Clickjacking: Zoho Vault's Response

Clickjacking: Zoho Vault's Response

Issue: Password manager browser extensions are found to be vulnerable to clickjacking security vulnerabilities that could allow attackers to steal account credentials, TFA codes, and card details under certain conditions.

Reported by: Marek Toth, Independent Security Researcher in DEF CON 33 on August 18, 2025.

How does it impact Zoho Vault?
  • The Zoho Vault browser extension will not automatically auto-fill login credentials.
  • It will auto-fill login credentials based on user interaction.
  • For example, when a user lands on xxx.google.com, the Zoho Vault browser extension will list all passwords matching google.com, and the user must manually click on the correct account to log in.
  • There has been minimal impact on login credentials for clickjacking.
Steps taken by Zoho Vault:
  • Our team identified this vulnerability via news on August 20, 2025.
  • On the same day, our team started working on the hot fix for all of the browser extensions and uploaded it to the respective browser stores on August 23, 2025.
  • It was reviewed by the respective stores and released as below:
    • Firefox: August 23, 2025
    • Edge: August 24, 2025
    • Chrome: August 25, 2025
    • Safari: August 26, 2025
  • Users will be automatically moved to the latest version of the browser extension.
  • We have been transparent with our users about the reported issue and have updated them throughout this period.
What is fixed?
  • Fake websites can no longer load Zoho Vault browser extensions' automatically.
  • Fake websites can no longer hide or alter the visibility of Zoho Vault browser extensions.
At Zoho, we care about our users' security and privacy. If you have any questions regarding this issue or need any assistance, write to support@zohovault.com.


      • Sticky Posts

      • Free webinar—Redefining workforce security with Zoho Vault: Passwords, passkeys, and multi-factor authentication

        Hi everyone! Did you know that in Q2 alone, 94 million data records were leaked globally? Behind every breach is a combination of poor password habits, phishing attacks, privilege misuse, and simple human error. The fallout—including reputational damage,

      • Introducing SecureForms in Zoho Vault

        Hey everyone, Let’s face it—asking someone to send over a password or other sensitive data is rarely straightforward. You wait. You nudge. You follow up once, twice—maybe more. And when the information finally arrives, it shows up in the worst possible

      • Join our World Password and Passkey Day expert Q&A 2025

        Hey everyone! World Password and Passkey Day is almost here, and there's no better time to talk about something we all rely on daily—secure authentication. Did you know that a staggering 60% of hacking-related breaches are tied to weak or stolen passwords?

      • Zoho Vault: A look at what's new for iOS, iPadOS, and macOS

        Hi everyone, At Zoho Vault, we constantly aim to improve your security experience. Based on both internal and external feedback, we have recently rolled out updates across our iOS, iPadOS, and support for macOS platforms. Introducing the desktop app for

      • iOS 12 update: Introducing autofill passwords and Siri Shortcuts in Zoho Vault

        With this iOS 12 release, Zoho Vault users can now autofill usernames and passwords on Safari and other third-party apps. Users can enjoy a seamless login experience to their everyday apps without compromising security and also access passwords stored in Zoho vault with Siri Shortcuts by adding personalized phrases. How to enable autofill password on your iOS device? First, you need to update your device to iOS 12.  Apple recommends you to take a backup before you update your device to the latest

        • Recent Topics

        • How can I bold text on Zoho Forms submit buttons?

          In the old theme builder, I could bold the text on a form's submit button. With the new theme builder, I can only change the text of the header or fields in the form, and not the button itself.

        • Zoho Commerce in multiple languages

          When will you be able to offer Zoho Commerce in more languages? We sell in multiple markets and want to be able to offer a local version of our webshop. What does the roadmap look like?

        • Outdated state in mexico

          Hello Zoho team, the drop down to add the state for customers, when they introduce their state in mexico has a city named “Distrito Federal” that name changed many years ago to “ciudad de mexico”. could you please update this so my clients can find the

        • Urgent Zoho Creator down!!!???

          Now my zoho creator faced this issue. Anyone has idea? Urgent!!!

