1password X security question - extension security

Doug0915
Doug0915
Community Member
edited July 2019 in 1Password in the Browser

Can other extensions that you give full access to (read all data, websites, etc) read 1password X data? I'm specifically referring to the Chrome version.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • jpgoldberg
    jpgoldberg
    1Password Alumni

    Hi @Doug0915,

    Other extensions cannot dig into 1Password X and get data out of it. But when you fill a form (whether by hand or by using 1Password X) then any extension that can fully examine that web page will be able to see the password that you (via 1Password X or by any other means) will be able to see that particular password that you have filled into that particular page.

    So other extensions, no matter what powers they are granted, will not be able to get secrets out of 1Password X itself, but they may be able to get secrets out of other web pages, including the pages to which you give a password.

  • Doug0915
    Doug0915
    Community Member

    Thanks! That answers my question. Very informative!

  • Doug0915
    Doug0915
    Community Member
    edited July 2019

    One thing that just occurred to me while enabling 1password X. The first time you install 1password X it redirects you to the web 1password login page. IF you have other extensions installed at the time, couldn't they scrape your userid, password and secret key from the 1password web login page? Maybe there should be a warning on the

    Shouldn't there be a warning or something on the my.1password.com web page reminding people that if they have ANY other extensions running that can scrape the website they are on, logging into the my.1password.com web page could compromise them?

    Seems like the best procedure should be to disable all extensions in chrome, then install 1password X, configure and enter your password and then re-enable the other extensions.

  • AGAlumB
    AGAlumB
    1Password Alumni

    One thing that just occurred to me while enabling 1password X. The first time you install 1password X it redirects you to the web 1password login page. IF you have other extensions installed at the time, couldn't they scrape your userid, password and secret key from the 1password web login page?

    @Doug0915: If you've given them permission to do that, yes they could.

    Shouldn't there be a warning or something on the my.1password.com web page reminding people that if they have ANY other extensions running that can scrape the website they are on, logging into the my.1password.com web page could compromise them?

    It's something we can consider, but it doesn't apply to everyone, and you as the user are the only one in a position to know what you've given extensions permission to do -- and other software; so I'm not sure it's useful to have a generic notice on our website (and others) about being careful what you install: it isn't exclusively a 1Password thing, and it would likely be ignored and/or obnoxious the same way EU cookie notices are.

    Seems like the best procedure should be to disable all extensions in chrome, then install 1password X, configure and enter your password and then re-enable the other extensions.

    Certainly not. Don't use other extensions you're giving permission to read/modify everything you do in the browser in the same browser/profile as 1Password (or anything else sensitive) at all, unless you're okay with accepting that risk.

  • Doug0915
    Doug0915
    Community Member
    edited July 2019

    Thanks Brenty for your response!

    Many Chrome extensions by default ask for all permissions to read website data. Though I doubt it's a risk, OneNote and Evernote's extensions do this in order to allow you to clip web pages (as an example) and those are used by a lot of people. Also, ad blocker extensions also ask for the same broad permissions. Other extensions do it to, I just loaded CISCO's webex extension and it has broad permissions.

    There are quite a few extensions which may already be installed and operating before somebody installs 1pasword X.

  • Lars
    Lars
    1Password Alumni

    @Doug0915 - it's certainly something we can consider for the future, but as brenty mentioned, this is far from something all users have/do, and it's also a matter of user trust and preferences. While it's arguably best practice to disable all browser extensions the first time you activate 1Password X via 1Password web -- or anytime you use 1Password's web app in a browser -- you're also referring to well-known extensions above (Evernote, OneNote, CISCO, etc). These are presumably trustworthy vendors who will not abuse the privilege of their heightened ability to read/capture data you enter into a page. But yes, the risk that one or more of these extensions inadvertently captures things you wouldn't want them to have (1password.com sign-in data) goes up with each one you have installed. It's important to keep in mind that unless you believe one of those extensions is transmitting data to its own servers - especially in plaintext - then the issue is confined to your local desktop; any attacker wanting to leverage such a vulnerability would need to have already compromised your own device previously in some fashion. Hope that's helpful. :)

This discussion has been closed.