Remove 1Password

Terrance · August 21, 2025, 10:32am

You forgot to post this here: @Bhaelros

For everyone else remember to always wait for all the details before speculation or straight for the throat axing a product’s reputation.

Require Open Source for Password Managers

Official reply from 1P

Hi all,

Thanks for all the questions and the thoughtful discussion. We wanted to provide a bit more context about the research and what it means for 1Password users.

A researcher identified a variation of a clickjacking attack, where a malicious website can trick someone into unknowingly triggering the autofill action in a browser extension. They reported the issue through our bug bounty program and worked with us ahead of their DEF CON presentation.

Clickjacking is not unique to the 1Password browser extension. It is a long-standing web attack technique that affects websites and browser extensions broadly. The underlying issue lies in the way browsers render webpages. After conducting a thorough review, including prototyping potential mitigations, we concluded there’s no comprehensive technical fix that browser extensions can deliver on their own.

Your information in 1Password remains encrypted and protected. Clickjacking does not expose your 1Password data or export your vault contents, and no website can directly access your information without interaction with the browser extension’s autofill element. At most, a malicious or compromised webpage could trick you into autofilling one matching item per click, not everything in your account.

We take this and all security concerns seriously, and our approach to this particular risk is to focus on giving customers more control. 1Password already requires confirmation before autofilling payment information, and in our next release, which is already shipped and undergoing review from the browser extension stores, we’re extending that protection so users can choose to enable confirmation alerts for other types of data. This helps users stay informed when autofill is happening and in control of their data.

On the question of disabling autofill: while it might feel safer, it can actually create more risk. Without autofill, people are more likely to reuse weak passwords or copy and paste credentials into websites, where they can still be stolen if the site is malicious. Autofill also protects you against phishing sites by only working on the exact domains your credentials are saved for. In practice, for the majority of users, we believe the risk of disabling autofill is greater than the risk of clickjacking.

Passkeys are not impacted by clickjacking. Passkeys are tied to the website they’re created on and generate a one-time signature during login. That means no reusable secret is ever exposed, and even if someone tried clickjacking, there’s nothing permanent to steal.

We’re preparing a security advisory that will share more details soon.

Reddit - The heart of the internet *

There is also this:

https://socket.dev/blog/password-manager-clickjacking#:~:text=It’s%20the%20opinion%20of%20the%20Socket%20Security%20Team%20that%2C%20if%20this%20is%20the%20case%2C%20the%20mitigations%20currently%20implemented%20by%20other%20password%20managers%20may%20also%20be%20bypassable

Discussion with 1Password

After filing the request for CVE numbers with US-CERT the Socket Security Team reached out to the impacted password manager vendors to alert them about the pending CVE assignment. At time of publication, only 1Password responded.

On a call between the 1Password and Socket Security Team, 1Password explained that the mitigations proposed by Tóth could be trivially bypassed, and that the only way to mitigate the vulnerabilities fully would be to implement a dialog popup to prompt the user before autofilling. It’s the opinion of the Socket Security Team that, if this is the case, the mitigations currently implemented by other password managers may also be bypassable.

1Password stated they considered this dialogue popup solution, and implemented it for credit card fields, but opted-not to implement this for PII due to user feedback, according to the H1 triage logs with Tóth:

Security and usability are a balance, one that we are always making tradeoffs back and forth to find the right solution. Sometimes there is no perfect solution, only the solution that works best for the most users. As I mentioned previously, it is only with user feedback that we chose to remove the prompt for the PII items that would prevent clickjacking from occurring. A change that we’ve documented in the support article under the "Identity alerts” section.

As of the time of publication, 1Password has chosen not to provide an official statement to the Socket Security Research team about Tóth’s research.

While it is easy to assume vendors are simply ignoring these vulnerabilities, the reality is more complicated. Mitigating DOM-based clickjacking in a way that is both robust and frictionless for end users is a technically difficult challenge. The most straightforward solution, adding confirmation dialogs before autofilling, does introduce usability friction that some users may push back on. Password managers walk a tightrope between security and usability, and choices about which safeguards to enforce ultimately reflect product decisions about that balance. That said, the research highlights that what’s convenient for users in the short term can leave them exposed to systemic risks that attackers may exploit.

Topic		Replies	Views
Should I use Bitwarden, Proton Pass, or 1Password? Questions	43	12639	June 12, 2025
1password vs bitwarden Questions	4	872	November 13, 2022
Should I use Dashlane? Questions	16	1252	November 21, 2024
Ditch your current password manager and Proton will give you credit for your remaining contract General	9	580	October 5, 2024
Proton Pass: A Very Brief Review General	21	2131	May 25, 2025

Remove 1Password

There is also this:

Discussion with 1Password

Related topics