accordionmelody
2 months ago, Dedicated Contributor
Browser Extension Risk Clickjacking
According to this report, I wondered what the position of 1Password is on this issue and when it will be fixed.
https://www.bleepingcomputer.com/news/security/major-password-managers-can-leak-login...
- 2 months ago
[Note that I'm marking this as a Solution just to make it more visible]
Hi all,
Thanks for all the questions and the thoughtful discussion. We wanted to provide a bit more context about the research and what it means for 1Password users.
A researcher identified a variation of a clickjacking attack, where a malicious website can trick someone into unknowingly triggering the autofill action in a browser extension. They reported the issue through our bug bounty program and worked with us ahead of their DEF CON presentation.
Clickjacking is not unique to the 1Password browser extension. It is a long-standing web attack technique that affects websites and browser extensions broadly. The underlying issue lies in the way browsers render webpages. After conducting a thorough review, including prototyping potential mitigations, we concluded there’s no comprehensive technical fix that browser extensions can deliver on their own.
Your information in 1Password remains encrypted and protected. Clickjacking does not expose your 1Password data or export your vault contents, and no website can directly access your information without interaction with the browser extension’s autofill element. At most, a malicious or compromised webpage could trick you into autofilling one matching item per click, not everything in your account.
We take this and all security concerns seriously, and our approach to this particular risk is to focus on giving customers more control. 1Password already requires confirmation before autofilling payment information, and in our next release, which is already shipped and undergoing review from the browser extension stores, we’re extending that protection so users can choose to enable confirmation alerts for other types of data. This helps users stay informed when autofill is happening and in control of their data.
On the question of disabling autofill: while it might feel safer, it can actually create more risk. Without autofill, people are more likely to reuse weak passwords or copy and paste credentials into websites, where they can still be stolen if the site is malicious. Autofill also protects you against phishing sites by only working on the exact domains your credentials are saved for. In practice, for the majority of users, we believe the risk of disabling autofill is greater than the risk of clickjacking.
Passkeys are not impacted by clickjacking. Passkeys are tied to the website they’re created on and generate a one-time signature during login. That means no reusable secret is ever exposed, and even if someone tried clickjacking, there’s nothing permanent to steal.
You can learn more in our security advisory.
bhx
2 months ago, New Contributor
It's good to see the fast traction with response to the https://marektoth.com/blog/dom-based-extension-clickjacking/.
I’m a long-time customer who trusts 1Password for my company, myself and my direct and extended family.
While I can dig deep in this forum and discover what settings I need to enable to stay safe, I can’t stand behind my team and extended family's shoulder to ensure they are protected and all the right settings are enabled.
In light of this discovery, I would not only appreciate product updates, but also see 1password push distinct information campaigns and clear guidance to help non-experts stay safe.
1) Proactive In-App customer education (now)
Instead of just sending promotional emails from info@, get in front of users' eyes with best practices: in response to the spotlight on the clickjacking vulnerability that has reached millions, be quick with an email + in-app banner/notification that links to a short, plain-language guide on what this is about and how to protect yourself.
Include the exact settings to reduce risk (with screenshots) for users concerned about this issue.
When releasing new settings, make sure they are released as DEFAULTS, not something the customer needs to learn about:
I understand 1password is built around convenience but convenience is an IDEAL, security is a MUST.
Best practices could highlight:
- New Settings: Recommend to keep payment confirmations on; enable confirmations for all item types when the update lands. I had to dig to find this in the first place, just to see that these settings came DISabled.
- Set critical Logins to fill on the exact site they were saved for.
- Use a short auto-lock time for the extension.
- Be comprehensive (consider all device types, OS / mobile apps)
- (...)
2) Product hardening (upcoming releases)
I don't agree with Jacob's statement that all this can just be rolled off to user behavior and the way browser extensions are architected. Clickjacking is a deception technique that may be detectable with some level of accuracy.
- Add occlusion/overlay detection and refuse to fill when the page is dimmed, overlaid, or visually altered (popover/top-layer present, opacity/filters on html/body, etc.).
- Move all sensitive fills (PII, TOTP, passkeys) to an out-of-page, trusted UI (same model used for payment confirmations), so page DOM tricks can’t hide prompts.
- Change defaults to exact-host matching; broader scopes must be explicit. (again be conservative)
- Make prompts item-specific and contextual (“Fill Visa ••••4242 on checkout.example.com?”), never generic.
- Provide enterprise policies to family accounts: e.g. allow me to enforce exact-host matching, require confirmations for all fills, disable PII/credit-card autofill, shorten auto-lock, and support a first-class “on-click” injection mode.
- I'm sure your team has more ideas.
Even if there’s no single, comprehensive browser-level fix, layered defenses and safer defaults will materially reduce real-world risk—especially for non-technical users who rely on 1Password's security.
I have been and want to keep recommending 1Password to other companies and family members. It may be a mission shift, but I would hope 1password sees its responsibility to not only ship a secure product - but to provide the most secure experience end-to-end, closing gaps from product to the user - with the appropriate education at the appropriate time.
If users got this served to them by default, in bite-size in-app messages (without having to dig up their own research), it would make me sleep a lot better.
Thanks for engaging here and for the work already underway...
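One way an extension could implement the occlusion check suggested in the post above, as an added illustration (this is neither 1Password's code nor the poster's): it gathers the visibility signals named there (ancestor opacity, CSS filters, hidden elements, an element covering the field, an open popover in the top layer) and maps them to a fill/confirm/refuse decision. The 0.5 opacity threshold and the three-way decision are assumptions made for this example.

```javascript
// Added example (not 1Password code): heuristic occlusion check run on the
// target field before autofilling. Assumes standard DOM APIs on the field's
// ownerDocument; the threshold and decision policy are illustrative choices.

// Walk the target and its ancestors and collect signals that the field is not
// plainly visible to the user.
function collectOcclusionSignals(target) {
  const doc = target.ownerDocument;
  const win = doc.defaultView;
  const signals = { lowOpacity: false, filtered: false, hidden: false,
                    covered: false, popoverOpen: false };
  let opacity = 1;
  for (let el = target; el; el = el.parentElement) {
    const cs = win.getComputedStyle(el);
    opacity *= parseFloat(cs.opacity);                 // effective opacity multiplies down the tree
    if (cs.filter && cs.filter !== 'none') signals.filtered = true;
    if (cs.visibility === 'hidden' || cs.display === 'none') signals.hidden = true;
  }
  signals.lowOpacity = opacity < 0.5;                  // assumed threshold
  // Hit-test the centre of the field: null means it is outside the viewport,
  // another element means something is drawn on top of it.
  const r = target.getBoundingClientRect();
  const topEl = doc.elementFromPoint(r.left + r.width / 2, r.top + r.height / 2);
  signals.covered = topEl === null || (topEl !== target && !target.contains(topEl));
  // Open popovers live in the top layer, above all normal page content.
  try {
    signals.popoverOpen = doc.querySelectorAll(':popover-open').length > 0;
  } catch (e) {
    signals.popoverOpen = false;                       // browser without popover support
  }
  return signals;
}

// Policy: hard signals refuse the fill, soft signals require a user confirmation.
function autofillDecision(signals) {
  if (signals.hidden || signals.covered) return 'refuse';
  if (signals.lowOpacity || signals.filtered || signals.popoverOpen) return 'confirm';
  return 'fill';
}

function shouldAutofill(target) {
  return autofillDecision(collectOcclusionSignals(target));
}
```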
1P_Blake
Community Manager
2 months ago
Thanks for taking the time to write such a detailed comment bhx! It’s clear you’ve really thought about both the technical side of this and the practical impact for people who may not be security experts. We share that focus, and your points around defaults, education, and layered defenses are very much in line with the kinds of conversations our teams are having internally.
On the product-hardening side, the research being discussed reviewed a wide range of technical implementations, many of which don’t apply to the 1Password browser extension. Our extension is already built with multiple layers of protection. It prevents other scripts from manipulating the extension interface and enforces strict origin-matching rules that stop unintended iframe autofill and common web-based attacks like many types of XSS.
Because the attack scenario assumes a fully malicious website with complete control over its own scripting and UI, there are limits to what additional preventative measures can achieve. For example, current browser behavior allows Popover APIs to be layered on top of each other, reducing the effectiveness of some proposed alternatives.
To address this risk, we’ve taken a product- and user-focused approach: a confirmation alert makes it clear when autofill occurs. This prompt is especially important for credit card and identity items, which can be autofilled on any webpage or domain. It’s important to note that login items already benefit from extensive safeguards, as they only autofill on domains that match the site saved in 1Password.
We remain committed to strengthening the extension, while also ensuring our protections are practical, reliable, and user-friendly. If you'd like to dig in further, we’ve published both a security advisory and a blog with additional details.