        • Default Sorting on Related Lists

          Is it possible to set the default sorting options on the related lists. For example on the Contact Details view I have related lists for activities, emails, products cases, notes etc... currently: Activities 'created date' newest first Emails - 'created

        • Using IMAP configuration for shared email inboxes

          Our customer service team utilizes shared email boxes to allow multiple people to view and handle incoming customer requests. For example, the customer sends an email to info@xxxx.com and multiple people can view it and handle the request. How can I configure

        • The Social Wall: September 2025

          Hello everyone, As we step into the fall season, some major updates are on the horizon. Meanwhile, here are the exciting updates we rolled out this September. Approvals in iOS Managing approvals just got more seamless on mobile. With this update, the

        • Display Client Name in Zoho Creator Client Portal Dashboard

          Hello Zoho Creator Team, We hope you are doing well. Zoho Creator recently introduced the option to set a client’s display name in the Client Portal settings, which is very helpful for providing a personalized portal experience. However, there is currently

        • Introducing Detailed View for Candidates in Vendor Portal

          We’ve added a new Details sub-tab inside the Vendor Portal to help vendors easily view complete candidate information after submission. With this update, vendors can now access all candidate details, from personal information to associated job openings,

        • Zoho One Down

          Zoho Team, Checking if when the services up - currently Zoho One is down

        • Custom View of tickets created today

          How can I create a custom view that list all my ticked created in the current date? Currently, if I select the "Created Time" criteria, the "Current Time" option does not work as today. Actually, I don't know how it works this "Current Time".

        • Weekly Tips : Customize your Zoho Mail Notifications

          In a professional context, email communication remains one of the most crucial channels for staying connected and managing workflows. Keeping track of your emails, task updates, or important announcements can be overwhelming—especially if you are juggling

        • Good news! Calendar in Zoho CRM gets a face lift

          Dear Customers, We are delighted to unveil the revamped calendar UI in Zoho CRM. With a complete visual overhaul aligned with CRM for Everyone, the calendar now offers a more intuitive and flexible scheduling experience. What’s new? Distinguish activities

        • Tip of the Week - Conditional Formatting Chart

          Conditional formatting allows you to highlight your data series based on a pattern or a trend in your data. This makes it easy for you to identify when your data reaches certain values or when it deviates from the trend.  Zoho Analytics allows you to

        • How to Send Email from within a custom module (with or without an email template)

          It is possible to send an email from the Deals module. However, I can't find a way to send an email from any of our custom modules. I have tried adding an email field to the modules (even though we don't really want one or need it there). That doesn't

        • How can I track which zoho users are actively using Zoho CRM

          I have several licenses of Zoho CRM. We now need to add a new user. I could purchase a new license, but before I do, I would like to see if any of our existing users are not actively using the license assigned to them. How can I determine the activity

        • Access to Detail View From HTML Snippet

          Zoho Creator displays a detail view that slides out from the right onClick of a record in a report. Am I able to access that detail view from an html snippet, e.g. click a record in a list and display the detail view? The zc_LoadIn dialog is a bit clunky,

        • Option to Customize Career Site URL Without “/jobs/Careers”

          Dear Zoho Recruit Team, I hope you are doing well. We would like to request an enhancement to the Career Site URL structure in Zoho Recruit. In the old version of the career site, our URL was simply: 👉 https://jobs.domain.com However, after moving to

        • Billing Management: #10 Solving Common Mistakes in Billing

          Over the past few weeks, we have explored different facets of billing, from the simplicity of traditional one-time billing to the evolving landscape of subscriptions, retainers, and usage-based models. We've unpacked how billing isn't just about sending

        • 【開催間近 - 10/17】東京 ユーザー交流会 Vol.3 参加登録 受付中!(参加無料)

          ユーザーの皆さま、こんにちは。コミュニティチームの藤澤です。 10/17(金)に、東京・新橋で「東京 ユーザー交流会 Vol.3」を開催します! ZOHOLICSよりも小規模なイベントですので、「リアル開催はちょっと緊張する…」という方も、安心してご参加いただけます✨ 当日は、初公開の事例を2つご紹介予定です! なお、セッション映像のアーカイブ配信は予定していないため、会場にお越しいただいた方だけが、登壇者へ直接質問したり、リアルな声を聞いたりできる貴重な機会となっています。 ーーーーーーーーーーーーーーーーーーーーーーーーーーーーーーーーーーーーーーーーーー

        • Loading CSS Stylesheets into HTML Snippet

          Combining html/css into a single snippet can grow quite large for a UI that has a lot of functionality/styling. To keep things tidy, are we able to pull files into an html snippet using a <link> tag? If so, what are some best practices?

