August Cyber Security Highlights

Posted on September 17, 2025

August demonstrated how fragile our digital trust layers remain, for both humans and machines. A critical clickjacking flaw in major password manager extensions exposed millions to credential theft, while AI assistants like Comet revealed how easily automation can be hijacked through hidden instructions. At the same time, real-world consequences hit hard: Norway confirmed a dam hack linked to Moscow, Salesforce customers reeled from a supply-chain breach affecting 700+ organisations, and SonicWall firewalls were targeted through a year-old vulnerability.

Techniques

Clickjacking Flaw in Popular Password Manager Extensions

Security researcher Marek Tóth has discovered that multiple major password managers are vulnerable to a clickjacking attack that can steal logins, MFA codes, credit-card details, and other sensitive data. The flaw affects the autofill prompts of their browser extensions. Attackers can overlay invisible elements on a webpage so that when a user clicks something seemingly harmless, such as a cookie consent banner, the password manager unknowingly autofills hidden fields and the values are sent to the attacker, leaking the credentials.

The issue was disclosed at DEF CON 33 in August 2025 and impacts at least 11 widely used extensions, including 1Password, Bitwarden, LastPass, Enpass, iCloud Passwords, and LogMeOnce, which account for tens of millions of users worldwide. Some managers, such as Dashlane, NordPass, ProtonPass, RoboForm, and Keeper, have released patches, but several others remain exposed. Others, such as LastPass, have introduced UI-based mitigations: a prompt that pops up when autofilling sensitive information. Researchers emphasise that fixing the vulnerability is difficult because it stems from how browsers render extension overlays rather than a single coding flaw.

To reduce risk, it is recommended to disable automatic autofill, update to the latest versions of password manager extensions, restrict browser extension permissions to specific trusted sites, and avoid browsing to unknown or dodgy websites. Despite the flaw, password managers remain safer than reusing weak or repeated passwords, and using one is still recommended best practice.

AI Assistants and the Issue with Agency

Perplexity, a US-based AI startup best known for its AI-powered search assistant, recently expanded into browsers with Comet, a paid AI-powered browser that aims to make the web easier to use by summarising pages, handling online shopping, and automating routine tasks.

Security audits have revealed that Comet suffers from indirect prompt injection vulnerabilities, where hidden instructions embedded in a webpage are treated as user commands. Tests showed Comet exfiltrating one-time passwords from email accounts and even auto-completing purchases on fake shopping sites, including filling in billing and payment details without the user’s knowledge. Despite Perplexity issuing patches, experts warn the fixes are incomplete and that Comet remains too trusting of unverified instructions.

AI email assistants face the same issue: AI cannot reliably separate user intent from hostile content, and attackers can hijack automation features. This highlights a systemic problem in AI design, where AI doesn’t interact with the web using context in the same way as humans and can be easily tricked into treating all content as instructions. The shift toward AI assistants with real agency doesn’t just automate human tasks, it expands the attack surface. Instead of only dealing with human failings like phishing clicks or weak passwords, defenders now also have to contend with AI-specific flaws.

Happenings

[Norway] Norwegian Police Security Service Formally Attributes Dam Hack to Moscow

The Norwegian Police Security Service (PST) has attributed a cyberattack on a dam near Svelgen, western Norway, to pro-Russian hackers. The intruders gained remote access to the facility’s systems and remotely opened a floodgate, releasing water at a rate of 500 litres per second for four hours. By the time operators regained control, an estimated seven million litres had been drained. The dam, primarily used for fish farming rather than hydropower, did not suffer structural damage, and no injuries were reported, thanks in part to low water levels.

The attack was performed through a web-accessible interface, using an administrator account with an easily guessable password and no additional authentication factor required. The attackers were able to use their access to this web interface to open valves in the dam to their full capacity. This event marks the first time Norway has officially attributed a cyberattack on national infrastructure to Russia, describing it as part of a broader campaign of hybrid warfare intended to create fear and demonstrate capability, while the Russian embassy dismissed the accusations as politically motivated.

This attack shows the importance of robust cybersecurity practices: the lack of MFA, secure remote access, and monitoring all contributed to the success of this attack. It also demonstrates again the potential real-world physical impacts that cyber-attacks can have. Due to the relatively low importance of this dam, it may be speculated that security was not a priority.

[Global] Salesforce Supply Chain Attack – Over 700 Organisations Impacted

Salesforce suffered a significant supply-chain attack involving Salesloft Drift, an AI-based customer engagement tool tightly integrated with Salesforce. Drift requires broad access permissions to Salesforce in order to perform these functions, and the tokens it uses to connect were stolen by threat actors, effectively acting as digital keys to customer Salesforce accounts. Once access was gained, the attackers exfiltrated data quietly and attempted to cover their tracks by deleting records of their activity.

While the initial vector into Salesloft Drift is still under investigation, the impact has been wide-ranging. It is estimated that more than 700 organisations worldwide were exposed, spanning industries from technology and finance to retail and aviation. High-profile companies such as Palo Alto Networks, Zscaler, Cloudflare, Proofpoint, Airbus, and LVMH subsidiaries confirmed that data had been accessed. The stolen information varied but included customer contact details and support tickets. In some cases these organisations used Salesforce for product support case management, meaning that support tickets contained sensitive credentials and organisational information that could be used in direct attacks.

Organisations should be wary when providing sensitive information even to trusted support vendors. When it is required, the information should be limited to only what is absolutely needed for support, and credentials should be rotated afterwards. Organisations that believe they are affected should receive notification from their vendor / technology partners, but it is prudent to rotate any credentials that have been provided in support tickets to any of the affected organisations.
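To decide which credentials to rotate, a team can sweep its own exported support cases for credential-like strings. The sketch below is an added example, not part of the original post or any vendor tooling; it assumes cases are available as id/body records, and the patterns, case IDs and sample text are constructed for illustration.

```python
import re

# Illustrative detectors only; a real sweep would use a fuller rule set.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "bearer_token": re.compile(r"\bBearer\s+[A-Za-z0-9._~+/-]{20,}=*"),
    "labelled_secret": re.compile(
        r"\b(?:password|passwd|pwd|secret|api[_-]?key|token)\b\s*[:=]\s*(\S{6,})",
        re.IGNORECASE),
}

# Constructed sample export of support cases (not real data).
SAMPLE_CASES = [
    {"id": "CASE-0001",
     "body": "VPN drops every hour. Login is admin, password: Winter2025!x"},
    {"id": "CASE-0002",
     "body": "Dashboard is slow after the upgrade, no errors in the log."},
    {"id": "CASE-0003",
     "body": "Collector uses AKIAIOSFODNN7EXAMPLE and the header "
             "'Authorization: Bearer abcdefghijklmnopqrstuvwxyz012345'."},
]


def redact(value):
    """Return a hint that identifies the secret without reproducing it."""
    return f"{value[:2]}...({len(value)} chars)"


def scan_cases(cases):
    """Return one finding per credential-like string found in a case body."""
    findings = []
    for case in cases:
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(case["body"]):
                # Use the captured value when the pattern has a group,
                # otherwise the whole match.
                secret = match.group(match.lastindex or 0)
                findings.append({"case": case["id"], "kind": kind,
                                 "hint": redact(secret)})
    return findings


def cases_needing_rotation(findings):
    """Case IDs whose embedded credentials should be rotated."""
    return sorted({f["case"] for f in findings})


if __name__ == "__main__":
    for finding in scan_cases(SAMPLE_CASES):
        print(finding)
```

The report carries only a redacted hint, so the findings list can be shared with the teams doing the rotation without copying the secrets a second time.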

[Global] SonicWall Firewalls Breached – One Year Old Patched Vulnerability

A recent wave of ransomware attacks exploited a serious vulnerability in SonicWall Gen 7 SSL VPN (Virtual Private Network) functionality. The flaw, tracked as CVE-2024-40766, had been disclosed and patched, but many organisations had not yet applied the patch. The flaw was rated as 9.8 (critical) and allowed remote unauthenticated attackers to bypass authentication entirely (including MFA) and gain administrator-level access to the firewall – an extremely serious and dangerous flaw. Although a patch was released in August 2024, a scan in December of the same year indicated that around 49,000 unpatched devices were still exposed to the internet.

The group behind the attacks, Akira, systematically exploited this flaw throughout 2025, with SonicWall confirming in August that they had seen a marked increase in attacks targeting the Gen 7 firewalls with SSL VPN enabled, corroborating observations from cybersecurity researchers tracking the group. Akira typically combine ransomware and data theft in a double extortion monetisation model, attempting to charge organisations to unlock their data, and then blackmailing them to not release or sell the stolen data.

It should go without saying, but these attacks highlight the importance of patching for critical systems, especially network edge appliances, and likely point towards these organisations not having any knowledge that they were at risk. Organisations should look to understand what their critical devices and appliances are, and ensure these are kept up to date. To mitigate against vulnerabilities in critical devices, organisations should be receiving vulnerability notifications related to these devices and be regularly scanning their assets for vulnerabilities.

[China] Microsoft Tightens Exploit Code Access After China-Linked Attacks

Microsoft’s SharePoint platform was hit by a wave of zero-day attacks, known as ToolShell, carried out by suspected China-linked threat actors. Hundreds of on-premises servers were compromised. The attackers stole cryptographic keys by installing malicious scripts onto compromised SharePoint servers, which let them maintain persistent access even after the initial vulnerability was patched. What was particularly alarming was how quickly the exploits surfaced: only hours after Microsoft’s private security alerts went out, fuelling speculation that early access information from the Microsoft Active Protections Program (MAPP) had been leaked.

MAPP was designed to help trusted security vendors prepare defences by sharing proof-of-concept exploit code ahead of public patch releases. Microsoft has now updated how they deliver these alerts – companies in jurisdictions with mandatory vulnerability disclosure to governments, such as China, will no longer receive proof-of-concept (PoC) code. Instead, they will only receive general descriptions, reducing the chance of information being disclosed and misused prior to patches being available.

There is a broader risk in the cybersecurity world, where sharing sensitive cyber intelligence with nation states that actively sponsor or enable hacking groups can risk arming adversaries with the very tools they use to attack. Vendors are having to find and strike a balance between protecting customers in all regions of the globe, while also maintaining their duty to protect those who may become targets if information related to attack vectors is shared for defensive purposes.