accordionmelody
17 days ago · Dedicated Contributor
Browser Extension Risk Clickjacking
According to this report, I wondered what the position of 1Password is on this issue and when it will be fixed.
https://www.bleepingcomputer.com/news/security/major-password-managers-can-leak-login...
- 16 days ago
[Note that I'm marking this as a Solution just to make it more visible]
Hi all,

Thanks for all the questions and the thoughtful discussion. We wanted to provide a bit more context about the research and what it means for 1Password users.
A researcher identified a variation of a clickjacking attack, where a malicious website can trick someone into unknowingly triggering the autofill action in a browser extension. They reported the issue through our bug bounty program and worked with us ahead of their DEF CON presentation.
Clickjacking is not unique to the 1Password browser extension. It is a long-standing web attack technique that affects websites and browser extensions broadly. The underlying issue lies in the way browsers render webpages. After conducting a thorough review, including prototyping potential mitigations, we concluded there’s no comprehensive technical fix that browser extensions can deliver on their own.
Your information in 1Password remains encrypted and protected. Clickjacking does not expose your 1Password data or export your vault contents, and no website can directly access your information without interaction with the browser extension’s autofill element. At most, a malicious or compromised webpage could trick you into autofilling one matching item per click, not everything in your account.
We take this and all security concerns seriously, and our approach to this particular risk is to focus on giving customers more control. 1Password already requires confirmation before autofilling payment information, and in our next release, which is already shipped and undergoing review from the browser extension stores, we’re extending that protection so users can choose to enable confirmation alerts for other types of data. This helps users stay informed when autofill is happening and in control of their data.
On the question of disabling autofill: while it might feel safer, it can actually create more risk. Without autofill, people are more likely to reuse weak passwords or copy and paste credentials into websites, where they can still be stolen if the site is malicious. Autofill also protects you against phishing sites by only working on the exact domains your credentials are saved for. In practice, for the majority of users, we believe the risk of disabling autofill is greater than the risk of clickjacking.
Passkeys are not impacted by clickjacking. Passkeys are tied to the website they’re created on and generate a one-time signature during login. That means no reusable secret is ever exposed, and even if someone tried clickjacking, there’s nothing permanent to steal.
You can learn more in our security advisory.
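To make the controls described in the reply concrete (autofill only on the exact domain an item was saved for, a confirmation step before filling sensitive items, and a check that the autofill element a click lands on is really the extension's own and not something sitting on top of it), here is an added JavaScript sketch written for this thread. It is not 1Password's code and does not describe how the extension is implemented; the function and policy names are hypothetical, and the occlusion check takes a `topElementAt` callback (in a browser that would be `document.elementFromPoint`) so the logic runs outside the DOM.

```javascript
// Added illustration for this thread, not 1Password's code. Names such as
// AutofillPolicy, decideAutofill and isUnoccluded are hypothetical.

// 1. Exact-origin matching: a saved item only fills on the exact hostname it
//    was saved for, and only over https. Substring or suffix matching would
//    let "example.com.evil.test" or a plain-http page receive credentials.
function originMatches(savedUrl, pageUrl) {
  let saved, page;
  try {
    saved = new URL(savedUrl);
    page = new URL(pageUrl);
  } catch {
    return false; // unparseable URL: never fill
  }
  return page.protocol === 'https:' &&
         saved.hostname.toLowerCase() === page.hostname.toLowerCase();
}

// 2. Per-category confirmation. Payment items always need an explicit
//    confirmation; for other categories the user's policy decides, which is
//    the kind of opt-in control the reply describes.
const AutofillPolicy = {
  confirm: { creditCard: true, login: false, identity: false },
};

// Returns 'deny' (origin mismatch), 'prompt' (ask the user first) or 'fill'.
function decideAutofill({ item, savedUrl, pageUrl, userConfirmed, policy = AutofillPolicy }) {
  if (!originMatches(savedUrl, pageUrl)) return 'deny';
  const needsConfirm =
    item.category === 'creditCard' || policy.confirm[item.category] === true;
  if (needsConfirm && !userConfirmed) return 'prompt';
  return 'fill';
}

// 3. Occlusion check: before honouring a click on the extension's own widget,
//    sample the widget's center and four inset corners and require that the
//    topmost element at each point is the widget itself. `rect` is the
//    widget's bounding box; `topElementAt(x, y)` returns the topmost element
//    at a viewport point (document.elementFromPoint in a browser).
function isUnoccluded(widget, rect, topElementAt) {
  const right = rect.left + rect.width;
  const bottom = rect.top + rect.height;
  const samples = [
    [rect.left + rect.width / 2, rect.top + rect.height / 2],
    [rect.left + 1, rect.top + 1],
    [right - 1, rect.top + 1],
    [rect.left + 1, bottom - 1],
    [right - 1, bottom - 1],
  ];
  return samples.every(([x, y]) => topElementAt(x, y) === widget);
}

// Stand-alone demo with constructed inputs.
console.log(decideAutofill({
  item: { category: 'creditCard' },
  savedUrl: 'https://shop.example.com',
  pageUrl: 'https://shop.example.com/checkout',
  userConfirmed: false,
})); // 'prompt'
```

The occlusion check only catches something drawn on top of the widget; it cannot tell whether the page has styled the extension's own element so the user does not recognise what they are clicking, which is why the reply concludes that no extension-only fix is comprehensive and treats confirmation prompts as the control that matters. Treat the three functions as layered defence, not as a complete answer.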
therealex
13 days agoNew Contributor
Has 1Password addressed this? I'm a bit ticked that I had to find out about it from my newsfeed, and not a notification from 1Password:
https://www.tomsguide.com/computing/online-security/major-flaw-in-top-password-managers-lets-hackers-steal-your-login-details-2fa-codes-credit-card-info-and-more
- therealex · 12 days ago · New Contributor
Thanks for the updates. I wonder why the other password managers implemented a fix, and not 1Password?
- Keithkunz2 · 13 days ago · New Contributor
Until fixes become available, Tóth recommends that users disable the autofill function in their password managers and only use copy/paste.
BleepingComputer has contacted all vendors who haven’t pushed fixes onto their products yet, and we will update this post with their responses once they reach us.
[Update 8/20 3:20 PM EST] - LastPass and LogMeOnce reached out to BleepingComputer following the publication of this article to explain that they too are working on resolving the issues raised in Tóth's report.
[Update 8/20 3:40 PM EST] - Edited the vendor notification timeline for better accuracy, based on new information received from Socket.
[Update 8/20 4:15 PM EST] - LastPass sent BleepingComputer the following statement:
- Keithkunz2 · 13 days ago · New Contributor
The vendors that implemented fixes are Dashlane (v6.2531.1 released on August 1), NordPass, ProtonPass, RoboForm, and Keeper (v17.2.0 released in July). However, users should make sure that they're running the latest available versions of the products.
- Keithkunz2 · 13 days ago · New Contributor
It looks like other password managers have offered a fix?
- Keithkunz2 · 13 days ago · New Contributor
[Update 8/21 3:40 AM EST] - 1Password sent BleepingComputer the following comment:
"Clickjacking is not unique to the 1Password browser extension. It is a long-standing web attack technique that affects websites and browser extensions broadly. Because the underlying issue lies in the way browsers render webpages, we believe there’s no comprehensive technical fix that browser extensions can deliver on their own.
We take this and all security concerns seriously, and our approach to this particular risk is to focus on giving customers more control. 1Password already requires confirmation before autofilling payment information, and in our next release, we’re extending that protection so users can choose to enable confirmation alerts for other types of data. This helps users stay informed when autofill is happening and in control of their data." - Jacob DePriest, CISO at 1Password