DataSpii - Should we be worried to use webvault with a bunch of Chrome extensions installed?

lengotengo

Hi. Happy customer here, you are great.

As saw in https://arstechnica.com/information-technology/2019/07/dataspii-inside-the-debacle-that-dished-private-data-from-apple-tesla-blue-origin-and-4m-people/ , some browser extensions are shady.

It has been known for a while, but this time I wonder if any of those "Read and modify all your data on websites you visit" things - on any Chrome extension - affects the privacy/security of 1Password on webvault or account information.

I've never installed any of the extensions mentioned in the report, but should I be worried that my email, master password , account key or saved passwords may be read or leaked by some evil extension on my browser? Are webvault data or 1Password account data on *.1password.com "leakable" via some common and generic extensions' permissions?

Thank you.

---

1Password Version: Not Provided
Extension Version: X-1.15.6
OS Version: ChromeOS 75.0.3770.129
Sync Type: Not Provided
Referrer: forum-search:read and modify data on

Ben

Hi @lengotengo

I would recommend caution before opting to install any browser extensions, and evaluating what permissions they are requesting to be sure it is appropriate/necessary. That said, the reason isn't so much 1Password.com. The bigger problem, and easier target, would be the ability for extensions which you've given this permission:

Read and modify all your data on websites you visit

To read passwords (and other data) out of websites as you input them. They can do this regardless if you utilize 1Password or not. Certainly most extensions are not malicious but it is worth carefully evaluating each before deciding to install it and grant such sweeping permissions.

Ben

lengotengo

Thanks for your response, Ben.
Just for clarification: can those extensions read what I type on my web vault on 1password.com? For example, when editing an item, updating master password or activating two-factor authentication.
Differently put: does 1password.com web vault (especially that first screen, with the master password input field) count as "website" in reference to that Chrome permission?
I ask this because I know every decryption is done on the machine, but I do not know if the fact of doing local encryption excludes it from the category of "website" regarding browser/extensions.
Cheers.

Ben

@lengotengo

Thanks for your response, Ben.

My pleasure.

Just for clarification: can those extensions read what I type on my web vault on 1password.com? For example, when editing an item, updating master password or activating two-factor authentication.
Differently put: does 1password.com web vault (especially that first screen, with the master password input field) count as "website" in reference to that Chrome permission?
I ask this because I know every decryption is done on the machine, but I do not know if the fact of doing local encryption excludes it from the category of "website" regarding browser/extensions.

The 1Password.com website does count as a web page for these purposes and as such extensions with these types of permissions do have the ability to read data from it. Our native 1Password apps (such as 1Password for Mac) as well as 1Password X are a different story.

Ben

lengotengo

The 1Password.com website does count as a web page for these purposes and as such extensions with these types of permissions do have the ability to read data from it. Our native 1Password apps (such as 1Password for Mac) as well as 1Password X are a different story.

I feel completely comfortable using 1Password products, and this is reassuring.

Just realised how worrisome extension permissions are. Thanks for opening my eyes.

It's time for me to uninstall some extensions, regenerate a key and change a bunch of passwords. Should take only a few minutes :-)

Cheers!

Ben

I feel completely comfortable using 1Password products, and this is reassuring.

Glad to hear it. :)

Just realised how worrisome extension permissions are. Thanks for opening my eyes.

It is definitely something to be aware of.

It's time for me to uninstall some extensions, regenerate a key and change a bunch of passwords. Should take only a few minutes :-)

Fortunately 1Password makes all of that relatively easy. :+1:

Ben

chriswayg

    Allow this extension to read and change all your data on websites you visit:
    [ ] On click
    [ ] On specific sites
    [*] On all sites

A lot of extensions have permissions to read and change all your data On all sites by default, which I was not even aware of.

Is there a way to set Chrome to read and change all your data On all sites except https://my.1password.com and https://my.bank.com, for example?

AGAlumB

@chriswayg: There is not. Similarly, as I think you're aware, the isn't a way to pick and choose which entitlements to accept when installing an extension. It's all or nothing. Perhaps that's something browsers will allow more granular control over in the future, but I kind of doubt it since it would not be user friendly -- or accessible -- to most people.

I can certainly appreciate that some extensions do legitimately need those abilities to do what's expected of them, but similar to apps on macOS which still want full disk access permission in the age of sandboxing when you or I may be unable to find any reason for it, many really don't need such broad permissions; it's more a remnant of a time when we were all less circumspect about this stuff. There are some growing pains with the crackdown, both with apps and extensions, but I'm glad that it's making everyone involved -- from developer to user -- more aware.

chriswayg

@brenty I have extensions that I trust with "All Sites" like Evernote, then I have extensions which only modify Gmail and usually only ask for access to Gmail like Bananatag. Some other extensions I can restrict to "specific sites" like restricting them to facebook.com and twitter.com. - But then there are many other extensions which are useful on all sites, but which should never have access to the 1Password webvault. Without an "all sites" excluding 1Password setting, I will not really use the Webvault in regular browser windows.

The problem is even worse in Firefox, as it only has one permission which is used by 2/3rds of my extensions: Access your data for all websites! - There is apparently no setting in Firefox to restrict permissions to specific sites as there is in Chrome.

The solution I came up with is to open https://my.1password.com in a Chrome Incognito Window in which all extensions are disabled by default, or to open it in a Private Window _in Firefox. (Starting with Firefox 67 extensions are not allowed to _Run in Private Windows by default, just like in Chrome). I have not explored the settings for Safari yet.

Would you recommend this as a current workaround, until the extension permission-settings of the browsers improve?

Another user suggested, to access Banking and other security sensitive browsing like password managers via a separate Firefox profile that has strictly zero add-ons.

chriswayg

@brenty I have extensions that I trust with "All Sites" like Evernote, then I have extensions which only modify Gmail and usually only ask for access to Gmail like Bananatag. Some other extensions I can restrict to "specific sites" like restricting them to facebook.com and twitter.com. - But then there are many other extensions which are useful on all sites, but which should never have access to the 1Password webvault. Without an "all sites" excluding 1Password setting, I will not really use the Webvault in regular browser windows.

The problem is even worse in Firefox, as it only has one permission which is used by 2/3rds of my extensions: Access your data for all websites! - There is apparently no setting in Firefox to restrict permissions to specific sites as there is in Chrome.

The solution I came up with is to open https://my.1password.com in a Chrome Incognito Window in which all extensions are disabled by default, or to open it in a Private Window _in Firefox. (Starting with Firefox 67 extensions are not allowed to _Run in Private Windows by default, just like in Chrome). I have not explored the settings for Safari yet.

Would you recommend this as a current workaround, until the extension permission-settings of the browsers improve?

Another user suggested, to access Banking and other security sensitive browsing like password managers via a separate Firefox profile that has strictly zero add-ons.

(my comment disappeared after editing,...)

AGAlumB

Ah, I hadn't really considered using incognito for that purpose, since I already make heavy use of profiles, but either could work, depending on the use case, to compartmentalize things to some extent, provided you haven't allowed a bunch of extensions to work in incognito mode. Good call! :)