Password managers and Passkeys: they are not invulnerable, as two recent discoveries demonstrate
In recent years, we have witnessed a significant evolution in digital security: password managers and passkeys have been presented as innovative solutions to minimize the risks associated with the use of weak or reused passwords. However, recent research presented at DEF CON 33 demonstrates that even these technologies are not free from vulnerabilities. And this should give us pause: no solution is ever completely secure.
Password managers vulnerable to “DOM-based Extension Clickjacking”
An attack demonstrated by researcher Marek Tóth has highlighted a new type of threat: DOM-based Extension Clickjacking.
This is a variant of traditional clickjacking, in which a user is tricked into clicking on a seemingly harmless element (for example, a cookie banner or a CAPTCHA), but in reality their click is intercepted and redirected to an invisible browser interface.
In this specific case, the target was password managers: the click could induce the extension to autofill login fields and, as a result, send credentials, 2FA codes, payment details, or even passkeys directly to attackers.
According to the researcher, ten of the most popular password managers were vulnerable, including 1Password, Bitwarden, Enpass, iCloud Passwords, LastPass, and LogMeOnce. Some providers—such as Dashlane, NordPass, ProtonPass, RoboForm, and Keeper—responded quickly by releasing corrective patches, while others are still working to mitigate the issue.
The practical advice, while waiting for all the fixes to be distributed, is simple: disable automatic autofill and only use credential filling when explicitly requested via the extension icon.
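The fixes described above amount to the extension refusing to honour a click on its own autofill UI when a page has made that UI invisible or covered it. As an added illustration (not code from the article or from any password-manager vendor), here is such a defensive check written against a plain-object model of the DOM so it runs outside a browser; the node shapes, the `MIN_VISIBLE_OPACITY` threshold and the injected `elementFromPoint` callback are assumptions.

```javascript
// Added example: a check a password-manager extension could run before acting
// on a click on its injected autofill dropdown. A click is refused when the
// dropdown is collapsed, effectively transparent (opacity zeroed anywhere up the
// ancestor chain, or hidden), or occluded by another element at its centre.
// Node shape (assumed): { id, style: {opacity, visibility, display}, rect: {x,y,width,height}, parent }

const MIN_VISIBLE_OPACITY = 0.9; // assumption: anything dimmer counts as hidden

// Multiply opacity through every ancestor; any hidden/display:none ancestor hides the node.
function effectiveOpacity(node) {
  let opacity = 1;
  for (let n = node; n; n = n.parent) {
    if (n.style.visibility === 'hidden' || n.style.display === 'none') return 0;
    const o = parseFloat(n.style.opacity ?? '1');
    opacity *= Number.isNaN(o) ? 1 : o;
  }
  return opacity;
}

function isCollapsed(rect) {
  return !rect || rect.width < 1 || rect.height < 1;
}

// elementFromPoint(x, y) -> node | null; in a browser this is document.elementFromPoint.
// Returns { safe, reason } so the caller can log why an autofill was refused.
function autofillClickVerdict(ui, elementFromPoint) {
  if (isCollapsed(ui.rect)) return { safe: false, reason: 'collapsed' };
  if (effectiveOpacity(ui) < MIN_VISIBLE_OPACITY) return { safe: false, reason: 'transparent' };
  const cx = ui.rect.x + ui.rect.width / 2;
  const cy = ui.rect.y + ui.rect.height / 2;
  // Accept the dropdown itself or one of its own descendants as the topmost element.
  let n = elementFromPoint(cx, cy);
  while (n && n !== ui) n = n.parent;
  if (n !== ui) return { safe: false, reason: 'occluded' };
  return { safe: true, reason: 'visible' };
}

// Constructed sample: a page that has set opacity:0 on the extension's container.
const page = { id: 'body', style: {}, rect: { x: 0, y: 0, width: 1200, height: 800 }, parent: null };
const host = { id: 'pm-host', style: { opacity: '0' }, rect: { x: 100, y: 200, width: 300, height: 120 }, parent: page };
const dropdown = { id: 'pm-dropdown', style: {}, rect: { x: 100, y: 200, width: 300, height: 120 }, parent: host };

console.log(autofillClickVerdict(dropdown, () => dropdown)); // { safe: false, reason: 'transparent' }
```

In a real content script the styles would come from `getComputedStyle` and the check must be re-run at click time, since a page can restyle the dropdown after it has rendered.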
Passkeys aren't as secure as they seem
Password managers aren't the only ones in the spotlight. Another study, presented by researcher Shourya Pratap Singh (SquareX), has raised doubts about the robustness of passkeys, considered by many to be the definitive evolution of passwords.
The problem isn't the cryptographic core of passkeys—based on asymmetric key pairs, which is inherently very secure—but rather the context in which they are managed: browsers.
If a malicious extension or script manages to infiltrate the registration process, it can replace the user's legitimate key with one under its control. In this way, the authentication system is compromised at its root, without the user realizing it.
This discovery doesn't mean that passkeys should be abandoned, but it reminds us that their security depends largely on the reliability of the environment in which they are generated and used.
No technology is infallible
These two cases demonstrate that even the most advanced solutions can be targeted. This isn't to question the validity of password managers or passkeys, but to remember that every innovation also introduces new attack surfaces.
For users, the main recommendations remain:
- Constantly update password managers, browsers, and extensions.
- Limit automatic autofill and use it only when strictly necessary.
- Pay attention to the extensions you install and only download them from trusted sources.
- Don't let your guard down: no technology allows you to abandon personal vigilance.
Conclusion
Password managers and passkeys certainly represent a step forward compared to the use of traditional passwords, but they should not be considered "hardened." As evidence from DEF CON 33 demonstrates, attackers are always finding new ways to bypass security systems.
The lesson is simple: cybersecurity is never definitive, but rather a continuous process of updates, awareness, and best practices.