Is your password manager under threat?

Password managers are great – we love them. And that’s for two reasons. Firstly, for convenience. Everything in one place, autofilling fields when you need them. Secondly, security. Again, everything in one place, and not scattered about in notes apps, on scraps of paper or a badly hidden Word document.

The trouble is, they’re not perfect. Even password managers are susceptible to nefarious acts, and this latest browser-based hack is a pretty nasty one. In simple terms, if you have a browser extension for your password manager, this hack “clickjacks” your cursor and tricks you into sharing your login information or card details.

So how does it do it?

It’s frustratingly straightforward. There are hidden fields on the website, often disguised as regular UI elements like an “accept cookies” button or a harmless pop-up. 

Upon clicking, the fields trick the password manager into sharing data, the same way it would in a genuine login field or payment field.

And that’s it. The damage is done. The site has your details, and you are none the wiser.

Different password managers handle fields in different ways, but for the most part, this affects all password managers in some way or another. So, whether you’re using 1Password, Bitwarden, or any other browser extensions of this kind, be wary.
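The hidden fields described above can also be looked for from the defender's side. This added example (not from the original post or from any password manager vendor) flags login and payment-style inputs that a visitor could not see; the field-name patterns, thresholds and function names are assumptions chosen for illustration.

```javascript
// Added example: heuristic audit for autofill-style fields a visitor cannot see.
// Field-name patterns and thresholds are assumptions chosen for illustration.
const SENSITIVE = /pass|user|email|login|cc-|card|cvc|cvv|one-time-code/i;

// f: { type, autocomplete, name, opacity, width, height, left, top }
// opacity is the product of the field's and all ancestors' CSS opacity;
// left/top are document coordinates. Returns reasons (empty = looks fine).
function hiddenAutofillReasons(f) {
  const sensitive = f.type !== 'hidden' && // type=hidden is ordinary form plumbing
    (f.type === 'password' || SENSITIVE.test(`${f.autocomplete} ${f.name}`));
  if (!sensitive) return [];
  const reasons = [];
  if (f.opacity < 0.1) reasons.push('near-transparent');
  if (f.width < 2 || f.height < 2) reasons.push('collapsed');
  if (f.left + f.width <= 0 || f.top + f.height <= 0) reasons.push('off-page');
  return reasons;
}

// Browser-only adapter: measure a live <input> element.
function snapshot(el) {
  let opacity = 1;
  for (let n = el; n && n.nodeType === 1; n = n.parentElement) {
    opacity *= parseFloat(getComputedStyle(n).opacity);
  }
  const r = el.getBoundingClientRect();
  return {
    type: el.type, autocomplete: el.autocomplete || '', name: el.name || '',
    opacity, width: r.width, height: r.height,
    left: r.left + window.scrollX, top: r.top + window.scrollY,
  };
}

// Browser-only: audit every input, e.g. auditPage(document) in devtools.
function auditPage(doc) {
  return [...doc.querySelectorAll('input')]
    .map(el => ({ el, reasons: hiddenAutofillReasons(snapshot(el)) }))
    .filter(hit => hit.reasons.length > 0);
}

// Constructed sample snapshots (not captured from any real site).
const SAMPLES = [
  { type: 'password', autocomplete: 'current-password', name: 'pw', opacity: 1, width: 240, height: 32, left: 100, top: 200 },
  { type: 'text', autocomplete: 'cc-number', name: 'n1', opacity: 0.001, width: 240, height: 32, left: 100, top: 400 },
  { type: 'text', autocomplete: 'username', name: 'u', opacity: 1, width: 1, height: 1, left: -5000, top: 0 },
  { type: 'text', autocomplete: 'off', name: 'search', opacity: 0, width: 0, height: 0, left: 0, top: 0 },
];
function auditSamples() {
  return SAMPLES.map(hiddenAutofillReasons);
}
```

Legitimate sites also hide fields for their own reasons, so a hit is a prompt to look closer rather than proof of an attack.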

What can I do?

Well, for now, we wait. The onus is currently on the app developers to issue software updates. Keep a close eye on release notes so that you know exactly when this vulnerability has been fixed.

Until then, switch off autofill and tread gingerly, wherever you are on the web. That’s right, don’t get complacent. It doesn’t have to be a random or unknown site – this can happen to you anywhere.

As of Aug 2025

If you use Dashlane, Keeper, NordPass, Proton Pass or RoboForm, you’re all good.

If you use 1Password, Bitwarden, Enpass, iCloud Passwords, LastPass or LogMeOnce, then disable autofill for now and check for updates.

Be careful out there! 

And as always, if any of your software or tech is bugging you, get in touch. We’d love to help.

For more information, check out this recent article from The Hacker News:

DOM-Based Extension Clickjacking Exposes Popular Password Managers to Credential and Data Theft
