Claudio Anliker, Daniele Lain, and Srdjan Capkun, ETH Zurich
We study a phishing attack against password manager browser extensions. Browser extension UIs are mostly displayed on top of the web browser's viewport and, thus, hard to distinguish from website content. This enables an attacker to phish master passwords by imitating a locked password manager on a website they control.
We implemented this attack for four password managers and demonstrated its effectiveness in a large-scale phishing simulation with 29,800 participants, among whom we detected over 400 instances of selected third-party password managers. Notably, more than 30% of these users entered their master password, with up to 58% for one specific password manager. We compare the effectiveness of the attack across different password manager UIs, analyze user behavior through mouse tracking and a post-study survey, and discuss the implications of our findings for password managers as a means of phishing protection.
author = {Claudio Anliker and Daniele Lain and Srdjan Capkun},
title = {Phishing Attacks against Password Manager Browser Extensions},
booktitle = {34th USENIX Security Symposium (USENIX Security 25)},
year = {2025},
isbn = {978-1-939133-52-6},
address = {Seattle, WA},
pages = {7857--7876},
url = {https://www.usenix.org/conference/usenixsecurity25/presentation/anliker},
publisher = {USENIX Association},
month = aug
}