Haio Posted August 22
Czech Republic-based security researcher Marek Tóth unveiled a series of unpatched zero-day clickjacking security vulnerabilities impacting the browser-based plugins for a wide range of password managers: https://marektoth.com/blog/dom-based-extension-clickjacking/
Is this now fixed in all Enpass Browser Extensions? This is only mentioned in the release notes for the Chrome Extension (6.11.6): "Fixed a clickjacking vulnerability in the extension by preventing popover windows from overlaying the inline menu (Reported by Marek Tóth)"
syriusz Posted August 22
Quote
Is this now fixed in all Enpass Browser Extensions? This is only mentioned in the release notes for the Chrome Extension (6.11.6):
As I can see in the release notes for all three Enpass extensions (Edge, Firefox and Chrome), all of them in version 6.11.6 have this item "Fixed a clickjacking vulnerability...": https://www.enpass.io/release-notes/enpass-browser-extensions/
Anyway - thank you for sharing this issue!
PWManager Posted August 22
Does this issue also affect Safari on iOS, iPadOS and Mac? If so, has it been / will it be fixed? Thanks
Haio (Author) Posted August 22 (edited)
@syriusz You're right, when I posted that, the updates for the extensions had not yet been released.
Edited August 22 by Haio
rfzftz Posted August 22 (edited)
I started a thread about this topic yesterday and it was deleted silently without any comment. In my opinion it is absolutely unacceptable to handle security-related topics in this way. There is still no clear statement from Enpass regarding this vulnerability (especially for Safari). I no longer consider Enpass to be trustworthy due to its handling of such issues.
Edited August 22 by rfzftz
Tarun Singh Rawat Posted August 22
Thank you for reaching out. Ensuring your security is our top priority. We've released updates for all supported browsers starting with extension version 6.11.6. The issue has been confirmed as resolved by the original reporter (check the related blog post). To ensure your security, please update to the latest version (6.11.6) of the Enpass browser extension: https://www.enpass.io/downloads/
rfzftz Posted August 22 (edited)
And why do you delete security-related topics in the forum silently without any comment instead of handling them professionally?
Edited August 22 by rfzftz
PWManager Posted August 23
Sorry, but I still have not seen a definitive response to the question of whether this issue has been resolved for Safari. Or am I missing something? If no plan exists to resolve it on Safari, does this mean that the Enpass browser extension is not secure for use with Safari and Apple users need to move to another password manager?
Amandeep Kumar Posted August 25
We understand the inconvenience and want to assure you that our team is aware of the Safari issue and working on a fix. Your data remains fully encrypted and secure; only certain Safari functionality is affected. The Safari autofill extension is part of the macOS app bundle and will be released by the end of the month. Until then, you can disable the inline autofill popup in Safari Extension Settings ▶︎ "Show Inline Autofill Popup Menu" ▶︎ Off. Thanks for your patience, we'll update this thread once the fix is out.
MrElectrifyer Posted August 27 (edited)
Came across the following article from another tech news reader: DOM-based Extension Clickjacking: Your Password Manager Data at Risk | Marek Tóth
Looks like Enpass is one of the many password manager extensions affected:
Quote
Mitigation
Browser extension developers should focus on the following parts. The missing fix of one method leads to the extension remaining vulnerable.
Extension Element
• styles cannot be changed (MutationObserver)
• using "Closed Shadow-Root"
Parent Element
• BODY/HTML opacity detection
• using the Popover API for the extension should protect this method
Extension Overlay
• last DOM element detection (z-index conflict)
• popover elements listing - when the autofill menu is opened, check if any other "top layer" elements exist
→ if another element exists, the autofill menu should close
→ or just don't show the extension UI if a "popover" element exists
• elementsFromPoint() can be used for partial overlay but cannot be used for popover elements (pointer-events:none are ignored)
→ The content script can temporarily remove pointer-events:none from all popover elements before filling in data, then check the "top layer" state using elementsFromPoint() and fill the data accordingly.
⚠️ No simple protection exists. Some platform-level support should be created - a new browser API protection for this clickjacking technique.
⚠️ The proposed solutions are still handled through JavaScript and conflicts may occur between exploit code and the extension content script (extension white-box analysis can be made). The safest solution is to display a new popup window - but that will be very inconvenient for users. Alternatively, a context menu or a system dialog for autofill may then be displayed.
Consider addressing this issue ASAP, Enpass team.
Edited August 27 by MrElectrifyer
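The mitigation checklist quoted in the post above, turned into content-script logic as an added example. This is not Enpass code and not Marek Tóth's code; the function names (safeToShowAutofillMenu, collectDomState, watchForStyleTampering), the opacity threshold and the sample state are this example's own assumptions. The decisions are written as pure functions over plain objects so they can be exercised without a browser; collectDomState is the glue that gathers the same data from a live document and assumes a browser that supports the :popover-open and :modal selectors and elementsFromPoint().

```javascript
// Added example: pre-flight checks a password-manager content script can run before
// showing (or acting on) an inline autofill menu, following the quoted mitigation list.
// Not Enpass's or Marek Tóth's code; all names and the threshold below are assumptions.

// Assumption: a menu whose effective opacity is below this is treated as hidden.
const MIN_EFFECTIVE_OPACITY = 0.9;

// Effective visibility of the menu host when it is injected in-flow: opacity multiplies
// down the ancestor chain, and display:none / visibility:hidden on any ancestor hides
// it outright. styleChain = [{opacity, visibility, display}, ...] from host up to <html>.
function effectiveVisibility(styleChain) {
  let opacity = 1;
  for (const s of styleChain) {
    if (s.display === 'none' || s.visibility === 'hidden') return 0;
    const o = Number(s.opacity);
    opacity *= Number.isNaN(o) ? 1 : o;
  }
  return opacity;
}

// "BODY/HTML opacity detection": the page has made our UI (nearly) invisible.
function ancestorsHideMenu(styleChain) {
  return effectiveVisibility(styleChain) < MIN_EFFECTIVE_OPACITY;
}

// "popover elements listing": any top-layer element that is not our own host
// (open popover, modal <dialog>, fullscreen element) can be drawn over the menu.
function foreignTopLayerPresent(topLayerElements, ownHost) {
  return topLayerElements.some((el) => el !== ownHost);
}

// "elementsFromPoint() for partial overlay": the topmost element hit-tested at the
// menu's position must be our host (a closed shadow root retargets to it).
function menuIsTopmostAt(hitStack, ownHost) {
  return hitStack.length > 0 && hitStack[0] === ownHost;
}

// Combine the checks. Returns {safe, reasons} so the caller can log why it refused.
function safeToShowAutofillMenu(state) {
  const reasons = [];
  if (ancestorsHideMenu(state.ancestorStyles)) reasons.push('hidden-by-ancestor');
  if (foreignTopLayerPresent(state.topLayer, state.host)) reasons.push('foreign-top-layer');
  if (!menuIsTopmostAt(state.hitStack, state.host)) reasons.push('overlaid');
  return { safe: reasons.length === 0, reasons };
}

// Browser glue: collect the state above from a live document for the menu host
// element at viewport point (x, y). Assumes :popover-open / :modal selector support.
function collectDomState(doc, host, x, y) {
  const win = doc.defaultView;
  const ancestorStyles = [];
  for (let el = host; el; el = el.parentElement) {
    const cs = win.getComputedStyle(el);
    ancestorStyles.push({ opacity: cs.opacity, visibility: cs.visibility, display: cs.display });
  }
  const topLayer = Array.from(doc.querySelectorAll(':popover-open, dialog:modal'));
  if (doc.fullscreenElement) topLayer.push(doc.fullscreenElement);
  // elementsFromPoint() skips elements with pointer-events:none, which a malicious
  // popover can use to hide from hit-testing; lift it only for the duration of the check.
  const saved = topLayer.map((el) => [el, el.style.pointerEvents]);
  let hitStack;
  try {
    for (const el of topLayer) el.style.pointerEvents = 'auto';
    hitStack = doc.elementsFromPoint(x, y);
  } finally {
    for (const [el, v] of saved) el.style.pointerEvents = v;
  }
  return { host, ancestorStyles, topLayer, hitStack };
}

// "styles cannot be changed (MutationObserver)": close the menu if the page touches the
// host's style/class attributes. Pair this with a closed shadow root for the menu body.
function watchForStyleTampering(win, host, onTamper) {
  const observer = new win.MutationObserver(() => onTamper());
  observer.observe(host, { attributes: true, attributeFilter: ['style', 'class', 'hidden'] });
  return () => observer.disconnect();
}

// Constructed sample state (no browser needed): a page that set body { opacity: 0 }
// and opened its own popover on top of where the menu is drawn.
const sampleHost = { id: 'pm-autofill-host' };          // stand-in for the host element
const sampleAttackerPopover = { id: 'attacker-popover' }; // stand-in for the page's popover
const constructedAttackState = {
  host: sampleHost,
  ancestorStyles: [{ opacity: '1' }, { opacity: '0' }, { opacity: '1' }], // host, body, html
  topLayer: [sampleAttackerPopover],
  hitStack: [sampleAttackerPopover, sampleHost],
};
console.log(safeToShowAutofillMenu(constructedAttackState));
// -> { safe: false, reasons: [ 'hidden-by-ancestor', 'foreign-top-layer', 'overlaid' ] }
```

In a real content script the sequence is: build the host with a closed shadow root, call collectDomState() right before the menu opens and again right before filling, refuse on anything but safe === true, and keep the MutationObserver running while the menu is open. The ancestor-opacity check matters for an in-flow host; a host rendered through the Popover API is not affected by ancestor opacity, but the top-layer and hit-test checks still apply to it.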
AnakinCaesar Posted August 28
Maybe you should keep reading the Data Security forum posts here: https://discussion.enpass.io/index.php?/topic/31873-update-on-dom-based-extension-clickjacking-vulnerability-in-enpass-browser-extension-fixed/
MrElectrifyer Posted August 28
Quote
59 minutes ago, AnakinCaesar said: Maybe you should keep reading the Data Security forum posts here: https://discussion.enpass.io/index.php?/topic/31873-update-on-dom-based-extension-clickjacking-vulnerability-in-enpass-browser-extension-fixed/
Great to see it's been addressed already, and my browser extension is up to date (v6.11.6), thanks.
Tarun Singh Rawat Posted August 29
@PWManager We've released version 6.11.14 for the website version of Enpass, including updates to the Safari autofill extension. Please update your app and check if this resolves the issue. We'll let you know when the App Store version is available.
Sleepyhead Posted September 16
Wait, so you were informed about this on April 7, 2025 and didn't inform users until August? And this information release was done in a forum post? This is unacceptable. If users were vulnerable until the fix was released to users in late August, users should have been notified via email prior to the fix so the extension could have been disabled. If my understanding above is correct I must reevaluate my usage of Enpass.
Sleepyhead Posted September 16
To add: the clickjacking method was made public on 9 August 2025. Enpass released an update *after* this, which basically means this was a 0-day attack for anyone to utilise. Very irresponsible if my understanding here is correct.
AnakinCaesar Posted September 16
Seems like you don't understand the silent agreement in cyber security and how things are handled. After a disclosure in private (April), Enpass rolled out a temporary fix in May. While working on a permanent solution, the world was notified that this problem exists (August) and then Enpass rolled out a permanent fix just 4 days later (some popular managers still have no fix [1Password, LastPass, KeePass, iCloud]...). This is still common and in my eyes quite a rapid reaction. Also, change logs indicated the fix in May already. There is a common ground that has to be found between telling users and risking "bad guys" actively acting on the notification, and not telling the users and increasing the chance of the vulnerability not gaining a lot of attention. It's a fine line.
Amandeep Kumar Posted September 17
@Sleepyhead As soon as we were directly updated about this threat, our team worked quickly to release a fix that significantly mitigated clickjacking. Developing a permanent solution required additional time due to its complexity, but we delivered it in August, shortly after the threat became public. You can rest assured that at Enpass, protecting your data is always our top priority, and we remain committed to never letting you down.
@AnakinCaesar Thank you for spreading awareness and for your support. We truly appreciate how you acknowledged and explained our efforts in this matter.