Chrome extensions have access to 1password site

Hi. When accessing my account and passwords via a webpage on chrome (or any other browser for that matter), other third-party extensions may have access to that information on that page. Is this not a huge vulnerability of 1password? I was editing a password via the 1password chrome extension which opened up a webpage to achieve this. Suddenly I realised that all the other chrome extensions have access to this information. Is this true?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • ag_ana
    ag_ana
    1Password Alumni

    Hi @JimmieDee! Welcome to the forum!

    When accessing my account and passwords via a webpage on chrome (or any other browser for that matter), other third-party extensions may have access to that information on that page.

    I am not sure I understand what you mean. What other third-party extensions are you referring to?

    Suddenly I realised that all the other chrome extensions have access to this information. Is this true?

    Do you have a screenshot that shows what you are seeing?

  • JimmieDee
    JimmieDee
    Community Member
    1. Open your 1password account in chrome.
    2. Go to one of your saved passwords - all the information is on the screen.
    3. The list of chrome extensions to the right of the address bar, e.g. adblock, onenote, Pinterest, Grammarly etc etc.... all have access to any displayed web page and the information shown on it. Move your mouse over one of the extensions and it will say "Has access to this site".

    Surely this is a security risk?

  • ag_ana
    ag_ana
    1Password Alumni

    @JimmieDee:

    Indeed, if you let other extensions access to your pages, you need to trust all those extensions. For example, in my browser I only have 1Password, but if you install other things, please make sure that you trust them: there is nothing that 1Password can do if you give other extensions access to your web pages.

    If you do not trust the other extensions (which seems to be the case here), I suggest using a separate Chrome profile with just 1Password: this way, you can continue using all your extensions, but 1Password would be running just in the other profile :+1:

This discussion has been closed.