Overview
Dashlane has fixed a clickjacking issue that, under specific conditions, could have allowed an attacker to manipulate a user into unknowingly proceeding with a passkey login into a legitimate domain.
The issue was reported to Dashlane by an external security researcher on July 28, 2025, and fixed for all customers on Aug 1, 2025, in Dashlane version v6.2531.1.
Dashlane has received no reports that this issue was exploited.
Affected products
This issue affects all Dashlane browser extension versions before v6.2531.1 (Aug 1, 2025). Dashlane browser extension v6.2531.1 prevents this issue from being exploitable.
Dashlane mobile apps aren't affected by this issue.
Recommended actions
If you're using an affected version of the Dashlane browser extension, update to the latest version.
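To find installs that still need the update, the version threshold above can be checked across an inventory. This is an added example, not Dashlane's code; it assumes an inventory export with hypothetical `host` and `extension_version` columns, and the rows are constructed sample data. Versions are compared numerically, because a plain string comparison would rank 6.999.0 above 6.2531.1.

```python
# Added example: flag Dashlane browser extension installs older than the fixed release.
# The inventory rows are constructed sample data, not real hosts.
import csv
import io

FIXED_VERSION = "v6.2531.1"  # first fixed release, per the advisory

SAMPLE_INVENTORY = """host,extension_version
laptop-01,6.2531.1
laptop-02,v6.2530.4
laptop-03,6.2531.10
laptop-04,6.999.0
laptop-05,6.2532
laptop-06,unknown
"""

def parse_version(text):
    """Turn 'v6.2531.1' or '6.2531.1' into a tuple of ints, or None if malformed."""
    parts = text.strip().lstrip("vV").split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def is_affected(version_text, fixed=FIXED_VERSION):
    """True if older than the fix, False if fixed, None if the version is unreadable."""
    version, fixed_v = parse_version(version_text), parse_version(fixed)
    if version is None:
        return None
    # Pad to equal length so '6.2532' compares as 6.2532.0.
    width = max(len(version), len(fixed_v))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) < pad(fixed_v)

def audit(inventory_csv):
    """Return (hosts to update, hosts needing manual review)."""
    to_update, to_review = [], []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        verdict = is_affected(row["extension_version"])
        if verdict is None:
            to_review.append(row["host"])  # unreadable version: check by hand
        elif verdict:
            to_update.append(row["host"])
    return to_update, to_review

if __name__ == "__main__":
    update, review = audit(SAMPLE_INVENTORY)
    print("update:", update)
    print("review:", review)
```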
Description
Dashlane supports passkey authentication, which allows a user to store passkeys in Dashlane and use them to sign in to the third-party domain tied to the passkey.
If a user visited a legitimate website for which they had a passkey and that domain was vulnerable to JavaScript injection, the issue could allow an attacker to overlay an HTML page element over the Dashlane log-in-with-passkey pop-up dialog. If the user clicked on the attacker’s page element, the user would unknowingly proceed with a passkey login into that legitimate website.
Exploiting this issue is complex and requires the attacker to:
- Find a legitimate third-party domain for which a Dashlane user had a passkey. Passkeys are specific to individual domains, and the Dashlane log-in-with-passkey pop-up dialog would appear only on a domain where a passkey has been registered.
- Find a JavaScript injection vulnerability, like XSS (Cross-Site Scripting), on that legitimate third-party domain that allows the attacker to inject their own page elements onto the website.
Impact
If a user logged into the legitimate-but-vulnerable domain, the attacker could then exploit that website’s vulnerabilities to gain unauthorized access to the user’s account on that website. In this scenario, the passkeys themselves would remain secure and not be exposed.
Acknowledgements
The issue was reported to Dashlane by Marek Tóth. We thank Marek for bringing this issue to our attention and for his partnership while resolving it.