Article Details
Scrape Timestamp (UTC): 2025-08-29 10:00:36.391
Source: https://thehackernews.com/2025/08/click-studios-patches-passwordstate.html
Original Article Text
Click to Toggle View
Click Studios Patches Passwordstate Authentication Bypass Vulnerability in Emergency Access Page. Click Studios, the developer of enterprise-focused password management solution Passwordstate, said it has released security updates to address an authentication bypass vulnerability in its software. The issue, which is yet to be assigned a CVE identifier, has been addressed in Passwordstate 9.9 (Build 9972), released August 28, 2025. The Australian company said it fixed a "potential Authentication Bypass when using a carefully crafted URL against the core Passwordstate Products' Emergency Access page." Also included in the latest version are improved protections to safeguard against potential clickjacking attacks aimed at its browser extension, should users end up visiting compromised sites. The safeguards are likely in response to findings from security researcher Marek Tóth, who, earlier this month, detailed a technique called Document Object Model (DOM)-based extension clickjacking that several password manager browser add-ons have been found vulnerable to. "A single click anywhere on an attacker-controlled website could allow attackers to steal users' data (credit card details, personal data, login credentials, including TOTP)," Tóth said. "The new technique is general and can be applied to other types of extensions." According to Click Studios, the credential manager is used by 29,000 customers and 370,000 security and IT professionals, spanning global enterprises, government agencies, financial institutions, and Fortune 500 companies. The disclosure comes over four years after the company suffered a supply chain breach that enabled attackers to hijack the software's update mechanism in order to drop malware capable of harvesting sensitive information from compromised systems. Then in December 2022, Click Studios also resolved multiple security flaws in Passwordstate, including an authentication bypass for Passwordstate's API (CVE-2022-3875, CVSS score: 9.1) that could have been exploited by an unauthenticated remote adversary to obtain a user's plaintext passwords.
Daily Brief Summary
Click Studios has issued a security update for Passwordstate, addressing an authentication bypass vulnerability in its Emergency Access page, enhancing the software's security posture.
The vulnerability, not yet assigned a CVE, was patched in Passwordstate 9.9 (Build 9972), released on August 28, 2025, to prevent unauthorized access.
The update also includes improved defenses against clickjacking attacks on its browser extension, protecting users from potential data theft on compromised sites.
Security researcher Marek Tóth identified the clickjacking threat, which could allow attackers to steal sensitive information, including login credentials and personal data.
Passwordstate is utilized by 29,000 customers worldwide, including major enterprises and government agencies, underscoring the importance of timely updates.
This patch follows past security incidents, including a 2022 authentication bypass and a 2021 supply chain breach, highlighting ongoing vigilance in securing password management solutions.
Organizations using Passwordstate are advised to apply the latest updates to mitigate potential security risks and protect sensitive information.