Click Studios, the developer of enterprise-focused password management solution Passwordstate, said it has released security updates to address an authentication bypass vulnerability in its software.
The issue, which is yet to be assigned a CVE identifier, has been addressed in Passwordstate 9.9 (Build 9972), released August 28, 2025.
The Australian company said it fixed a “potential Authentication Bypass when using a carefully crafted URL against the core Passwordstate Products’ Emergency Access page.”
Also included in the latest version are improved protections to safeguard against potential clickjacking attacks aimed at its browser extension, should users end up visiting compromised sites.
The safeguards are likely in response to findings from security researcher Marek Tóth, who, earlier this month, detailed a technique called Document Object Model (DOM)-based extension clickjacking that several password manager browser add-ons have been found vulnerable to.
“A single click anywhere on an attacker-controlled website could allow attackers to steal users’ data (credit card details, personal data, login credentials, including TOTP),” Tóth said. “The new technique is general and can be applied to other types of extensions.”
According to Click Studios, the credential manager is used by 29,000 customers and 370,000 security and IT professionals, spanning global enterprises, government agencies, financial institutions, and Fortune 500 companies.
The disclosure comes over four years after the company suffered a supply chain breach that enabled attackers to hijack the software’s update mechanism in order to drop malware capable of harvesting sensitive information from compromised systems.
Then in December 2022, Click Studios also resolved multiple security flaws in Passwordstate, including an authentication bypass for Passwordstate’s API (CVE-2022-3875, CVSS score: 9.1) that could have been exploited by an unauthenticated remote adversary to obtain a user’s plaintext passwords.
