For years, password managers have been promoted as one of the safest ways to store and manage login details. They keep everything in one place, help generate strong credentials, and protect against weak or reused passwords. But new research has uncovered a weakness in several widely used browser extensions that could expose sensitive information for millions of people.
Details about the flows
Security researchers recently found that 11 different password manager extensions share a vulnerability linked to the way they rely on the Document Object Model (DOM). The DOM is part of how web pages are structured, and in this case, it opens a door to a technique known as “clickjacking.”
Clickjacking works by tricking users into clicking on invisible or disguised elements of a web page. For example, a malicious site may look legitimate but contain hidden layers. A single misplaced click can unintentionally activate the password manager’s autofill function. Once that happens, the manager may begin entering saved credentials directly into the attacker’s page.
The danger lies in how quietly this happens. Users often close the site without realizing that their passwords or even stored credit card information and personal details like addresses or phone numbers may already have been copied by attackers.
The scale of the issue
The affected list includes s
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: