Summary
Malicious or compromised websites may attempt to disguise or obscure the 1Password browser extension’s autofill menu with another element, tricking users into triggering the autofill action without realizing it. This type of deception is known as clickjacking.
Tip
Your information in 1Password is always encrypted and protected. Clickjacking does not expose all your 1Password data or export all your vault contents, and no webpage can directly access your information without interaction with the browser extension’s autofill element. At most, a malicious or compromised webpage could trick you into autofilling one matching item per click, not everything in your account.
An attacker who exploits clickjacking to fill a login item cannot view the filled information, unless the attacker has also compromised the website configured in the item’s autofill settings.
Clickjacking is not unique to the 1Password browser extension - it is a long-standing web attack technique that affects websites and browser extensions broadly. We conducted a thorough review, including prototyping potential mitigations and investigating the solutions other password managers put in place. Through this review, we identified that many technical controls to detect and prevent clickjacking attacks come with limitations and can often be bypassed or break expected behavior for legitimate websites, as they do not address the broader class of attack.
Our approach is to address this risk through confirmation prompts for sensitive data, autofill restricted to the exact websites to which your login data belongs, and greater user control.
These safeguards are already in place for credit card information, login, one-time password, and passkey items, and will be extended to personally identifiable information in 8.11.7.2. That means users and businesses will have the option of turning on confirmation popups for sensitive data autofill. This approach reduces the likelihood of harm from this class of attack and makes sure users are clearly informed when autofill is happening, so they remain in control of their information.
Item Type | Autofill clickjacked with no alert | Where can data be filled if clickjacked | Notes and mitigations |
---|---|---|---|
Credit card | 🟢 Not impacted | ⚪️ Not applicable | 1Password currently displays an alert box that is rendered by the browser, which can not be hidden. |
Identities | 🟡 Impacted | 🔴 Malicious website | 1Password personal data items are available on any website and can therefore be impacted. As of the 8.11.7.2 update, users can choose to opt in to an alert box similar to the one for credit card items. |
Login and One-time passwords | 🟡 Impacted | 🟢 Website configured in item | Data is only autofilled into the website(s) configured in the item. This data cannot be accessed by an attacker unless the attacker has compromised that website. See note on logins and one-time passwords. |
Passkeys | 🟡 Impacted | 🟢 Website configured in item | See note on passkeys. |
Who is affected
This issue affects all 1Password browser extension versions before 8.11.7.2 (August 2025), including 1Password for iOS, and all 1Password item types for which the “Ask before filling” alert setting has not been turned on.
Since there is no comprehensive technical fix for this kind of vulnerability, our focus is on giving customers more control and ensuring they are clearly informed when autofill is happening.
Help
As of August 20, 2025, the 8.11.7.2 1Password browser extension update was submitted to all browser stores for review. The actual availability of each updated extension will vary by browser vendor and their review process.
Update (August 22): 8.11.7.2 appears as 8.11.7 in Apple’s App Stores. Note: iOS users will need to update their mobile app to the 8.11.7 version if using Safari on mobile.
This issue applies to all 1Password users who use the affected browser extension in modern desktop browsers, or who do not have the new settings turned on. However, these attacks rely on deceptive behavior by malicious or compromised webpages and do not compromise the security of your 1Password account, vaults, or stored data. The impact is limited to specific item types under particular conditions, and only affects the visual interaction layer, which can result in an item being autofilled when that was not intended. See impact and exploitability below.
1Password has not received reports that this issue has been actively exploited by a malicious actor.
Recommended action
Because this web attack method is well known, 1Password already shows a confirmation alert before autofilling payment information, and that alert cannot be hidden or covered. In the 8.11.7.2 release, we extended that protection so users can choose to enable confirmation alerts for other types of data. This helps users stay informed when autofill is happening and in control of their data.
If you would like to leverage the new settings, update to the 8.11.7.2 version when it becomes available and turn on additional autofill confirmation prompts in your settings.
Important
While turning off autofill might feel safer, it can actually create more risk.
Without autofill, people are more likely to reuse weak passwords or copy and paste credentials into webpages, where they can still be stolen if the site is malicious.
Autofill protects you against phishing attacks by only working on the exact domains your credentials are saved for. In practice, for the majority of users, we believe the risk of turning off autofill is greater than the risk of clickjacking.
Impact and exploitability
What is a malicious or compromised website?
Clickjacking is a class of attack that a threat actor could carry out on a malicious webpage they control, or by compromising a legitimate webpage through a vulnerability.
A webpage can be considered malicious by design. Examples include phishing webpages that attempt to trick users into providing credentials, or webpages built to serve malicious ads that deliver malware. In these cases, the attacker already controls the webpage and can exfiltrate whatever the user fills, unless there are preventative measures in place.
A webpage is considered compromised when a legitimate webpage has a vulnerability within its own pages. In this case, the webpage would need to be severely compromised (e.g., with persistent XSS or injected JavaScript that can both trigger autofill and exfiltrate the results). A simple clickjacking overlay without extensive webpage control is not enough to steal data.
What is the impact to my 1Password data?
Your 1Password information remains encrypted and safe. A clickjacking attack cannot reveal or export all of your vault contents.
What clickjacking changes is the experience on the webpage: an attacker could disguise parts of the screen to trick you into filling in an item without realizing it. In that situation, only the data from the item you clicked would be at risk.
The most important thing to know is this only happens if you visit a malicious or compromised webpage designed to trick you and you click or interact with that website.
Note on logins and one-time passwords
While an attacker can use clickjacking to trigger a fill of a login item’s credentials or a one-time password code, the attacker cannot gain access to the filled information without additionally compromising the webpage that matches the item’s autofill rules.
Login items, including one-time passwords, are only available for autofill on domains that match the saved item’s website setting. By default, the extension uses the window’s top-level domain to determine whether to suggest autofill. For example, if a login item is saved for auth.example.com, it can be suggested on example.com, support.example.com, or other subdomains.
Additional out of the box mitigations
1Password uses a trusted domain list that tells the browser extension’s autofill what a webpage’s “virtual” or “effective” top-level domain (TLD) is, which provides an extra layer of security. Usually a domain’s TLD is just .com, .net, and so on. When a domain is on this trusted list, however, the entire string is treated as its own top-level domain, so further subdomains beneath it are considered unique and unrelated to each other. For example, if trusted.example.com is on the trusted list, items saved for that domain are matched exactly on trusted.example.com, while another.example.com is treated as a completely separate and unrelated site.
Additional available user settings
1Password offers a stricter “exact domain match” setting that is under the user’s control. When this setting is enabled for an item, autofill will only be offered on the specific host saved (e.g., auth.example.com), not on other subdomains. Importantly, a malicious webpage (such as malicious.com) attempting to iframe auth.example.com will not trigger autofill, and the extension will not offer to fill within cross-origin iframes. Be aware that this setting can significantly affect the usability of the extension on the many webpages that legitimately use subdomains or iframes for their login forms.
Security of one-time passwords
Time-based one-time passwords expire after 30 seconds. If an attacker tricks the user into filling a one-time password field through clickjacking, they gain at most a single valid code, not the secret or the ability to generate future codes. The underlying one-time password secret is never exposed by the extension.
Note on passkeys
Passkeys have safeguards similar to, and in some cases stronger than, those of login items when it comes to restricting autofill, so an attacker would have to compromise the webpage that matches the item’s filling rules to obtain any useful data. Passkeys may fill across many subdomains of a website, or only on specific subdomains. Passkeys follow the WebAuthn standard and are bound to a relying party ID (RP ID) when they are created; the RP ID determines on which subdomains of a website the passkey can be used.
Similar to login items, data can only be stolen if the webpage the passkey belongs to is also compromised. In this scenario, only a one-time-use signature can be stolen through clickjacking; there is no method by which the passkey itself can be stolen.
Stolen signatures cannot be reused or turned into a reusable credential like a password.
While clickjacking might allow an attacker to trigger a one-time sign-in on a compromised webpage, many other malicious actions would be possible in this scenario, regardless of whether a passkey or password is used and irrespective of the presence of a clickjacking vector.
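The matching rules described in the notes above (the default top-level-domain match for login items, the trusted domain list that turns a host into its own effective TLD, the stricter exact-match setting that also refuses cross-origin iframes, and the RP ID scoping of passkeys) can be modelled in a few functions. The block below is an added example written for this page and is not 1Password’s code: the trusted-domain entries and host names are constructed, and the decision to also check the frame’s domain in default mode is an assumption of the example, not a rule the page states.

```javascript
// Added example: a simplified model of the autofill domain rules described on
// this page. Not 1Password's implementation. The trusted-domain entries and
// host names below are constructed for illustration.

// Constructed "trusted domain list": each entry is treated as an effective
// top-level domain, so hosts beneath it are unrelated sites.
const TRUSTED_DOMAINS = new Set(['trusted.example.com']);

// Lower-case the host and drop a trailing dot (fully-qualified form).
function normalize(host) {
  return String(host).toLowerCase().replace(/\.$/, '');
}

// Number of labels that make up the host's effective TLD: 1 for an ordinary
// TLD such as "com", or the label count of the longest trusted entry that
// the host sits on or under.
function suffixLength(host) {
  let n = 1;
  for (const trusted of TRUSTED_DOMAINS) {
    if (host === trusted || host.endsWith('.' + trusted)) {
      n = Math.max(n, trusted.split('.').length);
    }
  }
  return n;
}

// Registrable domain (effective TLD plus one label): "example.com" for
// auth.example.com, but "a.trusted.example.com" for a.trusted.example.com.
// A host that is itself a trusted entry stays as it is, so items saved on
// it match only that exact host.
function registrableDomain(host) {
  host = normalize(host);
  const labels = host.split('.');
  const keep = Math.min(labels.length, suffixLength(host) + 1);
  return labels.slice(-keep).join('.');
}

// True when the host is nothing more than an effective TLD (e.g. "com").
function isPublicSuffix(host) {
  host = normalize(host);
  return host.split('.').length <= suffixLength(host);
}

// Decide whether a login item saved for item.host may be offered on a page.
// page.topHost is the top-level window's host; page.frameHost is the host of
// the frame containing the form (same as topHost when there is no frame).
function autofillAllowed(item, page) {
  const itemHost = normalize(item.host);
  const topHost = normalize(page.topHost);
  const frameHost = normalize(page.frameHost ?? page.topHost);

  if (item.exactMatch) {
    // Stricter setting: only the exact saved host, and never inside a
    // cross-origin frame, so malicious.com framing auth.example.com gets nothing.
    return frameHost === itemHost && topHost === itemHost;
  }

  // Default: decide by the top-level window's registrable domain. This model
  // additionally requires the frame itself to be on that domain; that extra
  // check is an assumption of the example, not a rule stated on the page.
  const want = registrableDomain(itemHost);
  return registrableDomain(topHost) === want && registrableDomain(frameHost) === want;
}

// WebAuthn scoping: a passkey created with RP ID rpId is usable on a host
// that equals the RP ID or is a subdomain of it, and an RP ID may never be a
// bare effective TLD (a browser would refuse to create such a credential).
function passkeyUsableOn(rpId, host) {
  rpId = normalize(rpId);
  host = normalize(host);
  if (isPublicSuffix(rpId)) return false;
  return host === rpId || host.endsWith('.' + rpId);
}

// Walk-through on constructed hosts.
const authItem = { host: 'auth.example.com' };
console.log(autofillAllowed(authItem, { topHost: 'support.example.com' }));                          // true
console.log(autofillAllowed({ ...authItem, exactMatch: true }, { topHost: 'support.example.com' })); // false
console.log(autofillAllowed(authItem, { topHost: 'malicious.com', frameHost: 'auth.example.com' })); // false
console.log(registrableDomain('a.trusted.example.com'));                                             // a.trusted.example.com
console.log(passkeyUsableOn('example.com', 'auth.example.com'));                                     // true
```

The walk-through shows the three cases the notes care about: a login saved for auth.example.com is offered on sibling subdomains by default but not under exact match, a malicious top-level page framing auth.example.com never receives the fill, and a trusted-list entry splits its subdomains into unrelated sites. The public-suffix check mirrors how browsers handle RP IDs that are effective TLDs, which is the same behaviour a trusted-list entry gets in this model.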
Commentary
1Password operates within the same visual space as the webpages you visit. This means that a malicious webpage can attempt to overlay or mimic the extension interface in ways that make detection difficult. While there are strategies to detect or mitigate some of these attempts, each comes with limitations, and there is no comprehensive technical fix. Some proposed technical fixes are not effective across all browsers, and others break expected behavior for legitimate sites.
Through in-depth testing, we found that no single mitigation was comprehensive. Attackers may use common web features in a malicious manner, and therefore easily evade detection. Several of these techniques can coexist with otherwise well-behaved webpages, making strict enforcement risky with the potential to impact usability.