Security Issue: Settings

On my Chromebook, I have found the 1Password Settings can be changed without logging into 1Password; e.g. disable Automatically Lock or set Lock After System Idle to 8 hours.

For example, I shut down/restart my Chromebook, log into my Chromebook (without logging into 1PW), open the browser history, select 1PW Settings, modify the settings, close the 1PW Settings tab, and close the browser. I shut down/restart, open the browser, log into 1PW, open 1PW Settings, and I find the non-logged in changes are in force.

(I did not test other 1PW Settings.)


1Password Version: Not Provided
Extension Version: 2.7.0
OS Version: Chromebook 110.0.5481.112
Browser: Chrome

Comments

  • Hi @robert1p,

    You should be able to access the settings of 1Password in your browser even when it is locked if you right click the icon in your browser toolbar and choose settings. These settings are specific to the browser extension and not your 1Password account, you shouldn't be able to change any account settings or access your account without entering your password or using biometrics to sign in.

    I hope this helps to address your concerns, let us know if you have any questions!

  • robert1p
    Community Member

    My concern is that on my Chromebook, the "SECURITY" Settings can be changed without logging in; i.e. disable "Automatically lock 1Password" or set "Lock after system is idle" to "8 hours".

    My Windows Chrome Extension correctly prevents Security changes when not logged in. Thus, it's unclear to me why these changes can be made on my Chromebook.

    Personally, I would prefer the user login before any Setting can be changed; (i.e. lock the product down as tight as possible).

    Allowing non-logged in access to "SECURITY" Settings should just be screaming "Red Flag"; i.e. allowing anything to suggest the product isn't secure is just a disservice to the product.

    Respectfully submitted.

  • Hi @robert1p,

    I'm sorry for the delay in getting back to you.

    These settings are only present in 1Password in the browser if you either do not have the 1Password app installed or have unchecked 'Integrate with 1Password app'. They do not affect your entire 1Password account; they will only take effect on the browser/device that you are on. Regardless, I do see where you are coming from so I have passed this on to the team for consideration in future updates.

    Thank you for taking the time to provide feedback!

    ref: PB31545943

This discussion has been closed.