Zero-Day Vulnerability allow attackers to steal users data Found in Password Managers( 1Password, Bitwarden, LastPass, Enpass, iCloud Passwords, and LogMeOnce remain unpatched— still vulnerable)

It's a clever attack but if I understand correctly it requires malicious script to be injected into a trusted webpage (ie. one that you normally log in to). This limits the utility of the attack, since any script injection vulnerability would already allow exfiltration of credentials that are entered manually when you log in to the site, password manager or not. The difference with this attack is that the attacker doesn't have to wait for you to log in, they just trick the password manager into autofilling the credentials straight away.

<iframe> should have been kicked into the sun a long long time ago.

TLDR: Avoid autofill. Manually copy pasting your password is the temporary workaround until the vulnerability is fixed.

In my research, I selected 11 password managers that are used as browser extensions and the result was that all were vulnerable to "DOM-based Extension Clickjacking". Tens of millions of users could be at risk (~40 million active installations).

I've never used the browser extensions. Seemed like a pretty obvious vector. Good on the author.

That's scary