Clickjacking is a technique where a malicious or compromised webpage visually disguises or overlays elements of a page or browser extension, like the autofill menu, so that a user unintentionally clicks on them. In practice, this could allow a site to trick users into autofilling card details, identity items, or other information without realizing it.
Clickjacking isn’t new, and it’s not unique to password managers. It’s a long-standing web technique that affects many websites and browser extensions. At its core, it’s a browser-level limitation, not something a single browser extension can fully solve.
How 1Password is responding to clickjacking
We take every security concern seriously. While clickjacking can only be fully resolved at the browser level, we’ve introduced a solution that addresses the risk for our customers by giving them more control and information.
On August 20, 2025, we released version 8.11.7, which gives customers the option to be notified and approve or deny autofill actions before they occur. This extends the confirmation alert that already exists for payment information, an alert that cannot be hidden or overlaid by clickjacking.
With these updates, customers are clearly informed when autofill is happening and remain in control of what is shared, helping them stay protected against clickjacking attacks.
Does clickjacking put my 1Password data at risk?
No. Your data in 1Password remains encrypted and protected. Clickjacking does not expose your vaults, export your data, or give websites direct access to your saved information.
What clickjacking can do is try to trick users into triggering autofill. That’s why we’ve added safeguards, like confirmation alerts, so users have a chance to double-check before their data is filled.
What you should do
To stay protected, we recommend updating to version 8.11.7.2 (or 8.11.7 on the iOS App Store) as soon as it becomes available in your browser’s store. You can check this webpage to download the latest version.
We also recommend keeping autofill enabled. While it may feel safer to turn it off, disabling autofill can actually increase risk. Without autofill, users are more likely to reuse weak passwords or copy and paste credentials into websites, where they can be stolen if the site is malicious.
Autofill also helps protect users from phishing by filling credentials only on the exact domains they are saved for. In most cases, the protection autofill provides far outweighs the potential risk of clickjacking.
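The exact-domain check and the approval step described above, sketched as an added example (this is not 1Password's code). It assumes an item is offered only when the page's HTTPS hostname equals the saved one and that filling waits for explicit approval; the function names and sample URLs are constructed for illustration.

```javascript
// Added illustration with hypothetical helper names; not the extension's real logic.

// Return the canonical hostname of an HTTPS URL, or null if it must never be filled.
function normalizedHost(rawUrl) {
  let u;
  try { u = new URL(rawUrl); } catch { return null; }
  if (u.protocol !== 'https:') return null;   // no fill over plaintext or other schemes
  // The URL parser already lowercases the host, converts Unicode labels to
  // punycode, and separates any "user@" prefix from the real host.
  return u.hostname.replace(/\.$/, '');       // treat a trailing root dot as equivalent
}

// True only when the page is served from exactly the host the item was saved for.
function hostsMatch(savedUrl, pageUrl) {
  const saved = normalizedHost(savedUrl);
  return saved !== null && saved === normalizedHost(pageUrl);
}

// 'deny'   : wrong site, nothing is offered
// 'prompt' : right site, wait for the user to approve in the confirmation alert
// 'fill'   : right site and the user approved
function autofillDecision(savedUrl, pageUrl, userApproved) {
  if (!hostsMatch(savedUrl, pageUrl)) return 'deny';
  return userApproved ? 'fill' : 'prompt';
}

// Constructed sample data: one saved login and pages a user might land on.
const SAVED = 'https://example.com/login';
const SAMPLE_PAGES = [
  'https://example.com/account',           // same host, different path
  'https://EXAMPLE.com./signin',           // same host, different spelling
  'https://example.com.evil.test/login',   // saved name used as a subdomain label
  'https://example.com@evil.test/login',   // saved name placed in the userinfo part
  'https://examp1e.com/login',             // digit "1" in place of "l"
  'https://\u0435xample.com/login',        // Cyrillic "е" homoglyph
  'http://example.com/login',              // right host, but not HTTPS
];

function checkSamples() {
  return SAMPLE_PAGES.map((page) => hostsMatch(SAVED, page));
}

SAMPLE_PAGES.forEach((page, i) => {
  console.log(checkSamples()[i] ? 'offer ' : 'refuse', page);
});
```
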
You can read our full security advisory here.