        • Notes Attachments

          Two things it would be nice to have the attachment size the same as the attachments sections and it would be nice to be able to attach links like you can in the attachments section. Thank you

        • Canvas: empty images

          Hello. If I add an image field like contact photo in a Canvas design, and the field is empty, there is an ugly placeholder in its place. This doesn't happen in the standard view. In the standard view, if the contact photo is empty, nothing appears in

        • Google enhanced conversions not working

          Hi guys, I've connected Zoho CRM through Google Ads interface with the goal to setup the enhanced conversion tracking in Google Ads. I have to Zoho related conversion goals which you can see in the images below: For the conversion goal above I've setup

        • MS Teams Meeting to Zoho CRM

          Has anyone figured out a good way to push MS Teams meeting info on a trigger of "meeting end" to Zoho CRM? We're looking for a way to take attendees of a meeting and meeting duration and push it into Zoho CRM after the meeting has ended. If I can just

        • Microsoft Teams now available as an online meeting provider

          Hello everyone, We're pleased to announce that Zoho CRM now supports Microsoft Teams as an online meeting provider—alongside the other providers already available. Admins can enable Microsoft Teams directly from the Preferences tab under the Meetings

        • Font Size 11 - Zoho CRM Email Templates

          Our company communicates with our vendors exclusively using Calibri Font Size 11, as this is the standard formatting for professional emails. Since the CRM only allows for the selection of font sizes 10 & 12, we have been unable to utilize the CRM email

        • Introducing Zoho Creator's 2025 Release Projection 2

          Hello Creators! I'm Prakash, from the Creator product management team, and today I'm delighted to unveil our next set of features as part of Release Projection 2 for 2025. With thoughtful analysis and planning, we've curated powerful new capabilities

        • Calling Function via REST API with API Key gives 401 using Zoho Developer

          Hi, I created a couple of functions using the one month trial of Enterprise edition, which I was able to call using the API Key method from Postman and from an external site. Now that my trial has expired, I have created the same functions in the Developer

        • CRM x WorkDrive: File storage for new CRM signups is now powered by WorkDrive

          Availability Editions: All DCs: All Release plan: Released for new signups in all DCs. It will be enabled for existing users in a phased manner in the upcoming months. Help documentation: Documents in Zoho CRM Manage folders in Documents tab Manage files

        • Feature Request: Tag, Search, and Report on Individual Private Comments

          Zoho Desk Team, First, I want to say that we are extensive users of Zoho Desk and it is a core part of our support operations. We rely heavily on the private comments feature for internal communication, knowledge sharing, and maintaining a clear history

        • New portal SAML authentication error: User not found

          Dears, Has anyone else been experiencing this lately? I am creating a new portal authenticated by SAML (Entra ID). I followed the same process as I did with other portals, but any new portal created after this always encounters this error. I’ve been reporting

        • In arattai received message can't be deleted

          The issue has been noticed in following: arattai app (Android) arattai app (Window) arattai web While the message posted by me may be deleted, the ones received from others can't be. The item <Delete> change to <Report> when the message is a received

        • Zoho Forms - Improved Sub-Forms

          Hi Forms team, I'm helping a client move from JotForms to Zoho Forms and I've found another opportunity for improvement. In the below screenshot, JotForm left and Zoho Forms right. The Zoho Forms Sub-Form is quite a poor visually. There is no way to make

        • Zoho Forms - Print Button on Forms

          Hi Forms team, I'm replicating a form for a client which is currently based on JotForm. I noticed that at the end of the form there is a button to print the completed form. I thought this would be something worth sharing and a nice to have in Zoho Forms.

        • How do I move a section or element from one page to another in the NEW Zoho Sites UI

          I have a section on my home page with numerous elements within it and I'd like to move the entire section to a different page on my site so I don't have to recreate it from scratch.  Is there a way for me to do that easily? I could use a quick answer on this please.

        • Elevate your CX delivery using CommandCenter 2.0: Simplified builder; seamless orchestration

          Most businesses want to create memorable customer experiences—but they often find it hard to keep them smooth, especially as they grow. To achieve a state of flow across their processes, teams often stitch together a series of automations using Workflow

        • Creator Change History: Ways to improve

          Hi Everyone, Recently been working in developing this change history(an idea from Zoho Forms) - unlike forms that you can this with a click but using Creator, we can use "old" keyword. The concept I come up with is to put the result in a table however,

        • Zoho Projects app update: Global Web Tabs support

          Hello everyone! In the latest version(v3.10.10) of the Zoho Projects app update, we have brought in support for Global Web Tabs. You can now access the web tabs across all the projects from the Home module of the app. Please update the app to the latest

        • Export as MP4 or GIF

          Hi, Just wondering if there's a way to export/convert a presentation to an MP4 video file or even a GIF. One use case would be to use the animation functionality to create social media graphics/charts/gifs/videos. Thanks for a great tool... Rgds Jon

        • Next Page