Are the 1Password browser extensions safe and secureas we hope they are?

When I installed the 1Password extension for Chrome, the following is displayed.
(I"m sure this isn't unique to the 1PW extension, nor Chrome)

After reading this article, it raises serious concern for privacy and safety.
We have no idea who writes these extensions, nor what their motivations are. There is no easy way for consumers to know
when their private data is at risk or not.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • AGAlumB
    AGAlumB
    1Password Alumni

    @cappy: Thanks for asking! While I'm not sure which article you're referring to, I can tell you what that means right off the bat: Chrome has a list of entitlements that extensions can request and the user can choose to allow (or not) it to do those things. In the case of 1Password and the example you gave, the desktop extension, in order to do the things you expect it to, it needs to be able to "read and change" information on the webpage (saving, filling) and "communicate with native apps" (1Password for Mac, or Windows, where your data needs to be saved to and retrieved from). We've got a more extensive list here:

    About 1Password browser permissions

    But essentially there is a lot of mischief that malicious extensions get up to, so Google started (and other browser vendors followed) enumerating exactly the access extensions were requiring so that the user is aware and can make an informed decision to refuse them if they wish.

    Peripheral to that is we recommend not using 1Password in a browser/profile with other extensions that request a lot of access, as they could -- maliciously or even just carelessly -- capture sensitive things you're doing in your browser, including anything you tell 1Password to put there. 1Password can protect your data when it's in 1Password; it cannot protect it when you send it out over the internet, or just put some other software in a position to capture it.

    I hope this helps. Be sure to let me know if you have any other questions! :)

  • cappy
    cappy
    Community Member

    Sorry, that dialog covered part of my message including the link to the article I am referring to.
    Here is that article again.
    https://www.washingtonpost.com/technology/2019/07/18/i-found-your-data-its-sale/?utm_term=.58592e65a5e1&wpisrc=al_trending_now__alert-economy--alert-national&wpmk=1

    There is simply no way for any user to know which extensions are going to do bad things with the user’s data.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @cappy: It may not be trivial, but if nothing else -- failing the means to determine the security, privacy, and business practices of the maker of a given extension -- two things are still certain:

    • If it isn't granted permission to do something, it can't do it.
    • If you don't install it, it can do nothing.

    Modern browsers have great sandboxing and profile features to compartmentalize things, and they give the user some good information on what an extension is able to do. Checking reviews of extensions isn't too hard, and journalists and security researchers can be good sources as well when it comes to vetting what you install on your devices.

    I'm not saying it's easy, but when in doubt, you have the option of not using them. Our livelihood is based on trust though, so we're very open about how 1Password works. We like to know what's going on with our data too, and have built 1Password with that in mind, so that we can feel good about using it too. :)

This discussion has been closed.