Major Password Managers Can Leak Logins in Clickjacking Attacks

Posted5 months agoActive4 months ago

elric

11 points

2 comments

bleepingcomputer.comTechstory

skepticalnegative

Debate

0/100

Password ManagersSecurity VulnerabilitiesClickjacking Attacks

Key topics

Password Managers

Security Vulnerabilities

Clickjacking Attacks

Major password managers can leak logins in clickjacking attacks, raising concerns about their security.

Snapshot generated from the HN discussion

Discussion Activity

Light discussion

First comment

Peak period

4-6h

Avg / period

Key moments

01Story posted
Aug 21, 2025 at 3:24 AM EDT
5 months ago
Step 01
02First comment
Aug 21, 2025 at 9:17 AM EDT
6h after posting
Step 02
03Peak activity
1 comments in 4-6h
Hottest window of the conversation
Step 03
04Latest activity
Aug 21, 2025 at 11:34 PM EDT
4 months ago
Step 04

Generating AI Summary...

Analyzing up to 500 comments to identify key contributors and discussion patterns

Discussion (2 comments)

Showing 2 comments

ziml77

5 months ago

1 reply

I'm confused about how this can actually do any damage when it comes to filling in passwords. If the password manager is suggesting to fill a password then it means you're on the site that password is valid for.

Sophira

4 months ago

As I understand it from reading the article, the sites that are vulnerable are specifically vulnerable to XSS (cross-site scripting) attacks. In other words, there are attacks from someone not affiliated with the site, and are getting the site to display things and execute scripts that shouldn't be on the site. And, presumably, these scripts will be able to send the leaked password elsewhere.

For example, say a site asked for your name and then displayed it. If the site allowed you to say that your name was "<script>console.log('XSS');</script>", and it didn't use HTML entities to encode the problematic characters, then the script would actually run on the page.

A malicious site might be able to abuse that functionality. If they convince you to click on a specially crafted link or button that sends a request to the other site, the malicious site might be able to run a script in the context of the other site that you didn't intend for it to run. That would then be a successful XSS attack, and is the kind of attack that's being mentioned here.

In this case, the attack sounds like it would leak the password that your password manager might autofill.

View full discussion on Hacker News

ID: 44970034Type: storyLast synced: 11/20/2025, 12:20:30 PM

Want the full context?

Jump to the original sources

Read the primary article or dive into the live Hacker News thread when you're ready.

Open link View on HN