Originally published August 9, 2025
Overview
Arrow has fixed a clickjacking issue that, under specific conditions, could have allowed an attacker to trick a user into unknowingly completing a passkey login to a legitimate domain.
The issue was reported to Arrow by an external security researcher on July 28, 2025, and fixed for all customers on Aug 1, 2025, in Arrow version v6.2531.1.
Arrow has received no reports that this issue was exploited.
Affected products
This issue affects all Arrow Smart Extension versions before v6.2531.1 (Aug 1, 2025). Arrow Smart Extension v6.2531.1 prevents this issue from being exploitable.
Arrow mobile apps aren't affected by this issue.
Recommended actions
If you're using an affected version of the Arrow Smart Extension, update to the latest version (v6.2531.1).
Description
Arrow supports passkey authentication, which allows a user to store passkeys in Arrow and use them to sign in to the third-party domain tied to the passkey.
If a user visited a legitimate website for which they had a passkey, and that domain was vulnerable to JavaScript injection, the issue allowed an attacker to overlay an injected HTML element on top of the Arrow log-in-with-passkey pop-up dialog. The overlay could be styled to look like something unrelated (a banner or a "close" button, for example) while letting clicks pass through to the dialog underneath. A user who clicked on what appeared to be the attacker's element would actually be clicking the dialog, and would unknowingly complete a passkey login to that legitimate website.
Exploiting this issue is complex and requires the attacker to:
- Find a legitimate third-party domain for which an Arrow user has a passkey. Passkeys are bound to individual domains, and the Arrow log-in-with-passkey pop-up dialog appears only on a domain where a passkey has been registered.
- Find a JavaScript injection vulnerability on that domain, such as XSS (cross-site scripting), that lets the attacker inject their own page elements into the website. Without script execution on the legitimate origin, the attacker cannot place an element over the dialog.
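The stacking trick the two conditions above enable can be modelled without a browser. The following is an added example, not Arrow's code and not the fix Arrow shipped: a pure-JavaScript model of painted order versus hit-test order, plus the two checks an injected dialog could run before treating a click as consent. Element names, coordinates and the `buildScene` helper are constructed for the example; in a real extension the layer data would come from `getBoundingClientRect()` and `getComputedStyle()` on the page's elements.

```javascript
// Added example (not Arrow/Dashlane code). Models the stacking trick behind
// the advisory: an injected element is painted over the extension's passkey
// pop-up, but is styled pointer-events: none so the click falls through to it.
//
// A layer is a simplified DOM element:
//   rect          viewport box {left, top, width, height}
//   pointerEvents CSS pointer-events ('auto' or 'none')
//   opacity       0..1 (0 means the user cannot see it)
//   ext           true if the extension injected it
// `layers` is ordered bottom-to-top in paint order (ascending z-index).

function contains(rect, x, y) {
  return x >= rect.left && x < rect.left + rect.width &&
         y >= rect.top && y < rect.top + rect.height;
}

// What the user SEES at (x, y): the topmost painted, visible layer.
function paintedTop(layers, x, y) {
  for (let i = layers.length - 1; i >= 0; i--) {
    const l = layers[i];
    if (l.opacity > 0 && contains(l.rect, x, y)) return l;
  }
  return null;
}

// What RECEIVES a click at (x, y): the topmost layer that accepts pointer
// events. This mirrors document.elementFromPoint(), which skips elements
// styled pointer-events: none, the property the overlay relies on.
function hitTestTop(layers, x, y) {
  for (let i = layers.length - 1; i >= 0; i--) {
    const l = layers[i];
    if (l.pointerEvents !== 'none' && contains(l.rect, x, y)) return l;
  }
  return null;
}

// Naive self-check a dialog might run before honouring a click:
// "am I the element under the pointer?" It passes under the overlay.
function naiveDialogIsTop(layers, dialog, x, y) {
  return hitTestTop(layers, x, y) === dialog;
}

// Stronger check: sample a grid over the dialog and flag every point where the
// user would see one element while the click would land on the dialog.
function findClickjackPoints(layers, dialog, step = 20) {
  const bad = [];
  const r = dialog.rect;
  for (let y = r.top; y < r.top + r.height; y += step) {
    for (let x = r.left; x < r.left + r.width; x += step) {
      const seen = paintedTop(layers, x, y);
      if (hitTestTop(layers, x, y) === dialog && seen !== dialog) {
        bad.push({ x, y, seen: seen ? seen.id : null });
      }
    }
  }
  return bad;
}

// Constructed scene (hypothetical ids and coordinates): the page body, the
// extension's pop-up, and optionally an attacker-injected element that looks
// like an unrelated banner and has pointer-events: none.
function buildScene(withOverlay) {
  const page = { id: 'page', rect: { left: 0, top: 0, width: 1280, height: 800 },
                 pointerEvents: 'auto', opacity: 1, ext: false };
  const dialog = { id: 'arrow-passkey-dialog',
                   rect: { left: 400, top: 300, width: 320, height: 160 },
                   pointerEvents: 'auto', opacity: 1, ext: true };
  const layers = [page, dialog];
  if (withOverlay) {
    layers.push({ id: 'injected-overlay',
                  rect: { left: 380, top: 280, width: 360, height: 200 },
                  pointerEvents: 'none', opacity: 1, ext: false });
  }
  return { layers, dialog };
}

// Decision the dialog could make before treating a click as user consent:
// it must be under the pointer AND nothing visible may be painted over it.
function clickIsTrustworthy(scene, x, y) {
  return naiveDialogIsTop(scene.layers, scene.dialog, x, y) &&
         findClickjackPoints(scene.layers, scene.dialog).length === 0;
}
```

Two caveats for anyone porting this to a real extension: `document.elementsFromPoint()` also honours `pointer-events`, so it cannot serve as the painted-order oracle and the painted side of the check has to walk the page's elements and computed styles itself; and because the attacker already runs script on the same origin as a DOM-injected dialog, any in-page check can in principle be raced or tampered with. The general remedy for that class of problem is to move the consent step out of the page DOM into browser-level extension UI that page CSS cannot overlay; this advisory does not state which mitigation Arrow implemented.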
Impact
If a user was tricked into logging in to the legitimate-but-vulnerable domain, the attacker, who already runs script on that domain, could then abuse the resulting authenticated session to gain unauthorized access to the user's account on that website. In this scenario, the passkeys themselves would remain secure and would not be exposed: the attacker obtains a login on the vulnerable website, not the passkey.
Acknowledgements
The issue was reported to Arrow by Marek Tóth. We appreciate Marek for bringing this issue to our attention and for his partnership while resolving this issue.
Need support or have questions?
Please email us at support@dashlane.com and list "Dialog Box Overlay Issue" as the subject.
You can also reach out directly to your Customer Success Manager.