Security of communication between WS and 1Password

adamziel
Community Member
edited October 2015 in 1Password in the Browser

I noticed that the Chrome extension talks to 1Password via a WebSocket. I figured out that 1Password will only allow the connection if it's a local one AND the Origin header points to the extension. This seems like enough to prevent XSS attacks, however I have some concerns.

Let's imagine that a remote attacker is able to issue local requests with a spoofed Origin header. How exactly? Doesn't matter. I can easily imagine that one day there will be a security issue with Chrome that makes it possible to spoof the Origin header. Or maybe I have some other software that, among other things, displays a part of some website in a half-baked webview which allows spoofing Origin. The point is that there is no malware locally. Or if there is one, it has no admin privileges.

There is no authentication after the websocket is connected - why is that? Unless I'm missing something, anyone who can connect to that websocket can extract all my passwords. And securing it is so simple - do not allow the connection unless an authentication string is passed. What authentication string? Maybe a master password, or maybe some per-session or temporary pin code. Just anything that would make it impossible to automate password-leeching.

If I'm right, then storing passwords in a plain-text file in the admin home directory seems to be more secure, since it's trivial to connect to an http server and ask nicely for my passwords, but it's not trivial to perform a full-disk scan with admin privileges and determine if any file contains any password.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: OS X
Sync Type: none
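
As an added illustration of the two checks the post discusses (a loopback-only listener that exact-matches the Origin header) together with the per-session secret the post proposes, here is a small handshake validator in Python. This is example code written for this thread, not 1Password's implementation (the thread says 1Password's real defence is a process-ID and code-signing check, which is OS-specific and not shown here); the extension ID, port and session token are constructed placeholders.

```python
import base64
import hashlib
import hmac
import ipaddress

# RFC 6455 magic GUID used to derive Sec-WebSocket-Accept from the client key.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

# Constructed values for this example: the extension's origin and a hypothetical
# per-session token handed to the extension out of band (e.g. at unlock time).
ALLOWED_ORIGINS = {"chrome-extension://abcdefghijklmnopabcdefghijklmnop"}
SESSION_TOKEN = "example-session-token"


def parse_handshake(raw):
    """Split a raw HTTP/1.1 upgrade request into (request line, header dict)."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def accept_key(client_key):
    """Sec-WebSocket-Accept = base64(SHA-1(key + GUID)), per RFC 6455 section 4.2.2."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def check_handshake(raw, peer_ip):
    """Return (accepted, reason or accept key) for one WebSocket upgrade request."""
    if not ipaddress.ip_address(peer_ip).is_loopback:
        return False, "peer is not loopback"
    _request_line, headers = parse_handshake(raw)
    if headers.get("upgrade", "").lower() != "websocket":
        return False, "not a websocket upgrade"
    # Exact set membership on Origin: a prefix or substring test would let
    # http://localhost.evil.example through for an http://localhost allowlist.
    if headers.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin not allowed"
    # The extra step the post asks for: a secret that merely reaching the
    # port (even with a spoofed Origin) does not give the caller.
    if not hmac.compare_digest(headers.get("x-session-token", ""), SESSION_TOKEN):
        return False, "missing or wrong session token"
    key = headers.get("sec-websocket-key")
    if not key:
        return False, "missing Sec-WebSocket-Key"
    return True, accept_key(key)
```

The accept-key derivation is checked against the worked example in RFC 6455, so the function can be dropped in front of any raw-socket listener to reject requests before the upgrade completes.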

Comments

  • adamziel
    Community Member
    edited October 2015

    Luckily I was missing something - just found an answer in here: https://support.1password.com/mini-extension-security/

    "1Password mini actually checks the process ID of what is at the other end of the connection and then uses the OS X codesigning check that Gatekeeper uses to ensure that the application acting as a WebSocket client is really the official, digitally signed, browser"

  • littlebobbytables
    1Password Alumni
    edited October 2015

    Hi @adamziel,

    Sorry we didn't get to your query earlier; we've got lots of people keen to hear from us at the moment and we're slowly making our way to each query. It looks like you've found an article that helped, but if you still have questions do please ask or make sure we're aware that there are queries outstanding. Your security is important and we want you to feel comfortable about using 1Password.

    --Edit--

    I did delete the other thread as per your request :smile:
