Skip to main content
Best answer by 1P_SimonH

[Note that I'm marking this as a Solution just to make it more visible]

Hi all,

Thanks for all the questions and the thoughtful discussion. We wanted to provide a bit more context about the research and what it means for 1Password users.

A researcher identified a variation of a clickjacking attack, where a malicious website can trick someone into unknowingly triggering the autofill action in a browser extension. They reported the issue through our bug bounty program and worked with us ahead of their DEF CON presentation.

Clickjacking is not unique to the 1Password browser extension. It is a long-standing web attack technique that affects websites and browser extensions broadly. The underlying issue lies in the way browsers render webpages. After conducting a thorough review, including prototyping potential mitigations, we concluded there’s no comprehensive technical fix that browser extensions can deliver on their own.

Your information in 1Password remains encrypted and protected. Clickjacking does not expose your 1Password data or export your vault contents, and no website can directly access your information without interaction with the browser extension’s autofill element. At most, a malicious or compromised webpage could trick you into autofilling one matching item per click, not everything in your account.

We take this and all security concerns seriously, and our approach to this particular risk is to focus on giving customers more control. 1Password already requires confirmation before autofilling payment information, and in our next release, which is already shipped and undergoing review from the browser extension stores, we’re extending that protection so users can choose to enable confirmation alerts for other types of data. This helps users stay informed when autofill is happening and in control of their data.

On the question of disabling autofill: while it might feel safer, it can actually create more risk. Without autofill, people are more likely to reuse weak passwords or copy and paste credentials into websites, where they can still be stolen if the site is malicious. Autofill also protects you against phishing sites by only working on the exact domains your credentials are saved for. In practice, for the majority of users, we believe the risk of disabling autofill is greater than the risk of clickjacking.

Passkeys are not impacted by clickjacking. Passkeys are tied to the website they’re created on and generate a one-time signature during login. That means no reusable secret is ever exposed, and even if someone tried clickjacking, there’s nothing permanent to steal.

You can learn more in our security advisory.

13 replies

August 29, 2025

Hello!

I was recently made aware of a clickjacking exploit that many password manager browser extensions are vulnerable to, including 1Password. This was presented at this year's Defcon on August 9th, with responsible disclosure made known to 1Password back in April. 

https://marektoth.com/blog/dom-based-extension-clickjacking/#key-information

A good example of how this attack works is shown here, with the attack website overlaid with the browser extension elements at half-opacity.  https://share.cleanshot.com/9S0XzK4W

The extension elements would be invisible in a real attack. 

I'm an owner on my company's 1Password for Business plan, and wanted to know what administrative steps I can take with 1Password to secure against this attack, and if 1Password has any public response to this exploit. 

There are several steps users can take to mitigate the attack both in the extension settings, and the way their browser handles the extension. However, I am not finding a way to administratively change extension settings for my users with 1Password, and would need them to take these steps manually. I can possibly use managed browser settings to only allow extensions site access on click. 

The two steps I have taken are to force the auto lock time to 10 minutes, and to require app updates. However this exploit is present in recent versions (<=8.11.7.2).
https://marektoth.com/blog/dom-based-extension-clickjacking/#fixed-versions
I will also be integrating with a SEIM tool. Is there anything else I could be doing to protect my company?

1P_Blake
Community Manager
September 3, 2025

The steps you’ve already taken are spot on. Enforcing shorter auto-lock times and requiring app updates are exactly the kind of things that help reduce exposure today. On your broader question, we’ve published both a security advisory and a blog post that go deeper into the research and our response.

While users can already turn on confirmation prompts for all item types in their extension settings, we know that’s tough to manage across a whole company. That’s why we’re rolling out a new Business policy that will let admins set those defaults for their team. Timelines will be shared soon, but it’s actively in the works.

September 3, 2025

This is absolutely unacceptable, we have banned 1Password extension globally because 1Password refused to properly address the clickjacking issue, and now we are looking into switching to a new password management product that chose to fix this issue.

1P_Blake
Community Manager
September 3, 2025

This isn't something we've refused to fix — it's something no extension can completely fix on its own. There are partial mitigation approaches out there, but in our research and testing, they can break expected behavior without fully eliminating the risk.

That’s why we’ve focused on safeguards that matter in practice. The 1Password extension already enforces strict domain matching so logins only fill where they belong, and it blocks scripts from tampering with the extension interface. Credit cards have always required a confirmation prompt before filling, and in our latest release we’ve added the option to turn that same protection on for other item types too.

Our goal is to reduce the risk in a way that’s both effective and reliable in everyday use. If you’d like the deep dive, we’ve put together a security advisory and a blog post that walks through the research and the steps we’ve taken.

September 11, 2025

While I think it is not so easy to exploit this, it's still possible (subdomain hijacking, XSS, ...)

I really want to see some efforts from a password manager to prevent this, other than making another prompt for filling in personal data. I'm aware of the security advisory (https://support.1password.com/kb/202508/) but I'm not convinced that this should "fix" the problem as a whole.

Please implement additional mitigations to make it even harder for attackers as mentioned by Marek Tóth:
https://marektoth.com/blog/dom-based-extension-clickjacking/#mitigation

Thanks