Background and context
Security researchers are again drawing attention to a long-running weakness in commercial password managers: not the encryption used to store vault data, but the browser environment where that data is decrypted and used. According to Infosecurity Magazine, recent findings show that some password managers can be manipulated in ways that let attackers view or even change saved passwords, challenging how users interpret vendors’ “end-to-end encryption” claims (Infosecurity Magazine).
This distinction matters. In most password managers, vault contents are encrypted at rest and during sync, then decrypted locally after the user authenticates. That model can still be described as end-to-end encrypted or zero-knowledge in a narrow sense. But once the vault is unlocked inside a browser extension or web app, secrets must be exposed to the client in order to autofill forms, display entries, or update credentials. Researchers argue that this practical reality is often lost in marketing language.
The issue is not new. Academic and industry research has repeatedly shown that password manager security often rises or falls on browser integration, autofill logic, frame handling, and extension permissions rather than on the strength of the underlying cryptography. Prior studies from browser security researchers and universities have demonstrated attacks involving hidden fields, deceptive login forms, iframe abuse, and DOM manipulation that can trigger unintended autofill or leak credentials from the page context (USENIX Security, Google Chromium Blog).
That broader history is important because the current reporting does not point to one universal flaw or a single CVE that breaks all password managers. Instead, it reflects a class of implementation weaknesses that can affect products differently depending on browser, extension version, autofill settings, and whether the vault is already unlocked.
What the research is really saying
The headline claim that hackers can “view and change passwords” may sound like a cryptographic collapse, but the underlying problem is more subtle. In most cases, researchers are not breaking AES, defeating key derivation, or decrypting vaults on the server side. They are showing that once a password manager is active in the browser, malicious code or crafted web content may be able to influence what the extension sees and does.
Password managers typically work as follows:
1. The user stores credentials in an encrypted vault.
2. The vault syncs or is stored in encrypted form.
3. The user unlocks it locally with a master password, device secret, or biometric.
4. The browser extension or web app decrypts entries client-side and interacts with webpages to fill forms or save updates.
That fourth step is where risk concentrates. Browser extensions often need broad privileges to inspect pages, detect login forms, inject values, and monitor submissions. If a malicious site can shape the page, or if a legitimate site is compromised by injected JavaScript, those interactions may be abused.
Technical details: how viewing or changing passwords can happen
Several attack patterns have been documented across the password manager ecosystem.
Autofill abuse: A malicious page can create hidden or misleading input fields that resemble a login prompt. If the password manager relies on weak field detection or permissive origin checks, it may autofill credentials into the wrong place. Some historical attacks used invisible forms or off-screen fields to collect usernames and passwords without obvious user interaction (USENIX Security).
DOM access after fill: Once credentials are inserted into page fields, JavaScript running on that page may be able to read them, depending on how the manager injects values and what protections are in place. This is why the browser context matters so much: decrypted secrets are no longer protected solely by storage encryption once they are rendered for use.
Iframe and frame confusion: Some password managers historically struggled with deciding whether a login form inside an iframe should receive credentials. Attackers can abuse embedded frames, nested forms, or deceptive page structure to make a trusted domain appear to host a login flow when the actual context is attacker-controlled or mixed-origin.
Extension logic manipulation: Browser extensions are effectively mini-applications with privileged access. If their matching logic, save prompts, or communication with content scripts is flawed, crafted pages can trigger unintended actions. This can include prompting the user to save a modified password or replacing an existing entry with attacker-controlled data.
Credential overwrite and tampering: In the more damaging scenario, an attacker does not just steal a password but changes what the manager stores. For example, if a malicious page tricks the extension into believing a password reset or login update has occurred, the saved credential could be overwritten. The user may later rely on that poisoned entry, causing lockout or account takeover.
These scenarios do not require a total browser compromise in every case. Sometimes they depend on malicious JavaScript in a visited page, a compromised site, a hostile browser extension, or a phishing page that exploits autofill behavior. In all cases, the common theme is that the trust boundary extends beyond the vault and into the browser session itself.
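To make the defensive side of these patterns concrete, here is an added example (not code from the article or from any password manager vendor) of the fill-policy gate an extension can evaluate before injecting a credential: top-level origin match, no cross-origin frames, a visible password field, and an explicit user gesture. The context object shape, field names and sample origins are assumptions for illustration.

```javascript
// Added example, not from the article or any vendor. Page and frame facts are
// passed in as a plain object so the policy can be unit-tested outside a browser.

// Origin comparison is deliberately strict (full origin string, no
// registrable-domain relaxation); an assumption for this example.
function originsMatch(credentialOrigin, pageOrigin) {
  return credentialOrigin === pageOrigin;
}

// A field the user cannot see (hidden, zero-size, transparent, off-screen)
// is the classic hidden-form trick and must never receive a secret.
function fieldIsVisible(f) {
  return f.type === "password" &&
    !f.hidden &&
    f.width > 0 && f.height > 0 &&
    f.opacity > 0 &&
    f.inViewport;
}

// Returns { allow, reasons } so a caller can log why a fill was refused.
function shouldAutofill(ctx) {
  const reasons = [];
  // 1. The top-level document must be the origin the credential was saved for.
  if (!originsMatch(ctx.credentialOrigin, ctx.topOrigin)) reasons.push("top-origin-mismatch");
  // 2. Fill only in the top frame or a frame that is same-origin with it;
  //    a cross-origin iframe is refused outright.
  if (ctx.frameOrigin !== ctx.topOrigin) reasons.push("cross-origin-frame");
  // 3. Refuse hidden, off-screen or zero-size fields.
  if (!fieldIsVisible(ctx.field)) reasons.push("field-not-visible");
  // 4. Require an explicit user gesture on the field rather than filling on load.
  if (!ctx.userGesture) reasons.push("no-user-gesture");
  return { allow: reasons.length === 0, reasons };
}

// Constructed sample contexts (hypothetical origins).
const visibleField = { type: "password", hidden: false, width: 200, height: 30, opacity: 1, inViewport: true };
const legit = { credentialOrigin: "https://mail.example.com", topOrigin: "https://mail.example.com",
                frameOrigin: "https://mail.example.com", field: visibleField, userGesture: true };
const hiddenField = { ...legit, field: { ...visibleField, width: 0, height: 0, inViewport: false } };
const crossFrame = { ...legit, frameOrigin: "https://ads.third-party.invalid" };
const silentFill = { ...legit, userGesture: false };
// Legitimate login page embedded inside a frame on an unrelated top-level site.
const embeddedLogin = { ...legit, topOrigin: "https://unrelated.invalid" };
```

Each refused context reports every failed check, which is the signal a defender wants surfaced in extension logs or a save/fill warning rather than a silent decline.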
Why “end-to-end encryption” can still be true and still be misleading
Vendors often describe password managers as end-to-end encrypted or zero-knowledge because the provider cannot read the vault on its servers. That claim may be technically accurate for stored data. The problem is that many users hear it as a promise that their secrets remain inaccessible except to them under all conditions.
That is not how browser-based software works. If the vault is unlocked, the client must decrypt data locally. If the client is a browser extension interacting with webpages, then the safety of decrypted data depends on web origin checks, isolation from page scripts, extension design, and user interaction requirements. Researchers are therefore challenging not the mathematics of encryption, but the way those claims are understood in practice.
This is also why security experts continue to say password managers are still preferable to password reuse. A well-designed manager with careful autofill behavior remains a major improvement over weak, repeated passwords. But convenience features can enlarge the attack surface, and users should understand that the strongest vault design still depends on the security of the endpoint where it is opened.
Impact assessment
The people most at risk are users who rely heavily on browser-based autofill and keep high-value credentials in a single vault. That includes enterprise staff, administrators, developers, journalists, executives, and anyone storing financial, email, or cloud accounts in a password manager.
The likely impact varies by attack path:
Moderate impact: isolated credential leakage from a malicious webpage or phishing page, especially if the user has autofill enabled broadly.
High impact: theft of email, banking, or workplace credentials that can be reused for account takeover, data theft, or lateral movement.
Severe impact: tampering with saved credentials, secure notes, or recovery codes, potentially locking users out while giving attackers persistence.
For organizations, the risk extends beyond one user. If an employee’s manager stores VPN, admin, cloud, or shared service accounts, a single browser-side exploit can become an entry point for broader intrusion. This is one reason many security teams are moving toward phishing-resistant authentication like FIDO2/WebAuthn and limiting how often sensitive credentials are autofilled (CISA, NIST SP 800-63B).
The severity should not be overstated into panic. There is no evidence in the source reporting that all password managers are broken or that all users are currently being exploited. But the findings are serious because they target the exact convenience features that make password managers popular.
How to protect yourself
Turn off automatic autofill for sensitive accounts. If your password manager supports requiring a click or keyboard shortcut before filling, use that option. Manual confirmation reduces the chance of silent credential leakage.
Keep your browser and extensions updated. Many of these issues are fixed through extension hardening, stricter origin checks, and improved frame handling. Updates matter as much as the vault itself.
Prefer password managers with tighter fill controls. Look for settings that restrict autofill in iframes, require user interaction, and warn before saving changed credentials.
Use phishing-resistant MFA. Security keys and passkeys based on FIDO2/WebAuthn can blunt the impact of stolen passwords. Even if a credential is exposed, the attacker may still fail to authenticate.
Watch for suspicious save prompts. If a site unexpectedly asks to update a password, pause and verify what changed. Credential overwrite attacks depend on users accepting a misleading save action.
Reduce browser extension risk. Remove unnecessary extensions, review permissions, and avoid installing tools from unknown publishers. A hostile or compromised extension can undermine the whole browser session.
Use network and device hygiene. A trusted device, patched OS, and secure browsing habits matter more than marketing claims. If you often connect on untrusted networks, a reputable VPN service can help protect traffic privacy, though it will not stop browser-side password manager flaws.
Monitor accounts for unexpected changes. If saved passwords stop working or you see unrecognized login activity, treat it as a possible compromise. Change passwords from a clean device and review stored entries for tampering.
The bottom line
The current debate is not proof that password managers are useless or that encryption has failed. It is a reminder that the real security boundary is the browser session where secrets are decrypted and used. Password managers still offer major benefits over password reuse, but their browser extensions and autofill features remain a concentrated point of risk.
For users, the practical lesson is simple: keep using a password manager, but do so with stricter fill settings, stronger MFA, and a clearer understanding of what “end-to-end encryption” does and does not protect once your vault is open.