Clickjacking: Zoho Vault's Response

Clickjacking: Zoho Vault's Response

Issue: Password manager browser extensions are found to be vulnerable to clickjacking security vulnerabilities that could allow attackers to steal account credentials, TFA codes, and card details under certain conditions.

Reported by: Marek Toth, Independent Security Researcher in DEF CON 33 on August 18, 2025.

How does it impact Zoho Vault?
  • The Zoho Vault browser extension will not automatically auto-fill login credentials.
  • It will auto-fill login credentials based on user interaction.
  • For example, when a user lands on xxx.google.com, the Zoho Vault browser extension will list all passwords matching google.com, and the user must manually click on the correct account to log in.
  • There has been minimal impact on login credentials for clickjacking.
Steps taken by Zoho Vault:
  • Our team identified this vulnerability via news on August 20, 2025.
  • On the same day, our team started working on the hot fix for all of the browser extensions and uploaded it to the respective browser stores on August 23, 2025.
  • It was reviewed by the respective stores and released as below:
    • Firefox: August 23, 2025
    • Edge: August 24, 2025
    • Chrome: August 25, 2025
    • Safari: August 26, 2025
  • Users will be automatically moved to the latest version of the browser extension.
  • We have been transparent with our users about the reported issue and have updated them throughout this period.
What is fixed?
  • Fake websites can no longer load Zoho Vault browser extensions' automatically.
  • Fake websites can no longer hide or alter the visibility of Zoho Vault browser extensions.
At Zoho, we care about our users' security and privacy. If you have any questions regarding this issue or need any assistance, write to support@zohovault.com.