the latest developments and should not be relied on as a sole resource for security decisions.