Click on Studios, the developer of enterprise-focused password administration answer Passwordstate, stated it has launched security updates to deal with an authentication bypass vulnerability in its software program.
The problem, which is but to be assigned a CVE identifier, has been addressed in Passwordstate 9.9 (Construct 9972), launched August 28, 2025.
The Australian firm stated it mounted a “potential Authentication Bypass when utilizing a fastidiously crafted URL towards the core Passwordstate Merchandise’ Emergency Entry web page.”
Additionally included within the newest model are improved protections to safeguard towards potential clickjacking assaults aimed toward its browser extension, ought to customers find yourself visiting compromised websites.
The safeguards are doubtless in response to findings from security researcher Marek Tóth, who, earlier this month, detailed a way referred to as Doc Object Mannequin (DOM)-based extension clickjacking that a number of password supervisor browser add-ons have been discovered susceptible to.
“A single click on wherever on an attacker-controlled web site might permit attackers to steal customers’ information (bank card particulars, private information, login credentials, together with TOTP),” Tóth stated. “The brand new method is common and might be utilized to different varieties of extensions.”
In response to Click on Studios, the credential supervisor is utilized by 29,000 clients and 370,000 security and IT professionals, spanning international enterprises, authorities businesses, monetary establishments, and Fortune 500 firms.
The disclosure comes over 4 years after the corporate suffered a provide chain breach that enabled attackers to hijack the software program’s replace mechanism with the intention to drop malware able to harvesting delicate data from compromised techniques.
Then in December 2022, Click on Studios additionally resolved a number of security flaws in Passwordstate, together with an authentication bypass for Passwordstate’s API (CVE-2022-3875, CVSS rating: 9.1) that would have been exploited by an unauthenticated distant adversary to acquire a consumer’s plaintext passwords.
