Click on Studios, the developer of enterprise-focused password administration answer Passwordstate, stated it has launched safety updates to handle an authentication bypass vulnerability in its software program.
The high-severity challenge, which is but to be assigned a CVE identifier, has been addressed in Passwordstate 9.9 (Construct 9972), launched August 28, 2025.
The Australian firm stated it mounted a “potential Authentication Bypass when utilizing a rigorously crafted URL towards the core Passwordstate Merchandise’ Emergency Entry web page.”
Additionally included within the newest model are improved protections to safeguard towards potential clickjacking assaults geared toward its browser extension, ought to customers find yourself visiting compromised websites.
The safeguards are possible in response to findings from safety researcher Marek Tóth, who, earlier this month, detailed a way referred to as Doc Object Mannequin (DOM)-based extension clickjacking that a number of password supervisor browser add-ons have been discovered weak to.
“A single click on wherever on an attacker-controlled web site might enable attackers to steal customers’ knowledge (bank card particulars, private knowledge, login credentials, together with TOTP),” Tóth stated. “The brand new approach is common and will be utilized to different varieties of extensions.”
In line with Click on Studios, the credential supervisor is used by 29,000 prospects and 370,000 safety and IT professionals, spanning world enterprises, authorities companies, monetary establishments, and Fortune 500 firms.
The disclosure comes over 4 years after the corporate suffered a provide chain breach that enabled attackers to hijack the software program’s replace mechanism as a way to drop malware able to harvesting delicate data from compromised programs.
Then in December 2022, Click on Studios additionally resolved a number of safety flaws in Passwordstate, together with an authentication bypass for Passwordstate’s API (CVE-2022-3875, CVSS rating: 9.1) that would have been exploited by an unauthenticated distant adversary to acquire a consumer’s plaintext passwords.
