Forum Discussion
DreClark69
7 hours ago, New Member
1Password Extension Hijack
I recently watched a video (see link below) where an unassuming Chrome extension could mimic the 1Password extension. It temporarily disabled the extension, changed its appearance to look like 1Password, required the end-user to put in their 1Password creds (including secret key), and then re-enabled 1Password. This blew my mind. My questions are:
1. Is this possible?
2. Can an enhancement be made to prevent another extension from disabling the 1Password extension?
I've been a 1Password user since version 2 and use and recommend it faithfully. It would be phenomenal if changes could be made to continue making it an extremely secure platform.
https://www.youtube.com/watch?v=oWtR8vqbYX4
Regards
- AJCxZ0, Dedicated Contributor
SquareX's article, Polymorphic Extensions: The Sneaky Extension That Can Impersonate Any Browser Extension, goes into some detail and includes their video demonstration.
An important factor to consider in this case is that this is a clever and pernicious example of the consequences of a user installing malware on their computer, not an exploit of a vulnerability in the 1Password plugin, application, browser, or platform.
Browser plugins currently are a ripe area for exploitation of probably the largest and most important software platform, and protections are severely limited - usually to users exercising good judgement (and even then with imperfect ongoing results).
- Tom, Occasional Contributor
Assuming this would be possible (which I can't think of 'why not' - since there are tons of extensions that are unverified or broken for years) - I would be very concerned with ever being asked for my secret key. Given though, people might indeed just do this, so some kind of user awareness is key.
I'm actually never unlocking via the extension, I always unlock the app (thus unlocking the extensions) but I can see that not being too common.
While I see (and share) your concern I think this is more to do with the browsers than the creators of the extensions, but maybe pushing for some kind of additional verification would be in order (though looking at the play store and all, very unlikely).
Hoping the 1P team has a great insight in this!
Btw, very nice to meet a fellow long-time user :)
- andrewreeves, New Member
That’s pretty concerning! Browser security gaps like this are scary. Hopefully, 1Password can add protections to prevent extension tampering.
- Dunecat, Occasional Contributor
Big yikes. Also interested to hear how AgileBits can harden 1P against this type of attack.
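A defender-side check related to question 2 in the original post, added here as an example and not taken from the thread, 1Password, or SquareX: Chrome's `chrome.management` API, gated by the `management` manifest permission, lets an extension enable or disable other extensions, so this script lists installed extensions that request it. The `Extensions/<id>/<version>/manifest.json` layout is assumed, the function names are hypothetical, and the sample manifests are constructed.

```python
import json
import tempfile
from pathlib import Path

# "management" lets an extension list, enable and disable other extensions
# through chrome.management, so any extension requesting it deserves review.
REVIEW_PERMISSIONS = {"management"}


def audit_extensions(extensions_dir):
    """Return [(extension_id, version, name, flagged_permissions)], sorted by path."""
    findings = []
    # Assumed layout: <extensions_dir>/<extension id>/<version>/manifest.json
    for manifest_path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: nothing to inspect
        if not isinstance(manifest, dict):
            continue
        requested = set()
        for key in ("permissions", "optional_permissions"):
            value = manifest.get(key, [])
            if isinstance(value, list):
                requested.update(p for p in value if isinstance(p, str))
        flagged = sorted(requested & REVIEW_PERMISSIONS)
        if flagged:
            ext_id = manifest_path.parent.parent.name
            version = manifest_path.parent.name
            findings.append((ext_id, version, str(manifest.get("name", "?")), flagged))
    return findings


def build_sample_profile(root):
    """Write two constructed manifests (not real extensions) for a demo run."""
    samples = {
        "a" * 32 + "/1.0_0": {"name": "Constructed Helper", "manifest_version": 3,
                              "permissions": ["storage", "management"]},
        "b" * 32 + "/2.3_0": {"name": "Constructed Notes", "manifest_version": 3,
                              "permissions": ["storage"]},
    }
    for rel, manifest in samples.items():
        target = Path(root) / rel
        target.mkdir(parents=True)
        (target / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_profile(tmp)
        for finding in audit_extensions(tmp):
            print(finding)
```

A hit is a prompt to review the extension, not proof of malice, since legitimate extension managers request the same permission.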