How we protected MEGA Pass against clickjacking attacks


In August 2025, an independent security report revealed that several major password managers were vulnerable to clickjacking, a web attack that tricks users into clicking something they cannot see. In the case of a password manager, that hidden click can silently cause login credentials to be autofilled into a page the attacker controls.

MEGA Pass wasn’t mentioned in the report, but that didn’t stop us from taking a closer look. Password managers protect some of the most sensitive information you have. That’s why we treat even potential vulnerabilities as something that needs immediate attention.

As soon as the findings were made public, our developers launched a full review of MEGA Pass. During that investigation, we discovered a similar vulnerability in our own system. We’ve since resolved the issue.

So what is clickjacking, why does it matter, and what have we done to protect MEGA Pass users?

What is clickjacking and why it matters

Clickjacking is a deceptive technique that tricks you into clicking something different from what you see.

Imagine trying to press a “play” button on a video, but an invisible “confirm payment” button has been layered on top of it. You see the play button, but the transparent button on top is what actually receives your click, so you trigger the hidden action without realising it.

In the context of password managers, this is especially dangerous. A malicious page can place a login field, or the password manager’s own autofill prompt, where you cannot see it. If a disguised click then makes the password manager fill your credentials into that invisible element, the attacker’s page can read them, and you never notice anything happened.

What we found during our investigation

Shortly after the report was published, we ran a full internal audit of MEGA Pass.

Under specific conditions, our development team found that a malicious website could embed MEGA Pass login forms inside hidden elements and use a transparent overlay to hijack the user’s clicks, so that a click on an apparently harmless part of the page actually landed on the hidden form.

Although we had no reports of real-world attacks, we take any potential threat seriously. Exploitation would have required a user to visit a malicious website and interact with a deliberately disguised interface.

As soon as the issue was confirmed, we began building a fix.

How we fixed it

We introduced several layers of protection to prevent clickjacking attacks in MEGA Pass:

  • Pointer validation before action: Before filling a password or unlocking your vault, MEGA Pass checks for invisible overlays at the exact click location.
  • Visibility enforcement: MEGA Pass refuses to interact with hidden or nearly invisible fields, including those using opacity or display tricks.
  • Strict autofill rules: Autofill only works on fields that are clearly visible and reachable.
  • Iframe protection: When embedded in another page, MEGA Pass verifies that nothing is hidden above it.

Together, these protections ensure that MEGA Pass only fills passwords when you’re interacting with visible, legitimate login fields. If anything is hidden, overlaid, or suspicious, the action is blocked automatically.
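The pointer-validation and visibility checks above are the kind of logic a password manager’s content script runs before it fills anything. The code below is an added example of that logic, not MEGA Pass’s own implementation. It is written against standard DOM APIs (`getComputedStyle`, `elementFromPoint`, `getBoundingClientRect`); the `doc` and `getStyle` parameters are injected so the same functions run in a browser or, as here, offline against a constructed stand-in page. The opacity and size thresholds are assumptions chosen for illustration.

```javascript
// Added example (not MEGA Pass's own code): visibility and hit-test checks a
// password manager can run before autofilling a field. `doc` and `getStyle`
// are injected so this runs in a browser (pass `document` and
// `window.getComputedStyle`) or offline against the stand-in built in runDemo.

const MIN_OPACITY = 0.5; // assumed threshold: anything fainter counts as hidden
const MIN_SIZE_PX = 8;   // assumed threshold: a real login box is larger than this

// Visibility enforcement. The field is only "visible" if neither it nor any
// ancestor is display:none / visibility:hidden, the effective opacity down the
// ancestor chain stays above the threshold, and its box is on screen and
// large enough to be a real input. Checking ancestors matters: a page can hide
// an injected element by styling a parent it controls.
function isVisiblyRendered(el, getStyle) {
  let opacity = 1;
  for (let node = el; node; node = node.parentElement) {
    const s = getStyle(node);
    if (s.display === 'none' || s.visibility === 'hidden') return false;
    opacity *= parseFloat(s.opacity);
    if (opacity < MIN_OPACITY) return false;
  }
  const r = el.getBoundingClientRect();
  if (r.width < MIN_SIZE_PX || r.height < MIN_SIZE_PX) return false;
  if (r.right <= 0 || r.bottom <= 0) return false; // pushed off screen
  return true;
}

// Pointer validation. The element the browser reports at the click point must
// be the field itself or something inside it. A transparent overlay on top is
// what elementFromPoint returns instead, and the fill is refused.
function isTopmostAtPoint(el, x, y, doc) {
  const top = doc.elementFromPoint(x, y);
  return top !== null && (top === el || el.contains(top));
}

// Combined decision: every check must pass or autofill is blocked, and the
// reason is returned so the UI can explain the refusal instead of failing silently.
function mayAutofill(field, clickX, clickY, doc, getStyle) {
  if (!isVisiblyRendered(field, getStyle)) {
    return { ok: false, reason: 'field hidden' };
  }
  if (!isTopmostAtPoint(field, clickX, clickY, doc)) {
    return { ok: false, reason: 'overlay at click point' };
  }
  return { ok: true, reason: 'visible and unobstructed' };
}

// Constructed stand-in for a DOM subtree so the checks can run outside a browser.
function makeEl(name, style, rect, parent = null) {
  return {
    name, style, parentElement: parent,
    getBoundingClientRect: () => rect,
    contains(other) {
      for (let n = other; n; n = n.parentElement) if (n === this) return true;
      return false;
    },
  };
}

function box(left, top, width, height) {
  return { left, top, width, height, right: left + width, bottom: top + height };
}

// Three constructed scenarios: a clean login field, the same field under a
// near-transparent full-page overlay, and a field hidden by a faint wrapper.
function runDemo() {
  const normal = { display: 'block', visibility: 'visible', opacity: '1' };
  const body = makeEl('body', normal, box(0, 0, 800, 600));
  const loginField = makeEl('input#password', normal, box(100, 100, 200, 30), body);
  const overlay = makeEl('div.overlay', { ...normal, opacity: '0.01' }, box(0, 0, 800, 600), body);
  const faintWrapper = makeEl('div.wrapper', { ...normal, opacity: '0.02' }, box(100, 200, 200, 30), body);
  const hiddenField = makeEl('input#decoy', normal, box(100, 200, 200, 30), faintWrapper);

  const getStyle = (el) => el.style;
  const cleanDoc = { elementFromPoint: () => loginField };   // nothing on top of the field
  const overlaidDoc = { elementFromPoint: () => overlay };   // the overlay catches the click

  return {
    clean: mayAutofill(loginField, 150, 115, cleanDoc, getStyle),
    overlaid: mayAutofill(loginField, 150, 115, overlaidDoc, getStyle),
    hidden: mayAutofill(hiddenField, 150, 215, cleanDoc, getStyle),
  };
}
```

In a real extension the click handler would call `mayAutofill(field, ev.clientX, ev.clientY, document, window.getComputedStyle)`. Two caveats a practitioner should keep in mind: `elementFromPoint` only sees the document it is called on, so when the field lives inside an iframe the content script in the top frame has to repeat the hit test against the frame element itself (the “iframe protection” point above); and these heuristics complement, rather than replace, a `Content-Security-Policy: frame-ancestors` header on the service’s own web pages, which stops those pages being framed at all but cannot protect UI that an extension injects into a third-party page.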

All checks happen locally and don’t require access to your browsing history or personal data.

What MEGA Pass users need to know

There’s nothing you need to do. The vulnerability has been resolved, and your passwords remain secure.

MEGA Pass uses a zero-knowledge, user-controlled encryption model. This means your data is encrypted on your device, and only you hold the keys. Not even MEGA can see your credentials.

We’ll continue to test, monitor, and improve MEGA Pass to make sure it stays secure.

If you’re not using MEGA Pass yet, see how it keeps your passwords secure.