This vulnerability was discovered by security researchers from The Hacker News. The following password managers have affected browser extensions that are based on DOM (Document Object Model):
- 1Password
- Bitwarden
- Dashlane
- Enpass
- iCloud Passwords
- Keeper
- LastPass
- LogMeOnce
- NordPass
- ProtonPass
- RoboForm
The only real fix to this is to have the extensions confirm that they want their information to autofill. We have come full circle. Users do not like having to confirm autofill on every page.
Also, clickjacking isn't limited to password managers. Even if a user is very careful and manually enters credentials themselves, this can still affect them.
If you do not have autofill enabled, then you are not affected by this vulnerability. It has been recommended for years to not use autofill. Always clickfill your data when you know you are at the trusted destination.
If that’s the issue, why is ProtonPass on the list? It doesn’t have autofill as far as I know.
It does, they even list it as a feature on their front page.
I wasn’t able to find it for my father.
He decided he was willing to switch without it.