
August 20, 2025

New attack method weaponizes privileged browser extensions


Security researcher Marek Tóth published technical details of a new browser-based attack vector following his presentation at DEF CON 33 in early August 2025.

The technique, known as DOM-based extension clickjacking, exploits the Document Object Model (DOM) to invisibly hijack user interactions with browser extensions, particularly those with elevated privileges such as password managers.

This method allows attackers to trigger sensitive actions like exporting credentials or modifying extension settings without the user’s awareness.

Unlike traditional clickjacking, which relies on visual deception by overlaying transparent frames or buttons on a webpage, DOM-based extension clickjacking manipulates the browser’s DOM to embed extension interfaces (e.g., popups or iframes) into hidden or off-screen elements.

These interfaces are rendered by the browser as part of the extension’s UI, not the webpage itself. A single click on an attacker-controlled element, such as an “Accept cookies” button, can activate privileged extension functionality without any visible indication to the user.

This technique bypasses conventional anti-clickjacking defenses that rely on visual cues and enables attackers to trigger autofill actions that could leak sensitive information.

Tóth’s research demonstrated successful exploitation of 11 popular extensions, including password managers and developer tools, across Chromium-based browsers. He notified the affected vendors in April 2025 and warned them that public disclosure was planned for August.

According to reporting by BleepingComputer, some vendors have issued patches, while others remain unpatched as of August 20. In the interim, Tóth recommends disabling autofill features in password managers and using manual copy/paste methods to reduce exposure.


Analyst insight

For enterprise environments, this attack underscores the need to treat browser extensions as privileged assets that require governance and monitoring. The technique bypasses many traditional defenses and is difficult to detect, making it a critical concern for organizations that rely on browser-based workflows.

While the attack is technically complex, its impact can be mitigated through layered security controls, proactive extension management, and user awareness.

To reduce exposure to DOM-based extension clickjacking, organizations should begin by auditing all browser extensions deployed across managed environments. Focus on extensions with elevated permissions, such as access to credentials, clipboard data, or internal APIs, and restrict installation to a vetted list of trusted tools. Enforce these controls using browser management policies, which are commonly available in Chromium-based browsers and enterprise MDM platforms.

Where feasible, disable or restrict extensions that expose UI elements via popups or iframes, as these are most vulnerable to DOM manipulation.

Security teams should also implement browser hardening measures. This includes:

  • Disabling unnecessary APIs
  • Enforcing strict Content Security Policies (CSP)
  • Deploying browser isolation technologies for high-risk users

Extensions should be configured to require explicit user interaction for sensitive actions, and developers should adopt secure UI design practices that prevent off-screen rendering or hidden DOM elements. Monitoring browser telemetry for anomalous activity also helps to detect early signs of exploitation.
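To make the secure UI design guidance above concrete, and to show the defensive counterpart of the technique described earlier, here is an added example that is not code from the article, the researcher, or any vendor's extension. It is an extension-side guard that refuses to run a sensitive action (such as filling credentials) when the click landed on injected UI the user could not actually see; `snapshotChain` and `guardSensitiveAction` are hypothetical helper names, and the thresholds are assumptions.

```javascript
// Added example, not code from the article or the researcher: an extension-side guard that
// refuses to run a sensitive action when the click landed on injected UI the user could
// not see. The decision logic is pure so it can be unit-tested outside a browser.

// Thresholds are assumptions; tune them for the extension's own UI.
const MIN_OPACITY = 0.9;     // below this the UI is treated as hidden
const MIN_VISIBLE_PX = 16;   // smaller boxes are treated as collapsed

// chain: style/geometry snapshots for the element first, then each ancestor up to <html>.
// Every ancestor is checked because opacity, visibility and clipping are inherited.
function isEffectivelyHidden(chain, viewport) {
  let opacity = 1;
  for (const node of chain) {
    if (node.display === 'none' || node.visibility !== 'visible') return true;
    if (node.pointerEvents === 'none') return true;
    if (node.clipPath && node.clipPath !== 'none') return true;
    opacity *= Number(node.opacity); // effective opacity compounds down the tree
    if (opacity < MIN_OPACITY) return true;
  }
  // The element itself must cover a real area inside the viewport.
  const { x, y, width, height } = chain[0].rect;
  if (width < MIN_VISIBLE_PX || height < MIN_VISIBLE_PX) return true;
  return x + width <= 0 || y + height <= 0 || x >= viewport.width || y >= viewport.height;
}

// Browser-side collector (hypothetical helper, assumed to run in the content script).
function snapshotChain(element) {
  const chain = [];
  for (let node = element; node && node.nodeType === 1;
       node = node.parentElement || (node.parentNode && node.parentNode.host) || null) {
    const cs = getComputedStyle(node); // crosses shadow roots via the host element
    chain.push({ display: cs.display, visibility: cs.visibility, opacity: cs.opacity,
                 pointerEvents: cs.pointerEvents, clipPath: cs.clipPath,
                 rect: node.getBoundingClientRect() });
  }
  return chain;
}

// Wrap a sensitive handler (e.g. "fill credentials") so it only fires for visible,
// user-generated clicks; synthetic events are rejected via event.isTrusted.
function guardSensitiveAction(element, action) {
  return (event) => {
    const viewport = { width: window.innerWidth, height: window.innerHeight };
    if (!event.isTrusted || isEffectivelyHidden(snapshotChain(element), viewport)) {
      console.warn('Refusing sensitive action: extension UI not visible or event not trusted');
      return;
    }
    action(event);
  };
}
```

The geometry check catches off-screen placement and transforms, and the compounded opacity check catches a transparent ancestor; it does not detect every hiding trick (for example CSS filters), so treat it as one layer alongside the browser policies discussed above.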

Until vendor patches are widely available, the researcher recommends disabling autofill features in your password manager extensions and relying on manual copy/paste for credential input.

However, a standalone password manager, one that runs independently of the browser and does not rely on a browser extension, can offer stronger protection in threat scenarios such as DOM-based extension clickjacking.