URGENT - New Browser Exploit Affects Password Managers
What You Need to Know
Developing Situation | August 20, 2025
Referenced from: The Hacker News
A new security flaw has been found in browser extensions, including many popular password managers. It uses a trick called clickjacking, where a website secretly hijacks your clicks. You think you’re clicking one thing, but behind the scenes, you’re actually opening your password manager—giving the site access to your saved passwords, payment cards, and multi-factor authentication codes.
Example
It’s like clicking a “close ad” button, but instead it silently opens your vault and exposes everything inside.
What to do right now
Until more details are confirmed, here’s the safe approach:
On your computer
Disable autofill for passwords and credit cards in your browser and computer settings.
Turn off or remove password manager browser extensions, just for now.
Don’t click links. Verify them first, and manually type them into the address bar if you need to go there.
On your phone
Also turn off autofill in your mobile browser and phone settings.
Don’t trust in-app browsers or popups.
Private or incognito mode doesn’t protect you
Private or incognito mode doesn’t turn off autofill by default. Your saved credentials and cards can still fill in unless you’ve disabled autofill.
Test your settings
Here’s a simple test to check if autofill is truly off—on desktop or mobile:
Open your browser (regular and private/incognito).
Visit any login page (like Google or Facebook).
If anything fills in automatically—like your email, password, or card—autofill is still on.
If you see anything filled in, go back into your browser and password manager settings to turn autofill off. That’s the best way to lock things down.
Why it matters
This isn’t about someone guessing your password. It’s about a website tricking your browser into entering it for you.
Most password managers haven’t issued fixes yet. Some may not be able to.
As of August 20, 2025, only Dashlane, Keeper, NordPass, Proton Pass and RoboForm have confirmed a fix. Others, including but not limited to 1Password, LastPass, Enpass, iCloud Passwords, and LogMeOnce, still appear vulnerable. You’ll need to stay on top of the tools you use.
Final word
It’s early. But cautious users should assume the worst until more is confirmed.
Disable autofill everywhere. Use copy-paste from your vault if needed. It might feel like going back to the old days, but it’s safer for now.
We’ll update this as new info comes in.


