Feature request - ACLs for browser agents

m4rkw
m4rkw
Community Member
in Mac

There is a third party tool called "sudolikeaboss" which facilitates using 1password with the CLI. While useful, this potentially exposes users to password theft as I detailed in this blog post:

https://m4.rkw.io/blog/sudolikeaboss-allows-password-theft.html

Since the use-case for this is usually just to enter a sudo password, could we have some way of restricting specific authenticated browsers to certain credentials only? I can see this being useful in other scenarios as well as a security mitigation. Although a lot of user credentials are going to be useful in the browser, I bet lots of people have stuff in 1password that should never be sent to the browser under any circumstances. Adding configurable ACLs would allow us to restrict what the browser can receive back from 1P so in the event that an extension was compromised somehow the scope of the attack would still be limited.

If this feature existed, security-conscious users may well decide that some creds are too valuable to automatically send to the browser and choose to copy and paste them instead, eg stuff like iCloud.

1Password Version: 6.7.1
Extension Version: 4.6.4
OS Version: MacOS 10.12.4
Sync Type: N/A

Comments

  • pervel
    pervel
    Community Member

    You can already choose Never display in browser on each individual item. Though I don't know if this setting is enforced by the app or by the browser extension. If it's enforced by the app, then it's at least a partial answer to your request.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @pervel: That's a great suggestion! :)

    @m4rkw: First and foremost, 1Password doesn't ever "automatically send to the browser"; rather it only sends and fills information when you've told it to do so. And while your suggestion probably isn't a feature we're going to add, I think you'll be interested to know that 1Password has a few security measures in place already that apply in this case:

    1. Your 1Password data is never stored in the browser (it sounds like you're already aware of this), only decrypted and sent to the extension on demand, when you tell it to do so.
    2. 1Password will not send anything to the browser unless its code signature can be verified, to protect you from impostors.
    3. And finally, 1Password will also never send anything to the browser extension unless it is authorized by you

    But you're right that a malicious app you authorize to talk to 1Password, or one that you've simply given access to the system itself, could collect your data as you access it. Neither 1Password nor any other software can prevent you from allowing that. I hope this helps. Be sure to let us know if you have any other questions! :)

This discussion has been closed.