Independent Audit Finds Critical Vulnerabilities in Popular Password Manager Extensions
A comprehensive security audit of browser extensions for five major password managers has revealed critical vulnerabilities that could expose user credentials.
An independent security audit commissioned by the Electronic Frontier Foundation (EFF) has uncovered critical vulnerabilities in browser extensions for five of the most popular password managers, potentially exposing millions of users to credential theft.
The audit, conducted by NCC Group, examined browser extensions for LastPass, 1Password, Bitwarden, Dashlane, and Keeper. While the severity of findings varied by vendor, all five extensions contained at least one high-severity vulnerability.
"Browser extensions operate in a highly privileged environment with access to sensitive data across all websites," said the audit report's lead author, Jennifer Fernick. "The attack surface is significant, and we found that not all vendors have adequately addressed the unique risks."
The most serious finding involved a vulnerability in one vendor's extension that could allow a malicious website to extract passwords from the user's vault without any user interaction. The vendor has issued a patch and stated that there is no evidence of exploitation in the wild.
Other findings included clickjacking vulnerabilities, improper input validation, and weaknesses in how extensions communicate with native applications.
All five vendors were notified of the findings under a coordinated disclosure process and have issued patches addressing the identified vulnerabilities.
"Users should ensure their password manager extensions are updated to the latest versions," said EFF's Director of Cybersecurity Eva Galperin. "Despite these findings, password managers remain significantly more secure than password reuse or weak passwords."
The full audit report, including technical details and remediation guidance, is available on the EFF's website.