Why Secrets’ Browser Extension is Purposely 'Dumb'
Secrets' browser extension was designed from the start to serve as a simple conduit between the browser and the main app itself. Namely, the extension:
- Should never deal with the user's passphrase
- Should never have access to private information without user consent (even when Secrets is unlocked)
- Should communicate securely with the main app
This makes filling Logins with Secrets a bit different from many other password managers. Whereas other apps may suggest a Login to fill as soon as you open a page, Secrets never did that, and never will. Not only that, but to fill a Login you actually need to provide consent by selecting that Login in the main app.
This has always been a source of questions for new users when migrating from other password managers. But it’s definitely worth getting used to.
Clickjacking + Autofill
A few weeks ago, a researcher (Marek Tóth) presented at DEF CON a renewed version of the clickjacking attack, this time aimed at the autofill UI that browser extension-based password managers inject into web pages.
In simple terms, the attacker manipulates the web page (invisible overlays, pointer-event tricks, and so on) so that what you see is not what you click.
For example, a harmless-looking clickable element (say, a “Click here to accept cookies” button or “Yes, I’m over 18”) is placed exactly where the password manager’s autofill dropdown appears, and the dropdown itself is made invisible, for instance by setting its opacity to zero. Opacity has no effect on which element receives a click, so the invisible dropdown still gets it.
When you think you’re clicking the “Yes” or “Confirm” button, you’re actually selecting an entry in the autofill dropdown, and the extension fills the credential into fields the attacker controls. That lets the attacker harvest sensitive data (passwords, credit card details, 2FA/TOTP codes, and so on) without your knowledge.
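To make the mechanism concrete, here is a small JavaScript model of browser hit-testing that shows why both tricks work. It is an added illustration, not code from this post or from Secrets: the element geometry, the ids (accept-cookies, pm-autofill-dropdown) and the “autofill dropdown” are constructed for the example, and the model keeps only the two rules that matter here (opacity does not affect which element receives a click; pointer-events: none lets a click fall through), ignoring stacking contexts and the rest of real layout.

```javascript
// Simplified model of how a browser picks the element that receives a click.
// Rules modelled (these match real browser behaviour):
//  - elements are tested from the top-most (highest zIndex) down,
//  - opacity is ignored: an opacity:0 element still receives the click,
//  - pointer-events:none makes an element transparent to clicks, so the
//    click falls through to whatever lies underneath.
// All elements, ids and coordinates below are constructed for this example.

function contains(el, x, y) {
  return x >= el.x && x < el.x + el.w && y >= el.y && y < el.y + el.h;
}

// The element that actually receives the click.
function hitTest(elements, x, y) {
  const ordered = [...elements].sort((a, b) => b.zIndex - a.zIndex);
  for (const el of ordered) {
    if (el.pointerEvents === 'none') continue; // transparent to clicks
    if (contains(el, x, y)) return el.id;      // opacity deliberately not checked
  }
  return null;
}

// The element the user believes they are clicking: the top-most element
// that is actually painted (opacity > 0), regardless of pointer-events.
function perceivedTarget(elements, x, y) {
  const ordered = [...elements].sort((a, b) => b.zIndex - a.zIndex);
  for (const el of ordered) {
    if (el.opacity > 0 && contains(el, x, y)) return el.id;
  }
  return null;
}

// A click is hijacked when what the user sees and what receives the click differ.
function analyseClick(elements, x, y) {
  const perceived = perceivedTarget(elements, x, y);
  const actual = hitTest(elements, x, y);
  return { perceived, actual, hijacked: perceived !== actual };
}

// Page-owned decoy button the victim intends to click (constructed).
const decoyButton = { id: 'accept-cookies', x: 100, y: 100, w: 200, h: 40, zIndex: 1, opacity: 1 };
const CLICK_X = 150, CLICK_Y = 120;

// Scenario 1: invisible overlay. Page CSS has restyled the extension's injected
// dropdown to opacity:0 and positioned it over the visible consent button.
function invisibleOverlayScenario() {
  const dropdown = { id: 'pm-autofill-dropdown', x: 100, y: 100, w: 200, h: 40, zIndex: 2147483647, opacity: 0 };
  return analyseClick([decoyButton, dropdown], CLICK_X, CLICK_Y);
}

// Scenario 2: pointer-events trick. The decoy is on top and fully visible but
// has pointer-events:none, so the click passes through to the dropdown below it.
function pointerEventsScenario() {
  const dropdown = { id: 'pm-autofill-dropdown', x: 100, y: 100, w: 200, h: 40, zIndex: 1, opacity: 1 };
  const decoy = { ...decoyButton, zIndex: 2, pointerEvents: 'none' };
  return analyseClick([dropdown, decoy], CLICK_X, CLICK_Y);
}

// Scenario 3: no extension-owned UI in the page DOM at all (the "dumb" design):
// the only element under the click is the page's own button, so nothing is hijacked.
function noInjectedUiScenario() {
  return analyseClick([decoyButton], CLICK_X, CLICK_Y);
}

for (const [name, run] of [
  ['invisible overlay', invisibleOverlayScenario],
  ['pointer-events', pointerEventsScenario],
  ['no injected UI', noInjectedUiScenario],
]) {
  const r = run();
  console.log(`${name}: perceived=${r.perceived} actual=${r.actual} hijacked=${r.hijacked}`);
}
```

The third scenario is the whole argument of this post in one line: if the extension never puts a dropdown into the page, the page has nothing to hide, cover or forward clicks to.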
Why a 'Dumb' Extension is the Smarter Choice
Secrets' browser extension does not automatically show a dropdown or insert credentials when it detects a login form. Instead, it requires the user to explicitly trigger a fill (click its icon, or invoke it via the toolbar or a keyboard shortcut) and then select which credential to fill in the main app itself.
Such a “dumb” mode reduces the attack surface, especially for UI overlay, clickjacking and pointer-manipulation attacks. If autofill never happens automatically, there is no injected dropdown for the page to hide or reposition, and nothing for a decoy click to land on.
By requiring consent in the main app, Secrets minimizes exposure. The selection happens outside the web page, where the page’s CSS and scripts cannot restyle, cover or hide it, and the credential stays in the vault until you explicitly pick it. That limits what malicious scripts on the page could ever grab.
Convenience versus Security
Convenience is always tempting, especially when it comes to something as repetitive as logging in. By keeping the browser extension “dumb,” Secrets puts security ahead of convenience — making sure your credentials only leave the vault when you explicitly say so.
It may take an extra click or keyboard shortcut, but that small bit of friction buys a lot of peace of mind. And that’s why, when it comes to protecting secrets, dumb is definitely smarter.