1Password Mini, all browser plug-ins, make me subject to attack?

MacPass
MacPass
Community Member
in Mac

http://arstechnica.com/security/2016/04/noscript-and-other-popular-firefox-add-ons-open-millions-to-new-attack/
I used 1Password Mini to log into this discussion. In light of the above article, do all plug-ins, such as 1Password Mini, make me vulnerable to malware attack?

1Password Version: Latest beta
Extension Version: Latest beta
OS Version: OS X 10.11.4
Sync Type: Dropbox

Comments

  • jpgoldberg
    jpgoldberg
    1Password Alumni

    Excellent question @MacPass

    We haven't studied the particular Firefox issue in sufficient detail to say anything definitive at this point.

    I need to start with a clarification of terminology. 1Password mini is a native process running on your Mac; the 1Password browser extension is the browser extension running in your browser. Our browser extension talks to mini to do its job, so you use both the browser extension and mini when filling a login form on a website.

    The way that we have split the work between mini and the browser extension is designed to make us more resistant to attacks within the browser. We recognize the browser as a hostile environment, and so put all of the crypto (and your data) in mini instead of in our browser extension.

    Exactly how this plays out in this Firefox issue is something we still need to test. We've got other defenses against a malicious process in the browser making use of parts of our extension that should be "private" through our systematic use of "safe" Javascript practices. So, although I can't rule out anything until we've tested this more, my initial inclination is that the 1Password browser extension cannot be exploited by a malicious other extension.

    But please follow here for updates.

  • jpgoldberg
    jpgoldberg
    1Password Alumni

    Short answer: The 1Password browser extension is not at risk from this sort of attack.

    I just talked to @jxpx777 from our browser extension team, and he had looked at this when the research was first made available to Mozilla developers.

    For an extension to be a vector for attack, the extension needs to be written in a way that "exposes" certain methods to the shared JavaScript namespace within the browser. We don't do that, as we've long recognized that doing so creates a greater attack surface against our extension. So it appears that the only extensions vulnerable are those that either fail to follow recommended coding practices or explicitly decide to expose certain methods to other extensions.

    Cheers,

    -j

This discussion has been closed.