Clickjacking & Password Managers: A Reminder to Layer Your Defenses

A clickjacking vulnerability was recently discovered in password managers that can expose sensitive data such as login credentials, 2FA codes, and even credit card information. Thankfully, most password managers have already been patched, but it’s an important reminder to never rely on just one security layer!

What is Clickjacking?

Attackers can embed invisible login forms into malicious websites. When users click anywhere on the page—such as to dismiss a pop-up—the password manager may auto-fill credentials into these hidden forms, which are then stolen.

Am I Affected?

Keeper, the password manager we recommend and manage for our clients, was affected by this exploit. They already fixed the issue in version 17.1.2, so if your Keeper extension is version 17.1.2 or higher, you are safe! Here’s how to check: Keeper Help Guide.
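For anyone checking more than one machine, the version test above can be scripted. This is an added example, not code from Keeper or from this article; it assumes the usual Chromium on-disk layout for extensions, and the extension ID is a value you supply yourself (none is given on this page).

```python
import json
import sys
from pathlib import Path

FIXED_VERSION = "17.1.2"  # first fixed Keeper extension release, per the article


def parse_version(text):
    """Turn '17.1.10' into (17, 1, 10) so comparison is numeric, not alphabetical."""
    return tuple(int(part) for part in text.strip().split("."))


def is_patched(installed, fixed=FIXED_VERSION):
    """True when the installed version is the fixed release or newer."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))  # '17.2' is compared as 17.2.0
    b += (0,) * (width - len(b))
    return a >= b


def audit_profile(extensions_dir, extension_id):
    """Return [(version, patched)] for every installed copy of one extension.

    Assumed layout: <profile>/Extensions/<extension_id>/<version>_<n>/manifest.json
    """
    base = Path(extensions_dir, extension_id)
    if not base.is_dir():
        return []  # extension not installed in this profile
    results = []
    for manifest in sorted(base.glob("*/manifest.json")):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8-sig"))
            version = data["version"]
            results.append((version, is_patched(version)))
        except (OSError, ValueError, KeyError, AttributeError):
            # Unreadable or malformed manifest: report it as not patched
            # so that someone reviews the machine by hand.
            results.append((manifest.parent.name, False))
    return results


if __name__ == "__main__" and len(sys.argv) == 3:
    # usage: python audit.py <profile Extensions directory> <extension id>
    for version, ok in audit_profile(sys.argv[1], sys.argv[2]):
        print(f"{version}: {'patched' if ok else 'UPDATE REQUIRED'}")
```

Comparing versions as numbers matters here: a plain string comparison would rank 17.1.10 below 17.1.2 and flag a patched install as vulnerable.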

What This Means for Your Security

This serves as an important reminder that you cannot rely on any single layer of security. Any one tool can fail, so a layered security approach is the best way to stay protected.

  • Use multifactor authentication for all logins
  • Keep software and extensions updated
  • Use your firewall’s web content filter to prevent traffic from going to suspicious websites
  • Strictly manage permissions to limit the damage a compromised account can do

By layering your security, you can cover gaps without relying on a single point of failure. After all, you wouldn’t give a hacker just one hurdle to jump. You want them to have as many opportunities to trip as possible!

Copyright © leeshanok.com