Dr. Dominik Schürmann
August 21, 2025

Analysis of DOM-based Extension Clickjacking

At DEF CON 33, a new attack technique against password managers was presented: DOM-based Extension Clickjacking (marektoth.com, socket.dev). A malicious or compromised page hides the autofill UI that a password manager's browser extension injects into the page and tricks the user into clicking it, so that the extension fills data into fields the page controls. We reviewed the scenarios and found:

  • heylogin is not vulnerable in the critical attack scenarios.
  • In some relevant cases, there are low-severity vulnerabilities which we are already reviewing and will fix shortly.
  • In general: a website can only obtain data through our browser extension that is already intended for that site. We therefore do not see this as a dramatic security issue.

Technical details

  • Attacks via vulnerable websites (e.g., with XSS): If a website has an XSS vulnerability (Cross-Site Scripting, which lets an attacker execute their own script in the context of the affected page), every password manager is at risk. A successful XSS attack is already a severe security flaw in its own right: the injected script can read filled form data directly, so routing the attack through clickjacking gains the attacker nothing extra.
  • Attacks via malicious websites: No risk for heylogin here. We currently do not auto-fill credit card or personal data into web pages at all; that data is only offered via Quick Access, so a foreign website has no injected fill action for it to hijack and cannot intercept it.

Types

  • Extension Element
    • Root Element: potential vulnerability, only in combination with XSS (low severity)
    • Child Element: not applicable to us
  • Parent Element
    • BODY: not applicable to us
    • HTML: potential vulnerability, only in combination with XSS (low severity)
  • Overlay
    • Partial Overlay: potential vulnerability, only in combination with XSS (low severity)
    • Full Overlay: potential vulnerability, only in combination with XSS (low severity)
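
The list above names where a page can apply the hiding style: on the extension's own elements, on an ancestor such as BODY or HTML, or by covering the UI with an overlay. As an added illustration, not code from heylogin's extension, the following is a visibility self-check that a content script could run before honouring a click on its injected autofill UI, exercised against a constructed stand-in for the DOM so that it runs outside a browser. The function and class names (`assessClick`, `findHidingAncestor`, `findOverlay`, `FakeElement`), the `OPACITY_FLOOR` threshold, the `env` indirection and the page geometry are assumptions made for this example; `window.getComputedStyle`, `document.querySelectorAll`, `document.elementsFromPoint` and IntersectionObserver v2 are real browser APIs.

```javascript
// Added example, not heylogin's code: a visibility self-check a password
// manager's content script could run before honouring a click on its injected
// autofill UI. Verdicts follow the taxonomy from the research (extension
// element / parent element / overlay). The DOM is reached only through `env`,
// so the logic runs here against a constructed tree; in a browser, pass
// window.getComputedStyle and () => document.querySelectorAll('*') instead.

const OPACITY_FLOOR = 0.5; // assumption: below this the user cannot see the UI

// Opacity composes down the tree, so `opacity: 0` on <html> or <body>
// (parent-element attacks) hides the UI exactly like `opacity: 0` on the
// extension's root or the clicked child. Conservative on purpose: a descendant
// re-enabling `visibility` is ignored (fails closed); clip-path, transforms,
// off-screen positioning and zero-size boxes are not covered here.
function findHidingAncestor(target, uiRoot, env) {
  let effectiveOpacity = 1;
  for (let node = target; node; node = node.parentElement) {
    const cs = env.getComputedStyle(node);
    effectiveOpacity *= parseFloat(cs.opacity);
    if (cs.display === 'none' || cs.visibility === 'hidden' || effectiveOpacity < OPACITY_FLOOR) {
      return { kind: uiRoot.contains(node) ? 'extension-element' : 'parent-element', tag: node.tagName };
    }
  }
  return null;
}

const rectsOverlap = (a, b) =>
  a.left < b.right && b.left < a.right && a.top < b.bottom && b.top < a.bottom;
const rectContains = (o, i) =>
  o.left <= i.left && o.top <= i.top && o.right >= i.right && o.bottom >= i.bottom;

// Overlay attacks put a page element on top of the UI. elementsFromPoint()
// never reports an element styled `pointer-events: none` (the style that lets
// a click fall through to the UI underneath), so geometry is compared instead.
// This over-approximates (an overlapping element painted below the UI is
// reported too), which is fine for a fail-closed check; in Chromium,
// IntersectionObserver v2 (`trackVisibility: true`, `entry.isVisible`) is the
// browser's own occlusion signal and the better production choice.
function findOverlay(target, uiRoot, env) {
  const targetRect = target.getBoundingClientRect();
  for (const el of env.allElements()) {
    if (uiRoot.contains(el) || el.contains(uiRoot)) continue; // the UI itself and its ancestors
    const cs = env.getComputedStyle(el);
    if (cs.display === 'none' || cs.visibility === 'hidden' || parseFloat(cs.opacity) === 0) continue;
    const r = el.getBoundingClientRect();
    if (!rectsOverlap(r, targetRect)) continue;
    return { kind: rectContains(r, targetRect) ? 'full-overlay' : 'partial-overlay', tag: el.tagName };
  }
  return null;
}

// Verdict for a click on `target` inside the UI rooted at `uiRoot`.
function assessClick(target, uiRoot, env) {
  return findHidingAncestor(target, uiRoot, env) || findOverlay(target, uiRoot, env) || { kind: 'visible' };
}

// --- Constructed stand-in for the DOM (test scaffolding, not a browser API) ---
class FakeElement {
  constructor(tagName, rect, style = {}) {
    Object.assign(this, { tagName, rect, children: [], parentElement: null });
    this.style = { display: 'block', visibility: 'visible', opacity: '1', ...style };
  }
  append(child) { child.parentElement = this; this.children.push(child); return child; }
  contains(other) { for (let n = other; n; n = n.parentElement) if (n === this) return true; return false; }
  getBoundingClientRect() { return this.rect; }
  *descendants() { for (const c of this.children) { yield c; yield* c.descendants(); } }
}

// A constructed login page with the extension's dropdown injected below the password field.
function buildPage() {
  const viewport = { left: 0, top: 0, right: 800, bottom: 600 };
  const html = new FakeElement('HTML', viewport);
  const body = html.append(new FakeElement('BODY', viewport));
  body.append(new FakeElement('INPUT', { left: 100, top: 100, right: 300, bottom: 130 }));
  const uiRoot = body.append(new FakeElement('DIV', { left: 100, top: 130, right: 300, bottom: 200 }));
  const fillButton = uiRoot.append(new FakeElement('BUTTON', { left: 110, top: 140, right: 290, bottom: 160 }));
  const env = { getComputedStyle: (n) => n.style, allElements: () => [html, ...html.descendants()] };
  return { html, body, uiRoot, fillButton, env };
}

// Each scenario mutates the page the way the corresponding attack type would.
const SCENARIOS = {
  benign: () => {},
  rootElement: (p) => { p.uiRoot.style.opacity = '0'; },
  childElement: (p) => { p.fillButton.style.opacity = '0'; },
  parentBody: (p) => { p.body.style.opacity = '0.01'; },
  parentHtml: (p) => { p.html.style.opacity = '0'; },
  partialOverlay: (p) => { p.body.append(new FakeElement('DIV', { left: 100, top: 150, right: 300, bottom: 165 })); },
  fullOverlay: (p) => { p.body.append(new FakeElement('DIV', { left: 0, top: 0, right: 800, bottom: 600 })); },
};

function verdictFor(scenario) {
  const page = buildPage();
  SCENARIOS[scenario](page);
  return assessClick(page.fillButton, page.uiRoot, page.env);
}
```

Calling `verdictFor` with each scenario name returns `visible` for the untouched page and the matching class (`extension-element` with tag DIV or BUTTON, `parent-element` with tag BODY or HTML, `partial-overlay`, `full-overlay`) for the others. In an extension, any verdict other than `visible` would mean refusing the fill and asking for confirmation in UI the page cannot style, such as the extension's own popup.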

Conclusion

heylogin is not vulnerable in the critical attack scenarios. Where we are affected at all, the issues are low severity and only exploitable in combination with XSS, and we are implementing fixes for them promptly.

Timeline

  • August 21, 2025: We became aware of the research.
  • August 21, 2025: Publication of this blog post with our initial assessment.
  • Since August 21, 2025: We are actively working on fixes for the identified vulnerabilities.

Further information: