Enpass Discussion Forum

Update on DOM-Based Extension Clickjacking Vulnerability in Enpass Browser Extension (FIXED)


Earlier this year, we learned about a browser extension vulnerability that could have exposed users to clickjacking. We acted promptly to investigate, patch, and ultimately release a complete fix. 

 

Here's what happened 

On April 7, 2025, security researcher Marek Tóth contacted Enpass to responsibly disclose a clickjacking vulnerability in the Enpass browser extension. 

Clickjacking is a web-based attack in which a malicious site tricks users into clicking something unintended. In this case, a malicious webpage could exploit the vulnerability to trick a user into exposing a credential stored in Enpass by altering attributes, such as the transparency, of the inline autofill menu.

 

How We Responded Promptly 

As soon as we were notified, the Enpass team immediately acknowledged the report and began working on a fix.

 

  • May 12, 2025 - We issued a partial fix in Enpass Browser Extension v6.11.4, which addressed cases where a malicious page or script could manipulate the transparency of input fields and the inline autofill menu. Thorough mitigation required additional effort, so our engineers continued to work on a permanent fix.
  • August 13, 2025 - We rolled out the releases for all supported browsers via extension version 6.11.6 and later. The reporter has acknowledged that the fix works (check the related blog post). 

 

What You Should Do 

To stay protected, make sure you’ve updated to the latest version (6.11.6) of the Enpass browser extension.  

 

We extend our sincere appreciation to Marek Tóth, who reported this issue responsibly.
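The transparency manipulation described above can be countered by checking how visible the autofill menu really is before acting on a click. The following is an added example, not code from Enpass or from this post; the function names, the 0.9 threshold and the plain-object element trees are assumptions made so that it runs outside a browser.

```javascript
// Added example (not Enpass code): refuse to autofill when the inline menu
// has been made transparent, directly or through any ancestor element.
// In a content script, getStyle would be (el) => getComputedStyle(el) and
// parentOf would be (el) => el.parentElement; here both read constructed objects.

const MIN_OPACITY = 0.9; // assumed threshold, not a value from the post

// CSS opacity composes multiplicatively down the tree, so a fully opaque
// menu inside a 0.01-opacity wrapper is still invisible to the user.
function effectiveOpacity(node, getStyle, parentOf) {
  let product = 1;
  for (let n = node; n; n = parentOf(n)) {
    const raw = parseFloat(getStyle(n).opacity);
    // An unset or unparseable value behaves as 1; clamp the rest to [0, 1].
    const own = Number.isNaN(raw) ? 1 : Math.min(1, Math.max(0, raw));
    product *= own;
  }
  return product;
}

// Runs the fill callback only if the user could actually see the menu.
function fillIfVisible(menu, fill, getStyle, parentOf) {
  if (effectiveOpacity(menu, getStyle, parentOf) < MIN_OPACITY) {
    return false; // a click on an invisible menu is not treated as consent
  }
  fill();
  return true;
}

// Constructed sample trees standing in for DOM elements.
const getStyle = (n) => n.style;
const parentOf = (n) => n.parent;

const normalBody = { style: { opacity: "1" }, parent: null };
const normalMenu = { style: {}, parent: normalBody };

const fadedBody = { style: { opacity: "0.01" }, parent: null };
const wrapper = { style: { opacity: "1" }, parent: fadedBody };
const hiddenMenu = { style: { opacity: "1" }, parent: wrapper };

function demo() {
  let fills = 0;
  const okNormal = fillIfVisible(normalMenu, () => fills++, getStyle, parentOf);
  const okHidden = fillIfVisible(hiddenMenu, () => fills++, getStyle, parentOf);
  return { okNormal, okHidden, fills };
}
```

As the post notes, handling transparency alone was only a partial fix, so a check like this is one layer rather than a complete mitigation.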

This topic is now closed to further replies.
