The Chrome extension fills PW when it should not.

junha
Community Member
edited September 13 in 1Password in the Browser

For a user in a specific vault, even if they are granted only the "view items" permission (with no other permissions and no "client settings" access), it is still possible to auto-fill a login password if such an item exists. This seems illogical because, despite restricting access to the password in the Desktop app, Web app, Mobile app, and even the Chrome extension, the autofill feature still allows the password to be used. It defeats the purpose of granting minimal permissions, as the autofill feature introduces a potential security leak. Am I misunderstanding something here?


1Password Version: Not Provided
Extension Version: 2.27.1
OS Version: Sonoma 14.5
Browser: Chrome

Comments

  • Hello, @junha. I see that my colleagues were able to assist you via email. If you have any questions, please continue the conversation there. I'll close this thread to prevent duplication of efforts. 🙂

    -Evon

    ref: FQF-92252-598

This discussion has been closed.