
Security advisory for AI-assisted browsing interactions with the 1Password browser extension

by Andrew Hall and Drew Sen

January 30, 2026



This advisory describes an ecosystem-level risk that emerges when AI agents are able to autonomously read and act on untrusted content while operating with user-level permissions in a web browser.

Our approach to ecosystem risks is to maintain clear, deterministic boundaries that don’t rely on an AI system interpreting “rules” correctly. To strengthen user control at this boundary, we’ve added the ability for users to disable automatic sign-in for the 1Password web app, preventing automated browser activity when 1Password is unlocked.

1Password remains predictable even when the surrounding environment is not: autofill remains restricted to the right sites, sensitive data can require confirmation before being filled, and a locked extension cannot be manipulated by an AI agent or anyone else. Users can also change their extension’s lock settings – such as using shorter lock timeouts – to ensure the extension locks as frequently as fits their security preferences, especially when using AI-assisted browsing.

Observation

AI-powered browsers and assistants are designed to read and act on web content on a user’s behalf. This creates a broader attack surface for prompt injection, where malicious instructions are embedded in otherwise normal content (for example, a calendar invite, email, or document).

We’ve reviewed an attack scenario that demonstrates how an AI assistant can be influenced by untrusted content to navigate the web and attempt actions a user could perform at the keyboard. If the 1Password browser extension is already unlocked, the assistant may be able to trigger normal extension behavior, such as navigating to a web application, attempting to autofill credentials on sites matching saved URLs, or automatically signing the user into 1Password.com via the unlocked extension and interacting with the web vault.

This issue does not break 1Password’s cryptography, authentication model, or vault design, and there is no bypass of 1Password’s security controls. AI access remains limited to the constraints of an existing authenticated session.

Who may be affected

You may be affected if all of the following apply:

  • You use an AI-powered browser or AI assistant that can autonomously navigate and interact with web pages.

  • The AI assistant is able to read or act on untrusted content that comes from outside your direct control, such as emails, calendar invitations, shared documents, or web pages.

  • Your 1Password browser extension is unlocked while the AI assistant is in use.

Recommended action

To reduce exposure to this class of risk:

  • Disable "Automatically sign in to 1Password in the browser" in the 1Password browser extension (Settings > Security). This prevents the unlocked browser extension from signing in to 1Password.com automatically without explicit user intent.

  • Manage team sign-in policies: as an administrator, control whether team members may choose to be signed in to 1Password.com automatically while their 1Password browser extension is unlocked.

  • Lock the 1Password browser extension when stepping away from your device or when browsing untrusted content.

  • Enable autofill confirmation prompts for sensitive item types like contact information and credit cards, so you’re asked before those details are filled. Login items also support optional confirmation prompts, which some users and teams may choose to enable for additional assurance.

Impact and exploitability

Prompt injection is a technique where untrusted text is interpreted as instructions by an AI system. In this scenario, an attacker’s goal is to influence an AI assistant into taking actions the user did not intend.

If the 1Password browser extension is unlocked, the assistant may be able to attempt actions that are already within the user’s permissions, such as:

  • Navigating to the 1Password web app, signing in with the existing unlocked session, and interacting with what’s visible in the active session, in the same way a user could while signed in (for example, viewing or editing items, accessing account pages, or changing settings).

  • Triggering autofill in a browser tab.

Important limitations still apply:

  • Autofill is restricted by domain matching: credentials won’t fill outside the saved origin rules for the item.

  • Only one item can be filled or accessed at a time - there’s no bulk action or “export all” capability in the browser extension that would allow an entire vault to be retrieved at once.

  • Sensitive data types such as credit cards and contact information require confirmation prompts that can’t be hidden or overlaid by a webpage.

  • If the extension is locked, it can’t be used to fill or act until the user unlocks it again.
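The limitations above are fixed checks rather than rules an AI has to interpret. As an added illustration that is not 1Password's code, the Python model below encodes them as a fail-closed policy: the extension state fields, the exact scheme-plus-host origin rule, and the set of sensitive item types are all assumptions chosen to mirror the advisory.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumed item types that always require a confirmation prompt before filling.
SENSITIVE_TYPES = {"credit_card", "identity"}

@dataclass
class ExtensionState:
    locked: bool = True
    auto_sign_in: bool = False    # "Automatically sign in to 1Password in the browser"
    confirm_logins: bool = False  # optional confirmation prompt for Login items

@dataclass
class Item:
    kind: str                          # "login", "credit_card", "identity", ...
    origins: frozenset = frozenset()   # saved website origins for a Login item

def origin_matches(page_url: str, saved: frozenset) -> bool:
    """Exact scheme+host match; an http: downgrade or another host never matches."""
    parts = urlsplit(page_url)
    return f"{parts.scheme}://{parts.hostname}" in saved

def decide_autofill(state: ExtensionState, item: Item, page_url: str) -> str:
    """Decide one fill request (there is no bulk path): 'deny', 'confirm' or 'fill'.
    Every rule is a fixed check; nothing here asks who initiated the request."""
    if state.locked:
        return "deny"        # a locked extension cannot fill for an agent or a user
    if item.kind == "login":
        if not origin_matches(page_url, item.origins):
            return "deny"    # domain matching: never fill outside saved origins
        return "confirm" if state.confirm_logins else "fill"
    if item.kind in SENSITIVE_TYPES:
        return "confirm"     # prompt is rendered by the extension, not the page
    return "deny"            # anything unmodelled fails closed

def decide_web_app_sign_in(state: ExtensionState) -> str:
    """Sign-in to 1Password.com via the extension: 'locked', 'explicit' or 'automatic'."""
    if state.locked:
        return "locked"
    return "automatic" if state.auto_sign_in else "explicit"

if __name__ == "__main__":
    # Constructed scenario: an agent-driven tab lands on a look-alike host.
    unlocked = ExtensionState(locked=False)
    bank = Item("login", frozenset({"https://bank.example"}))
    print(decide_autofill(unlocked, bank, "https://bank.example/login"))          # fill
    print(decide_autofill(unlocked, bank, "https://bank.example.evil/login"))     # deny
    print(decide_autofill(unlocked, Item("credit_card"), "https://shop.example/")) # confirm
    print(decide_web_app_sign_in(ExtensionState(locked=False, auto_sign_in=False)))  # explicit
```

Disabling automatic sign-in moves the web-app path from "automatic" to "explicit", which is the setting change the recommended actions describe.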

Our Position

AI-assisted browsing changes how actions can be initiated in a web browser, but it doesn’t change the fundamental security boundaries that 1Password enforces. The extension only performs actions a signed-in user could perform themselves, remains constrained by domain matching and confirmation requirement settings, and can’t be used at all when it’s locked. 1Password’s security model and settings give users control over features like automatic sign-in and lock behavior, helping reduce exposure to this class of ecosystem risk.