Phishing Attacks against Password Manager Browser Extensions

Proceedings of the 34th USENIX Security Symposium

Abstract

We study a phishing attack against password manager browser extensions. Browser extension UIs are mostly displayed on top of the web browser’s viewport and, thus, hard to distinguish from website content. This enables an attacker to phish master passwords by imitating a locked password manager on a website they control. We implemented this attack for four password managers and demonstrated its effectiveness in a large-scale phishing simulation with 29,800 participants, among whom we detected over 400 instances of selected third-party password managers. Notably, more than 30% of these users entered their master password, with up to 58% for one specific password manager. We compare the effectiveness of the attack across different password manager UIs, analyze user behavior through mouse tracking and a post-study survey, and discuss the implications of our findings for password managers as a means of phishing protection.

Research Area: Users and Security

People

Claudio Anliker
Doctoral Student

BibTeX

@inproceedings{anliker2025phishing,
  author    = {Anliker, Claudio and Lain, Daniele and Capkun, Srdjan},
  title     = {{Phishing Attacks against Password Manager Browser Extensions}},
  booktitle = {Proceedings of the 34th USENIX Security Symposium},
  address   = {Seattle, WA, USA},
  year      = 2025,
  month     = aug,
  publisher = {USENIX Association},
  url       = {https://www.research-collection.ethz.ch/bitstream/handle/20.500.11850/783092/usenixsecurity25-anliker.pdf}
}

Research Collection: 20.500.11850/783092