(Let me know if you prefer I not discuss password managers on this list.)
A couple of weeks ago I mentioned that I was concerned about a clickjacking attack against my password manager, but Jas assured me it wasn't a problem. I've been thinking about it, and I now think it is a problem, and not just for my password manager.
Say that you install a malicious extension with a content script that creates an invisible password field. There is a known vulnerability when your password manager automatically fills in all password fields on the page, including the one controlled by the malicious extension. Bitwarden is a popular tool that is vulnerable to this attack. Dashlane, on the other hand, requires you to use the clipboard if there are multiple password fields.
Say, instead, that you avoid this problem by requiring a click in the password field. You are vulnerable if the attacker can induce you to click on the invisible password field. A solution to this problem is to set up the click handler only for visible password fields. Another is to require pasting the password if the tool finds more than one password field. Psono, an open source password manager, avoids this problem by requiring a second click in a popup menu.
Is my concern real? If so, is my mitigation sufficient?