Blacklisting 1Password X browser extension in Mac OS clipboard app

I can't figure out how to blacklist 1Password X from my clipboard application. It allows me to choose OS applications, but 1Password X is a browser plug-in. I previously used 1Password which I didn't have this problem with because it's an actual OS application. I switched to 1Password X browser plug-in because of the known crashing problem when using multiple profiles in Chrome (defect apple-4019). 1Password X browser extension is not usable if I can't blacklist it.


1Password Version: 1Password X
Extension Version: 1.15.6
OS Version: OS X 10.14.6
Sync Type: Cloud
Referrer: forum-search:1password x whitelist

Comments

  • ag_ana
    1Password Alumni
    edited August 2019

    Hi @Piggy!

    A bit unrelated, but since it addresses the reason why you switched to 1Password X in the first place I am going to mention this: Issue 4019 should have been fixed in 7.3.2.BETA-1, in case you wanted to get back to the desktop app. Do you mind giving that a try?

    ref: apple-4019

  • Piggy
    Community Member

    @ag_ana I just installed 7.3.2 (build #70302004). There isn't a reference to 4019, Chrome or profiles in the release notes.

  • AGAlumB
    1Password Alumni

    @Piggy: I'm not following. Did it resolve the issue you were having? We haven't seen any more crash reports. Please confirm.

    Regarding "blacklisting", clipboard management apps are able to exclude apps, not individual extensions. So they could not record content copied from 1Password for Mac or Google Chrome, for example.

  • Piggy
    Community Member

    @ag_ana Still no mention of fixing issue 4019 in the release notes; however, the problem has not reoccurred.

    @brenty I think you mistyped your last reply. You stated that extensions can't copy content. I think you meant to say that it's not possible to blacklist the copy from an extension. I agree with you on the latter, which is why I switched back to 1Password 7. I cannot use 1Password X if I cannot blacklist the content. This is a major security issue for me.

  • AGAlumB
    1Password Alumni
    edited August 2019

    @Piggy: Regarding the crash, we fixed a number of them for some edge cases with some targeted changes in the beta. I'm glad to hear that helped you as well, but I'm sorry about the confusion with the specific issue number.

    Going back to my last reply, I don't believe I mistyped but rather I'm having trouble communicating what I mean. :lol: I'm trying to say that clipboard management apps can blacklist other apps. They don't have the granularity to blacklist specific JavaScript running in another app, which is what a browser extension is. You just can't have it both ways: either you tell the app to not record clipboard data from the browser or you don't. Is that a clearer explanation?

    Using the 1Password desktop app/extension instead allows the app to handle this stuff, so then it's possible to exclude the 1Password app from clipboard recording. In the future, the specific problem you're asking about having may go away once 1Password X can fully integrate with the desktop app.

    However, I will say that the deeper issue is that using the clipboard at all is not secure. After all, any software running on your device can access that and record it itself. You can ask nicely for a well-behaved clipboard app to ignore data from some apps, but it doesn't have to listen; and there can be bugs that result in it not working the way you want it to. Of course, something malicious will simply not care no matter what. So while you may feel better excluding some stuff from a clipboard history, literally anything else running can record it if it wants to. So all of that is sort of irrelevant. I'd suggest using the browser extension to fill, not copy and paste, which is the actual security issue. It's not only more secure, it's also more convenient. Cheers! :)

  • 1pwuser31547
    Community Member

    How do you avoid the clipboard (aside from manually typing) when you must change a password for a website and enter it into the new password field?

    Is there any development of a “secure clipboard” that could prevent clipboard sniffing akin to Secure Input preventing key logging?

    Does Secure Input protect from key logging in this example or only when opening the 1PW app?

    Thanks

  • kaitlyn
    1Password Alumni

    Thanks for asking, @1pwuser31547! I believe your first question was answered in Brenty's explanations above. If you have a clipboard management app, you can blacklist apps (such as 1Password for Mac/Windows or Google Chrome), but you wouldn't be able to blacklist a specific extension within the browser.

    Now, what I use is the Suggested Password feature in the 1Password X inline menu, which doesn't require that I copy a password.

    There's also an Autofill button in the password generator in the 1Password X pop-up that you could use instead of the copy button.

    Both of the above instances avoid copying a password to your clipboard, so I can't say I've ever had a problem with it myself.

    All that said, I do see where this would be a great feature to have in 1Password X, and it's something that we know and love in the 1Password desktop apps. As far as I know, there isn't an API to do this inside the browser. It's something we may be able to come back to later down the road, though.

    ref: x/b5x#478

  • 1pwuser31547
    Community Member

    Hi @kaitlyn
    Thanks for the reply.
    If using 1 PW 7, how would I avoid clipboard in these situations?
    Also please clarify using clipboard management apps that you can set up to blacklist 1PW.
    Does this mean all copied/pasted data would not be recorded by the clipboard, thus adding at least some layer of protection, since copy/paste cannot be totally avoided? Can you recommend one?
    Also regarding my previous question about Secure Input, is this function in MAC OS enabled when typing any entry in any password field?
    If so, then manually typing (when browser extension can’t be used) would obviously be more secure (since then protected from keylogging) than copy/paste.

  • 1pwuser31547
    Community Member

    Also, is there any way or future plans or even any possibility of designing a program that would obfuscate/scramble or encrypt any data copied to clipboard from 1 PW that could then be decrypted and pasted in the password field?
    Thanks

  • 1pwuser31547
    Community Member

    Or alternatively, I wonder if one could set up a “2nd clipboard” that resides entirely within 1PW that would hold the real data copied.
    If data had to be sent to the device clipboard, then maybe a bunch of zeros could be sent from the 1PW clipboard...

    I’m just thinking out loud.
    I’m not a programmer so I don’t know if this solution is just fantasy...

  • AGAlumB
    1Password Alumni

    If using 1 PW 7, how would I avoid clipboard in these situations?

    @1pwuser31547: If you're using the 1Password desktop app/extension, configuring your clipboard software to exclude anything from 1Password's processes should do the trick. With that companion extension, it's really the desktop app that's doing everything; the extension itself is just a way to integrate with the browser; all UI and functionality is handled by the app -- which is completely different from 1Password X, which is a self-sufficient extension that runs entirely in the browser.

    Also please clarify using clipboard management apps that you can set up to blacklist 1PW. Does this mean all copied/pasted data would not be recorded by the clipboard, thus adding at least some layer of protection, since copy/paste cannot be totally avoided? Can you recommend one?

    I'm not sure what you're asking here, but if you're looking for recommendations for or support with 3rd party software, that's not something we can help with. That's entirely outside of the scope of 1Password.

    Also regarding my previous question about Secure Input, is this function in MAC OS enabled when typing any entry in any password field?

    Essentially yes. macOS has Secure Input APIs which are used in password fields (and, actually, we use this in all fields when editing in 1Password) to prevent other software from capturing what is entered there.

    If so, then manually typing (when browser extension can’t be used) would obviously be more secure (since then protected from keylogging) than copy/paste.

    Theoretically, in a sense, yes. But even better is using the 1Password extension to fill, since that bypasses the keyboard and clipboard entirely.

    Also, is there any way or future plans or even any possibility of designing a program that would obfuscate/scramble or encrypt any data copied to clipboard from 1 PW that could then be decrypted and pasted in the password field?

    No. Because it is just obfuscated, it could be de-obfuscated. So that doesn't really provide any security benefit, only security theater. And, ultimately, it would not be usable either in that case: a website is not going to accept an "obfuscated" password to login, only the real thing.

    Or alternatively, I wonder if one could set up a “2nd clipboard” that resides entirely within 1PW that would hold the real data copied. If data had to be sent to the device clipboard, then maybe a bunch of zeros could be sent from the 1PW clipboard... I’m just thinking out loud. I’m not a programmer so I don’t know if this solution is just fantasy...

    I'm not sure how that could work, and, essentially, if you think about it a different way, 1Password sort of already is its own "clipboard" in the sense that you've got data there which you can access when you need it. The problem in either case is that in order to be able to use any of that data, it must be decrypted and taken out of 1Password, at which point it's vulnerable if your device is compromised. The only real solution is to practice good security hygiene to avoid being in that position. At the point where someone else has access into and control over your machine, there is little they cannot do anyway.

  • 1pwuser31547
    Community Member

    Thanks @brenty for your reply.
    Can you comment on the auto fill function and the risk of cross script attack and third party tracking script that may capture the auto fill data?
    How does the auto fill function avoid filling in these invisible boxes?
    Thanks

  • AGAlumB
    1Password Alumni

    @1pwuser31547: Great question! We have a support article about the security of 1Password X, but regarding what you're specifically asking about:

    The pop-up runs outside of the web pages you visit. Only you can open and control it.
    Inline menus are loaded in iframes, with their source set to a resource inside the extension bundle. Same-origin policy prevents pages from looking inside these iframes or interacting with their contents.
    Messages are passed between extension components and the page using the extension messaging API rather than DOM events, so they can’t be intercepted or spoofed by untrusted web pages.
    Parsing is done with safe, tested methods, and all input is sanitized before being displayed to prevent XSS (cross-site scripting) attacks.
    A restrictive CSP (Content Security Policy) prevents 1Password X from loading untrusted external resources.

    While 1Password X, to the user, appears to be operating right there on the website along with everything else, that isn't actually the case, thanks to solid engineering in 1Password X and the browser itself. Cheers! :)
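
The messaging point in the reply above (extension messaging API rather than DOM events), as an added example that is not part of the original post and is not 1Password X source code. `EXT_ID`, the `fill-request` message shape and the function names are assumptions, and the events are constructed samples:

```javascript
// Added illustration, not 1Password X source. EXT_ID, the message shape and
// the function names are hypothetical; the events below are constructed.
const EXT_ID = "example-extension-id"; // placeholder for chrome.runtime.id

// Weak pattern: the content script listens for DOM events on the page's
// window. Page scripts share that window, so any of them can dispatch one.
function weakListener(pageWindow, accepted) {
  pageWindow.addEventListener("fill-request", (ev) => accepted.push(ev.detail));
}

// Hardened pattern: the handler is registered with the extension messaging
// API (chrome.runtime.onMessage), which page scripts cannot dispatch into.
// Checking the sender and the message shape is defence in depth.
function acceptRuntimeMessage(message, sender) {
  if (!sender || sender.id !== EXT_ID) return false;
  return Boolean(message) && message.type === "fill-request" &&
         typeof message.itemId === "string";
}

function runDemo() {
  const pageWindow = new EventTarget(); // stands in for the shared page window
  const accepted = [];
  weakListener(pageWindow, accepted);

  // Constructed: an untrusted page script forging the DOM event.
  const forged = new Event("fill-request");
  forged.detail = { itemId: "page-chosen" };
  pageWindow.dispatchEvent(forged);

  return {
    forgedDomEventAccepted: accepted.length === 1,
    foreignSenderAccepted: acceptRuntimeMessage(
      { type: "fill-request", itemId: "abc" }, { id: "some-other-extension" }),
    ownSenderAccepted: acceptRuntimeMessage(
      { type: "fill-request", itemId: "abc" }, { id: EXT_ID }),
  };
}

// In a real extension the hardened check would be wired up like this.
if (typeof chrome !== "undefined" && chrome.runtime?.onMessage) {
  chrome.runtime.onMessage.addListener((msg, sender, sendResponse) => {
    sendResponse({ ok: acceptRuntimeMessage(msg, sender) });
  });
}
```

The DOM-event listener accepts the forged request because it has no way to tell who dispatched it; the runtime-message handler is never reachable from page script and additionally rejects senders that are not the extension itself.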

  • jpgoldberg
    1Password Alumni

    Hi @1pwuser31547,

    tl;dr: We were waaaaay ahead in defending against attacks on automatic autofill.

    I'd like to add one thing to @brenty's answer. I suspect that you have heard about the dangers of what we call "automatic auto-fill." Until recently, many other password managers worked that way. The password manager would fill data into a page as soon as you visited the page. 1Password never behaved that way, despite people requesting it as a feature. We believed that automatic auto-fill posed a security risk, and so we always insisted that the user (that's you) have to take some action to say that you want details filled on a page.

    Although attacks based on exploiting automatic auto-fill existed (but did not affect 1Password because we refused to support the feature), the extent of those didn't become clear until just a couple of years ago. So more recently other password managers have started to follow our lead and either turn off automatic auto-fill or at least make it non-default behavior.

    I wrote about this in December 2017 in "1Password keeps you safe by keeping you in the loop". And to just go full inception on quoting myself, in that article I quote myself from 2014 explaining why we don't offer automatic autofill.

  • 1pwuser31547
    Community Member

    @brenty @jpgoldberg
    Thanks so much for that information on “manual auto-fill”- very informative and reassuring!

  • AGAlumB
    1Password Alumni

    Likewise, thanks for being as passionate about 1Password and security as we are. Have a great weekend! :chuffed:

This discussion has been closed.