How safe is the 1Password Chrome extension against browser hijacking malware?

Magne

Hi,

I recently experienced an issue with a malware/spyware that hijacked my Chrome browser every time it started up (it automatically closes chrome and then reopens it). The malware was called PremierOpinion, calls itself "researchware", and I don't know how I got it. The problem first appeared when I discovered I had to sign in to Google's services and the Chrome user profile every time I opened Chrome, because Chrome would always report that "Account sign-in details are out of date". When signing in to the Google services on several attempts I used the 1password browser extension (where I typed my master password), and also tried copy/pasting my google password into the Gmail login page.

It is evident that PremierOpinion hijacks Chrome and does some kind of logging of activities in Chrome, as witnessed by their statement on their website: "PremierOpinion is an online market research community, which provides insight into how its members interact with the Internet. In exchange for agreement to have their Internet behavior monitored, [...]"

So I consider my browser was compromised. I'm not sure to what extent, but I have to assume the worst.

After solving my problem, and removing the malware, I am left with the questions:

• Is my Google password now compromised? (Since I used it on login form on a web page while in a compromised browser.)
• Is my 1password master password now compromised? (I know that you utilize Secure Input on mac to protect against keylogging, but how secure is this in the browser extension if the whole browser could be considered to be compromised?)

And in general, I would be reassured, as I'm sure many others would be, if you could write something on this question: How safe is the 1Password Chrome extension against browser hijacking malware?

If you want to reproduce this by installing PremierOpinion, here are the details around my problem with it, and how I solved it: http://magnemg.tumblr.com/post/116018954690/how-to-solve-chrome-not-remembering-sign-in-and

cheers,

Magne

littlebobbytables

Hi @Magne,

While you won't have to be worried that your entire vault is compromised, any password you've submitted into a web page should probably be considered at risk if you are concerned enough about PremierOpinion.

When you click on the 1Password browser extension icon or whatever your preferred approach for interacting with 1Password is, you're actually interacting with 1Password mini. So in this sense even if we weren't using a Secure Input event like we are, your Master Password should still be safe against a browser extension. The Secure Input event is more a defence against software keyboard loggers. Unfortunately any login credentials you've submitted into a web page will be as visible to this extension as they will and sadly there is no protection against that.

What I would probably recommend is sorting your vault by Date Last Used (our page on the Item List pane will have a bit more information on this) and considering changing any item used during the period PremierOpinion was present. Once you've changed those you should be able to relax again.

So to summerise, we can't protect you against another extension if it is passively recording your interactions with sites but an extension cannot access your vault or log your Master Password. We will only fill in on the specified URL which should catch most phishing attempts but if your machine is sufficiently compromised then there is nothing we can do. If you'd like more of an explanation please do ask.

Magne

Thanks for the reply @littlebobbytables . Actually, I didn't realize PremierOpinion had installed it as a browser extension as well (thanks for making me aware of that!), so I was wondering what the case would be if some malware simply hijacked Chrome on startup. In my case, maybe it was the extension it installed that allowed that, but the question is interesting in general:

Could a compromised Chrome browser in theory ever actually intercept whatever I type into the 1Password Browser Extension?
Considering that the browser could be run via a tunnel through some other logging program, or that some malicious program has been able to "crack" the browser and inject malicious code into it.

Thanks for the Date Last Used approach, that was very helpful in solving my problem.

littlebobbytables

Hi @Magne,

Our 1Password Browser Extension is merely a conduit between the browser page and 1Password mini so you don't actually interact with the extension much at all. This is what would limit your exposure from inside the browser. The extension has a couple of parts to play. It notifies 1Password mini that you are requesting its services and informs 1Password mini of the active tab. After that it doesn't play a part until 1Password mini passes certain information back which it only does when you instruct it to fill.

The at risk information is whatever you are filling into the fields, be it login credentials or your credit card information. Anything entered into a page is readable by the extensions. This is regardless if you use 1Password or not. In other words, if you do online shopping you do need to be careful about what extensions you run.

We do check check the browser code's signature to at least ensure that what is claiming to be Safari, Firefox or Chrome is indeed a legitimate copy but that doesn't protect you against dodgy extensions or malware elsewhere on your system. It does take a fully compromised machine before your Master Password and vault are at risk though.

Magne

Thanks for the detailed explanation.

I thought that the 1Password Chrome Extension is what was opened when I click the 1Password icon in the Chrome toolbar, and that the interaction with 1Password Mini was through that. But now I see that it's just actually a 1Password Mini window, which is overlaid on the Chrome window. So that when I input my master password there, it's going directly to 1Password Mini and not ever going through the 1Password Chrome Extension. Correct me if I'm wrong.

Then I don't have to worry about my master password being compromised, at least.

Thanks again for responding and being so helpful to explain this. :)

Megan

Hi @Magne,

I'm so glad to hear that @littlebobbytables has been able to help you through this process.

So that when I input my master password there, it's going directly to 1Password Mini and not ever going through the 1Password Chrome Extension.

Correct. :) You are entering your Master Password into 1Password mini, which is separate from the browser.

If you have any further questions, please let us know - we're here for you. :)