accordionmelody
2 months ago · Dedicated Contributor
Browser Extension Risk Clickjacking
According to this report, I wondered what the position of 1Password is on this issue and when it will be fixed.
https://www.bleepingcomputer.com/news/security/major-password-managers-can-leak-login...
2 months ago
[Note that I'm marking this as a Solution just to make it more visible]
Hi all,
Thanks for all the questions and the thoughtful discussion. We wanted to provide a bit more context about the research and what it means for 1Password users.
A researcher identified a variation of a clickjacking attack, where a malicious website can trick someone into unknowingly triggering the autofill action in a browser extension. They reported the issue through our bug bounty program and worked with us ahead of their DEF CON presentation.
Clickjacking is not unique to the 1Password browser extension. It is a long-standing web attack technique that affects websites and browser extensions broadly. The underlying issue lies in the way browsers render webpages. After conducting a thorough review, including prototyping potential mitigations, we concluded there’s no comprehensive technical fix that browser extensions can deliver on their own.
Your information in 1Password remains encrypted and protected. Clickjacking does not expose your 1Password data or export your vault contents, and no website can directly access your information without interaction with the browser extension’s autofill element. At most, a malicious or compromised webpage could trick you into autofilling one matching item per click, not everything in your account.
We take this and all security concerns seriously, and our approach to this particular risk is to focus on giving customers more control. 1Password already requires confirmation before autofilling payment information, and in our next release, which has already shipped and is undergoing review by the browser extension stores, we’re extending that protection so users can choose to enable confirmation alerts for other types of data. This helps users stay informed when autofill is happening and in control of their data.
On the question of disabling autofill: while it might feel safer, it can actually create more risk. Without autofill, people are more likely to reuse weak passwords or copy and paste credentials into websites, where they can still be stolen if the site is malicious. Autofill also protects you against phishing sites by only working on the exact domains your credentials are saved for. In practice, for the majority of users, we believe the risk of disabling autofill is greater than the risk of clickjacking.
Passkeys are not impacted by clickjacking. Passkeys are tied to the website they’re created on and generate a one-time signature during login. That means no reusable secret is ever exposed, and even if someone tried clickjacking, there’s nothing permanent to steal.
You can learn more in our security advisory.
rlatter
2 months ago · New Contributor
In my opinion, it is not acceptable for 1Password not to fix a known vulnerability because it can only steal the login credentials for sites one at a time. You are right that 1P asks me to verify entry of passwords if the website name differs from what was originally input. I usually just allow it without thinking. Won't do that anymore. I also will remove all browser extensions and look for another password manager.
1P_Blake
2 months ago · Community Manager
It's not that this is something we've chosen not to fix — but rather that clickjacking is something no extension can completely fix on its own. There are partial mitigation approaches out there, but in our research and testing, they can break expected behavior without fully eliminating the risk.
The 1Password extension already has safeguards in place to protect against real-world risks like this. Logins only fill on the domains they’re saved for, and the extension blocks scripts from tampering with its interface. Credit cards have always required a confirmation prompt before filling, and in our latest release we’ve extended that same protection to other item types as well.
I hear your point about sometimes approving prompts out of habit — that’s exactly why we’ve focused on visibility and control, so autofill only happens when you mean it to. Paired with shorter auto-lock times, it’s another layer that makes clickjacking much harder to exploit.