This vulnerability was discovered by security researchers from The Hacker News. The following password managers have affected browser extensions that are based on DOM (Document Object Model):
- 1Password
- Bitwarden
- Dashlane
- Enpass
- iCloud Passwords
- Keeper
- LastPass
- LogMeOnce
- NordPass
- ProtonPass
- RoboForm
The important part:
Bitwarden has provided a new version of its plugin that addresses the problem.
FTW 🤘🏼
The only real fix to this is to have the extensions confirm that they want their information to autofill. We have come full circle. Users do not like having to confirm autofill on every page.
Also, clickjacking isnt limited to password managers. Even if a user is very careful and manually enter credentials themselves, this can still affect them.
If you do not have autofill enabled, then you are not affected by this vulnerability. It has been recommended for years to not use autofill. Always clickfill your data when you know you are at the trusted destination.
If that’s the issue, why is ProtonPass on the list? It doesn’t have autofill as far as I know.
It does, they even list it as a feature on their front page.
I wasn’t able to find it for my father.
He decided he was willing to switch without it.
Laughs in KeePass
This is why I don’t use a password manager. I just keep a plain text doc in my OneDrive® so I have the one password I use for everything where ever I need it.
Me reading your comment:
I suggest replacing OneDrive® with a public paste on pastebin. That way you won’t have to remember the password for your Microsoft account.
I tried that, but my password always kept changing to dead links for torrent trackers.
checks the list
no keepass
my only allowed work pc password manger is on the list
Good to know I’m unaffected ☺️
pc password manger
PW: !babyJ3sus123! 😜
I read an article about this a week ago and it said most of them already patched it.
There is an image in this article, showing nearly half of them have already.
They also say bitwarden is fixed but the image disagrees
I deliberately chose KeePass with no Webbrowser extension and no cloud service that other password managers and password manager services provide to reduce risks.
Webbrowsers are very interconnected tech with non-obvious relations and risks. Having my webbrowser access my password database feels inherently irritating.
Webbrowser’s own password managers with optional sync have the benefit of auto-fill only being offered for the correct domain names. But I’d never store my critical passwords in them.
Having to launch a separate password manager, enter a long master key, and then copy-paste/trigger-auto-type the content from it is cumbersome, but the only way to add a reasonable robust separation.
I am once again asking what are the benefits of integrating your password manager into your browser? You can do all of the link verification you want outside of password manager integration.
Because i think that my Clipboard is also not secure. There are so many applications that prefill when they detect something in your clipboard that i prefer to skip this step.
You should try what another person on here does and store them in a “trusted” microsft cloud drive \s
In KeePass you can use auto-typing or the clipboard. Evading the clipboard is certainly good security practice.
Browsers are insanely complex pieces of software with millions of lines of code. Clipboards have a much smaller attack vector than an entire web browser. And if you’re concerned with security you should be using wayland, which I believe mitigates a lot of input access to many applications. I am trying to do reading to find some citations on this. Furthermore, password managers will automatically clear the clipboard after a few seconds as well. If you believe you are running malicious applications that are already monitoring all of your data like some sort of keylogger, then your web browser is already lost.
The clipboard is about the weakest of all points of ‘security’.
Any program or app can just poll and even alter the clipboard to see when the copied data changes, and copy the newly changed data, and even modify it, or store it in a hidden/online database.
I did this for legit local purposes, to do things like type a math formula into notepad, cut it into the clipboard, and the background service could solve the formula, then when you paste it back in, the clipboard data now contains the solution to 355/113…
The clipboard is like the absolute last place you want to copy your private information, because basically anything can access it with ease.
https://emersion.fr/blog/2020/wayland-clipboard-drag-and-drop/
The source client needs to be the currently focused application. This prevents background applications from unexpectedly changing the clipboard contents right before the users pastes it.
