Forum Discussion
accordionmelody
16 days ago (Dedicated Contributor)
Browser Extension Risk Clickjacking
According to this report, I wondered what the position of 1Password is on this issue and when it will be fixed.
https://www.bleepingcomputer.com/news/security/major-password-managers-can-leak-login...
- 15 days ago
[Note that I'm marking this as a Solution just to make it more visible]
Hi all,

Thanks for all the questions and the thoughtful discussion. We wanted to provide a bit more context about the research and what it means for 1Password users.
A researcher identified a variation of a clickjacking attack, where a malicious website can trick someone into unknowingly triggering the autofill action in a browser extension. They reported the issue through our bug bounty program and worked with us ahead of their DEF CON presentation.
Clickjacking is not unique to the 1Password browser extension. It is a long-standing web attack technique that affects websites and browser extensions broadly. The underlying issue lies in the way browsers render webpages. After conducting a thorough review, including prototyping potential mitigations, we concluded there’s no comprehensive technical fix that browser extensions can deliver on their own.
Your information in 1Password remains encrypted and protected. Clickjacking does not expose your 1Password data or export your vault contents, and no website can directly access your information without interaction with the browser extension’s autofill element. At most, a malicious or compromised webpage could trick you into autofilling one matching item per click, not everything in your account.
We take this and all security concerns seriously, and our approach to this particular risk is to focus on giving customers more control. 1Password already requires confirmation before autofilling payment information, and in our next release, which is already shipped and undergoing review from the browser extension stores, we’re extending that protection so users can choose to enable confirmation alerts for other types of data. This helps users stay informed when autofill is happening and in control of their data.
On the question of disabling autofill: while it might feel safer, it can actually create more risk. Without autofill, people are more likely to reuse weak passwords or copy and paste credentials into websites, where they can still be stolen if the site is malicious. Autofill also protects you against phishing sites by only working on the exact domains your credentials are saved for. In practice, for the majority of users, we believe the risk of disabling autofill is greater than the risk of clickjacking.
Passkeys are not impacted by clickjacking. Passkeys are tied to the website they’re created on and generate a one-time signature during login. That means no reusable secret is ever exposed, and even if someone tried clickjacking, there’s nothing permanent to steal.
You can learn more in our security advisory.
DenalB
15 days ago (Super Contributor)
Thank you, 1P_SimonH, for the explanation.
But, as shown in the next video, there is no data I actively fill in on a website. I just solve a puzzle and in the background all my items in my 1Password vault are shared with the hacker.
https://marektoth.com/video/dom-extension-clickjacking-demo2.mp4
The video shows what could happen, and this should be fixed immediately.
Don't get me wrong, it's also good to have the possibility to enable a confirmation before autofill.
willkil
14 days ago (New Contributor)
The video you linked is an example of an older iFrame-based vulnerability and, more importantly, does not apply to 1Password. You can see the same video you referenced in the researcher's paper at:
https://marektoth.com/blog/dom-based-extension-clickjacking/#iframe-based
There, the researcher says:
"In this research focused on password managers, one of them had this issue. In December 2023, I reported this clickjacking vulnerability in the NordPass password manager."
Above that quote, the researcher also stated that he was explaining the iFrame-based vulnerability only as background. It was not the subject of the current research:
"I will first describe the IFRAME-based variant, which was not the research focus but may be unknown to many people."
Concerning how 1Password is vulnerable to clickjacking, 1P_SimonH said:
"At most, a malicious or compromised webpage could trick you into autofilling one matching item per click, not everything in your account."
The researcher's conclusion agrees with that:
"1 click = attacker gets your credentials incl. TOTP (only for vulnerable domain)"
- DenalB, 8 days ago (Super Contributor)
Thanks for mentioning that! It wasn't clear to me. Now it is. Thanks. 🙏