Clickjacking: Zoho Vault's Response

Issue: Password manager browser extensions were found to be vulnerable to clickjacking, which could allow attackers to steal account credentials, TFA codes, and card details under certain conditions.

Reported by: Marek Toth, Independent Security Researcher, at DEF CON 33 on August 18, 2025.

How does it impact Zoho Vault?
  • The Zoho Vault browser extension does not auto-fill login credentials automatically.
  • It auto-fills login credentials only in response to user interaction.
  • For example, when a user lands on xxx.google.com, the Zoho Vault browser extension will list all passwords matching google.com, and the user must manually click on the correct account to log in.
  • The impact of clickjacking on login credentials has been minimal.
Steps taken by Zoho Vault:
  • Our team identified this vulnerability via news on August 20, 2025.
  • On the same day, our team started working on the hotfix for all of the browser extensions and uploaded it to the respective browser stores on August 23, 2025.
  • It was reviewed by the respective stores and released as follows:
    • Firefox: August 23, 2025
    • Edge: August 24, 2025
    • Chrome: August 25, 2025
    • Safari: August 26, 2025
  • Users will be automatically moved to the latest version of the browser extension.
  • We have been transparent with our users about the reported issue and have updated them throughout this period.
What is fixed?
  • Fake websites can no longer load Zoho Vault browser extensions automatically.
  • Fake websites can no longer hide or alter the visibility of Zoho Vault browser extensions.
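One way an extension could enforce the second point, shown as an added example that is not Zoho Vault's code: before filling on a click, confirm the click is user-generated and that neither the injected UI nor any of its ancestors has been faded. The element name, the threshold, and the style snapshots are constructed assumptions.

```javascript
// Added example, not Zoho Vault's code. A "chain" is the injected UI element
// followed by its ancestors up to <html>; each entry holds the values a
// content script would read with getComputedStyle(node).
const MIN_OPACITY = 0.99; // assumption: any noticeable fade counts as tampering

function visibilityProblems(chain) {
  const problems = [];
  let effective = 1; // opacity composes multiplicatively down the ancestor chain
  for (const { name, style } of chain) {
    const opacity = Number.parseFloat(style.opacity);
    if (Number.isNaN(opacity)) {
      problems.push(`${name}: unreadable opacity`);
      continue;
    }
    effective *= opacity;
    if (opacity < MIN_OPACITY) problems.push(`${name}: opacity ${style.opacity}`);
    // filter: opacity(0) hides an element while the opacity property stays 1
    if (style.filter && style.filter !== "none") {
      problems.push(`${name}: filter ${style.filter}`);
    }
  }
  if (effective < MIN_OPACITY) problems.push(`effective opacity ${effective.toFixed(2)}`);
  return problems;
}

function shouldFill(clickEvent, chain) {
  // Event.isTrusted is false for clicks dispatched by page script
  if (!clickEvent.isTrusted) return { fill: false, reasons: ["synthetic click"] };
  const reasons = visibilityProblems(chain);
  return { fill: reasons.length === 0, reasons };
}

// Constructed samples; "vault-dropdown" is a hypothetical element name.
const visible = [
  { name: "vault-dropdown", style: { opacity: "1", filter: "none" } },
  { name: "body", style: { opacity: "1", filter: "none" } },
  { name: "html", style: { opacity: "1", filter: "none" } },
];
// Same chain with an ancestor's opacity lowered; the dropdown's own style is untouched.
const fadedAncestor = visible.map((n) =>
  n.name === "body" ? { ...n, style: { ...n.style, opacity: "0.01" } } : n
);

console.log(shouldFill({ isTrusted: true }, visible));
console.log(shouldFill({ isTrusted: true }, fadedAncestor));
console.log(shouldFill({ isTrusted: false }, visible));
```

Checking only the element's own style would pass the second sample, which is why the whole ancestor chain is walked.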
At Zoho, we care about our users' security and privacy. If you have any questions regarding this issue or need any assistance, write to support@zohovault.com.