Particle.news


Clickjacking Flaw Puts Browser Password Managers at Risk as Some Vendors Delay Fixes

Researcher Marek Tóth demonstrated DOM-based attacks that hijack autofill UI to exfiltrate credentials, TOTP codes, and payment data.

Image: Password manager hack

Overview

  • Tóth’s DEF CON 33 presentation and accompanying blog post detail tests of 11 popular password-manager browser extensions; all 11 were found vulnerable, representing nearly 40 million active installations combined.
  • The technique uses hidden or transparent overlays to redirect a user’s click onto the extension’s injected autofill controls, so a single click on an attacker-controlled page, or on a legitimate page with an XSS flaw, is enough to trigger autofill and exfiltrate the data.
  • Fixes have shipped for Dashlane, NordPass, ProtonPass, RoboForm, and Keeper, while Bitwarden says version 2025.8.0 with a fix is rolling out this week.
  • 1Password, iCloud Passwords, Enpass, LastPass, and LogMeOnce are reported as still vulnerable; 1Password and LastPass labeled the report informative, and LogMeOnce says a security update is in progress.
  • Socket independently verified the findings and contacted US-CERT to request CVE identifiers. Until a fixed version is installed, users are urged to disable autofill and copy/paste credentials instead, or to set the extension’s site access to “on click” so it only runs when deliberately invoked.
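The overlay technique works because page CSS can reach the element the extension injects (or a page-controlled ancestor of it) and make it transparent while it still receives the click. One class of defence is for the extension to check, before honouring a click on its control, that the event is user-generated and that the control is actually rendered visible. The following is an added example written for this page; it is not code from the page, from Marek Tóth, or from any vendor named above, and it does not describe how any vendor’s fix works. The two browser lookups it needs, getComputedStyle and document.elementFromPoint, are passed in as functions so the logic runs offline against a constructed DOM stand-in; all names (collectStyleChain, shouldHonorClick, MIN_OPACITY) are hypothetical.

```javascript
// Added example, not from the page or any vendor: a pre-click visibility
// check for an extension-injected autofill control. Hypothetical names.

const MIN_OPACITY = 0.9; // anything fainter is treated as hidden from the user

// Walk from the control up to the root, recording the properties a page can
// use to hide it. getStyle(el) returns computed style; in a browser pass
// (el) => getComputedStyle(el). Opacity compounds through ancestors, so one
// opacity:0 on a page-controlled wrapper hides the whole injected subtree.
function collectStyleChain(el, getStyle) {
  const chain = [];
  for (let node = el; node; node = node.parentElement) {
    const cs = getStyle(node);
    chain.push({
      display: cs.display ?? 'block',
      visibility: cs.visibility ?? 'visible',
      opacity: Number(cs.opacity ?? 1),
    });
  }
  return chain;
}

function effectiveOpacity(chain) {
  return chain.reduce((acc, s) => acc * s.opacity, 1);
}

function isRenderedVisible(chain) {
  if (chain.some((s) => s.display === 'none' || s.visibility === 'hidden')) return false;
  return effectiveOpacity(chain) >= MIN_OPACITY;
}

// Decide whether a click on the control may trigger autofill.
//   control:   the extension's injected element
//   event:     the click event; browsers set isTrusted=false on clicks
//              dispatched by page script rather than by the user
//   hitTarget: what document.elementFromPoint(x, y) returns for the click
//   getStyle:  computed-style lookup (injected so the check is testable)
function shouldHonorClick({ control, event, hitTarget, getStyle }) {
  if (!event.isTrusted) return { ok: false, reason: 'synthetic event' };
  if (hitTarget !== control && !control.contains(hitTarget)) {
    return { ok: false, reason: 'click delivered to a different element' };
  }
  const chain = collectStyleChain(control, getStyle);
  if (!isRenderedVisible(chain)) {
    return { ok: false, reason: `control not visible (opacity ${effectiveOpacity(chain)})` };
  }
  return { ok: true, reason: 'trusted click on a visible control' };
}

// ---- constructed DOM stand-in so the example runs outside a browser ----
function makeNode(id, style, parent = null) {
  const node = { id, style, parentElement: parent, children: [] };
  node.contains = (other) => {
    for (let n = other; n; n = n.parentElement) if (n === node) return true;
    return false;
  };
  if (parent) parent.children.push(node);
  return node;
}
const getStyle = (el) => el.style; // stands in for getComputedStyle

// html > body > host(page-styleable wrapper) > autofill-item(the control)
function buildScenario(hostOpacity) {
  const html = makeNode('html', {});
  const body = makeNode('body', {}, html);
  const host = makeNode('host', { opacity: hostOpacity }, body);
  const control = makeNode('autofill-item', { opacity: 1 }, host);
  return { control };
}

// Benign page: wrapper fully opaque, so the click is honoured.
const benign = buildScenario(1);
const benignResult = shouldHonorClick({
  control: benign.control, event: { isTrusted: true }, hitTarget: benign.control, getStyle,
});

// Clickjacking page: wrapper set to opacity 0 so a decoy shows beneath; refused.
const hijacked = buildScenario(0);
const hijackedResult = shouldHonorClick({
  control: hijacked.control, event: { isTrusted: true }, hitTarget: hijacked.control, getStyle,
});
```

In a browser the only wiring needed is `getStyle = (el) => getComputedStyle(el)` and `hitTarget = document.elementFromPoint(event.clientX, event.clientY)`. The check deliberately covers only display, visibility and compounded opacity; clip-path, transforms and off-screen positioning can hide an element just as well, so a production check would need to cover those too, and a control rendered inside an extension-origin iframe can only inspect its own document, not the page-side styles applied to the iframe element.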