The destination client needs to listen to wl_data_device events to keep track of the current clipboard contents. The destination client will only receive such events if it’s focused. This prevents background applications from arbitrarily reading the clipboard (which may contain sensitive data such as passwords).
The graphical application must be in focus to gain access to the clipboard, and wayland is designed to prevent such focus stealing*. As mentioned earlier, password managers such as keepassxc will automatically clear your clipboard after copying sensitive data - this is a configurable behavior. This means that no other application should have the opportunity to steal focus, and your clipboard should be cleared of sensitive content before you open up a privacy dismissive application that wants to surveil your clipboard.
*I need to do a bit more digging to find further verification of this focus stealing prevention behavior of wayland, and if I can find that information I will cite here.
I noticed you were discussing the “notepad”, are you talking about the windows operating system? I cannot speak on its clipboard management, unfortunately. That said, I would not run the windows operating system if I cared about privacy. The erosion of privacy destroys any semblance of security, eh?
Edit: Following up, I did find some information from the vim text editor that discusses stealing focus in wayland. You can read about it here https://vimhelp.org/wayland.txt.html#wayland-focus-steal . So far, it appears as though applications do not have access to the clipboard unless focused, which is a design on wayland’s part to secure this. However, vim is showcasing a way to steal focus and thus subvert this security effort? It does note that if you are in a full screen mode then it cannot steal focus. Anyway, more reading to be done still. There appears to be methods of determining an application is doing this “focus stealing”
Note that this method can have several side effects from the result of focus stealing. For example, if you have a taskbar that shows currently opened apps in your desktop environment, then when Vim attempts to steal focus, it may “flicker,” as if a window was opened then immediately closed after.
So with this behavior in mind, and with the way the clipboard works, no application would know what contents are inside the clipboard until in focus. Therefor an application would either have to “guess” when sensitive content is available, or steal focus quite often. The former being unlikely, and the latter most likely being able to be detected by the user.
Indeed I was referring to what I’m more familiar with regarding the clipboard, Windows, more particularly XP era.
It’s really neat and handy what all honest and local background services can do with an open clipboard, but yeah it’s also a total security nightmare when used nefariously.
I don’t know all that much about any newer versions of Windows, as I switched to Linux after the Windows 8 disaster came out.
I’m also not familiar with Wayland quite yet, though I’ve heard of it for a few years now. Anyways, I just play it safe and never copy any personal information into the clipboard, nor do I use a password manager, that’s what I have good brain memory for…
Thank you making me smarter!
There is one thing i don’t understand though. Wouldn’t the password manager need to have its window focused to clear the clipboard? And wouldn’t that allow any focused window to extract the information in the mean time?
Any time, we’re all in this together after all. I needed to learn some here as well, and if anybody comes by with follow up knowledge it is welcome.
As far as wayland works, source clients (the application you copy from) can clear the clipboard without stealing the focus. Note that if you copy from another client, the source client is now changed to the new one and the password manager will no longer be able to clear your clipboard. And this behavior is easily verifiable.
Unfortunately I am unsure if any focused application obtains access to clipboard content immediately or if the user needs to initiate some sort of
Ctrl+vbehavior. This would need to be followed up on. However, that is why I give my password manager a 10 second timeout to clear the clipboard. Honestly it could be shorter. But I do not alt tab through a bunch of random applications in the mean time. Typically I go straight to where the authentication is needed, and nowhere else. Meaning my clipboard should be cleared of sensitive data before I ever give clipboard access to another app.Better than other graphical compositors which simply broadcast your clipboard content to the entire ecosystem.
So where we’re at is 1) do apps get access to the clipboard immediately upon focus, and 2) what is happening where it appears some applications have hacked a way to steal focus.
Passkeys don’t seem vulnerable to this. Why we still have username/password combos in 2025 is beyond me.Edit: Downvoted myself because I’m obviously wrong.
Passkeys were very much vulnerable, based on the original articles charts.
I guess I’ve never understood how storing all of your password behind one password is the slightest bit secure.
