Bear app extension with 1Password
On my iMac my primary/only browser is Safari and I have 1Password installed.
I'm using the subscription version of 1Password plus the browser extension.
I also use Bear notes as a jotter on my computer and my iPhone/iPad.
When I go to install their browser extension it asks for full permissions; this is so any webpage I save (or take a snippet of) can be transferred to the Bear desktop app.
If I were to 'store' a webpage in Bear containing a pre-filled password then I understand that my password may be stored within Bear.
However I'd like reassurance that my other 1Password data is safe assuming I do not store/save a webpage in the manner described above.
I don't believe Bear to be malicious (and I assume Apple with have vetted the Bear extension) but I'm very cautious about installing extensions (1Password and my adblocker are the only other extensions) so I want to be sure that my 1Password data can't be easily exfiltrated.
Comments
-
However I'd like reassurance that my other 1Password data is safe assuming I do not store/save a webpage in the manner described above.
I am not a browser extension expert, but this Firefox documentation page about browser extension permissions describes the Access your data for all websites permission this way:
The extension can read the content of any web page you visit as well as data you enter into those web pages, such as usernames and passwords.
(emphasis mine).
I could not find an equivalent page for other browsers (other than this short documentation page about Chrome, which however does not go into a lot of detail), but I think it is safe to assume that other browsers behave in a similar way when it comes to full browser extension permissions.
Therefore, I think that from a technical perspective, extensions which request this permission can read everything you type into webpages, even if you don't specifically invoke the extension to store information externally, wherever that might be. Of course, whether extensions actually do something with that information, or whether they simply ignore it, it is up to the individual browser extension.
Personally, I think that the fact that they have the potential to do this is worthy of consideration though, but it looks like you have done your research already, which is what matters. The choice of what extensions to ultimately trust is a very personal one, and only you can make the final decision.
Were you using Firefox or Chrome, I would have recommended using a separate browser profile for sensitive browsing, but I am not aware of a way to do this in Safari yet. I was in a similar predicament myself some time ago, and I decided to work around this Safari limitation by using a combination of Safari and Safari Technology Preview to keep things separate, although I understand that it might not be an ideal solution for everyone.
===
Daniel
1Password Security Team0 -
Thank you for the comprehensive answer.
My main concern was that the Bear extension (or any extension for that matter) could steal other data from 1Password, i.e. even passwords that I'd not filled into the webpage.
I'd honestly not given any consideration to using a second browser - just for Bear - on Mac (even though I use Edge for work on my Windows computer and Chrome for everything else!)
As that's the best, and most secure/easiest solution I'll probably download Firefox and use that with the Bear extension.
0 -
On behalf of Daniel, you are welcome @nickwaters! If you have any other questions, please feel free to reach out anytime.
Have a wonderful day :)
0