Can 1P's browser extensions leak passwords?
I found this quote in a September, 2017 article on the web - https://www.darknet.org.uk/2017/03/lastpass-chrome-extension-leaking-passwords/ . I assume AgileBits is familiar with the issue. Do 1P's browser extensions have similar vulnerabilities? Or if they did, have the vulnerabilities been corrected?
"LastPass works by storing your passwords in the cloud. It provides browser extensions that connect to your LastPass account and automatically fill out your saved login details when you surf to your favorite sites.
However, due to the discovered vulnerabilities, simply browsing a malicious website is enough to hand over all your LastPass passphrases to strangers. The weak LastPass script uncovered by Tavis Ormandy can be tricked into granting access to the manager’s internal mechanisms, which is rather bad news."
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
Hey @fourwheelcycle - thanks for the question! There's a reason that article mentions two of our competitors but not 1Password; our browser extensions were and are not subject to this kind of attack vector. :) That's why - right around the time this vulnerability was being published, we upped our bug bounty to $100,000 for anyone who could return the decrypted contents of a vault containing bad poetry.
0 -
Thank you Lars, that is very reassuring.
I'm sorry to reply, since I know you guys hate open posts, but I wanted to say thank you.
0 -
@fourwheelcycle -- no problem! I'm glad it was helpful. And yes, we try to make sure we reply anytime someone takes their time to say something to us here, but it's not a chore -- we like hearing from happy 1Password users (and even the temporarily unhappy ones, LOL).
0
