Persistent request for Safari extension verification
I've been using 1Password on Mac for years. My current version is 6.8.8.
Yesterday, all of a sudden, when I launched Safari, immediately the window opened with a request from 1Password to verify a number in order for my Safari 1Password extension to work. I hesitated, thinking this might be a hacker attack. I never had such a request after the extension was installed—months ago. I got to mention, that absolutely nothing has changed on my Mac in at least a month, that would warrant triggering such a request. I installed an update to one of my applications, but that's it.
I just quit Safari and re-opened it. The request window appeared again. So, I verified the number. But on my next Safari launch same request window appeared, only with a different verification number. Now, I was really worried.
I opened the main 1Password app and changed the master password. After that, I don't get any more request for verification, but I don't know whether my Safari extension works or not.
Could someone explain, please, what is going on?
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
ref: NAI-15856-214
Comments
-
@whyunavailable - sorry for the scare -- this is a legitimate request if it looks like the one in these images. Hope that helps, but let us know if you have any further questions.
0 -
Thanks, Lars,
Yes, the requests looked just like those in linked images. But that doesn't prove much, does it? The reason I was worried was two-fold: unwarranted request for verification and persistence of this request after I verified the number.
Eventually, I uninstalled 1P Safari extension, went to AgileBits website and installed a fresh copy of the extension.
The oddness of this incident made me think it was a hacker attack, and so, I had to change about 20 of my most important logins.
0 -
@whyunavailable - I always appreciate caution in people when considering their digital security. However, although it would be technically possible create a fake version of the auth windows themselves (just copying from the images in the links I provided you in my earlier post would be sufficient), the mechanism would be unlikely to be fake-able. One major way to be certain of this is whether the authorization window itself is outside of the browser -- a hacked website could send you whatever it wished...but it would be in the form of a browser-generated window. That's part of why this works: one image is in the browser, and the other is outside of (not generated by) the browser (it is instead generated by 1Password). If you saw the second window as a browser window as well as the first one, then yes, that would definitely be suspect. But if the numbers match and the Authorization window is generated outside of the browser window, then there are really only two possibilities (generally): the first is that it's what it seems to be; a legitimate browser extension authorization prompt, generated by your own 1Password install, and the second supposes that your attacker was able to execute arbitrary code outside of the browser (i.e - on your own computer), which is both considerably more problematic and considerably less likely. For an attacker to be able to do this -- or appear to be doing this -- they would have had to target you specifically and also have succeeded in being able to execute arbitrary code on your device -- separately. It never hurts to change your passwords, provided the new one you choose is long, strong and random (and that you record it in 1Password or elsewhere), but given what you describe I seriously doubt it was necessary because I do not think it was an attack, based on the above.
Did re-installing the 1Password extension in Safari solve the issue, or does it continue to happen? If the latter, then I'm guessing you may have an automatic cache/cookie cleaner installed which can remove local storage from within the browser -- which would necessitate a re-authorization each time you launch after the "cleaner" runs (the next time you try to use 1Password). Could that be a possibility?
0