Malicious Chrome Permission? – Modify Data You Copy and Paste

Hi Guys,

A Chrome extension I use, "Redefined GitHub", recently asked for additional permissions – "Modify Data You Copy and Paste". Given that the 1Password Chrome extension copies passwords when used, should I be worried about this extension, or any others with these permissions, having access to my passwords when copied?

Should we disable extensions with "modify data you copy and paste" permissions? The full details can be seen on Google's page under "Low Alert" here:

https://support.google.com/chrome_webstore/answer/186213?hl=en

Thanks!


1Password Version: 6.7.1
Extension Version: 4.6.6.90
OS Version: 10.11.6
Sync Type: Dropbox

Comments

  • Hi @billaddison,

    When you fill using a Login item, it doesn't use the operating system clipboard, instead injecting directly into the field. As far as I can tell, the precise permissions being requested are clipboardRead and clipboardWrite, based on the text you provided, and if so the extension can't directly use these to sniff on 1Password.

    With that said, every extension has access to the page that is open. This means you should always be careful of what extensions you have installed, as this is something any extension can do without asking for permission. Sadly, it means that instead of worrying about extensions with the permission you're asking about, you really need to worry about any extension you install.

    The intent isn't to scare but to ensure I don't mislead you by simply saying it's okay and offering a false sense of security regarding extensions in general.

  • Ok so just a couple more questions to clarify:

    If every extension has access to the page that is open, does this mean that potentially any extension can read passwords from inputs, whether injected by 1p or manually typed?

    If we use the "copy" feature from the 1p extension does this copy the password to the operating system clipboard and therefore make it accessible to extensions with copy/paste access?

    Just want to be sure. Feel like I should disable all extensions.

  • Hi @billaddison,

    You are correct on both counts. Any installed extension can "see" what our extension does to the fields on the page. Other extensions won't be able to see your vault in any sense, just like even our own extension does not, but a malicious extension could over time learn a lot. This is of course true regardless of whether you use 1Password or not.

    The copy feature in 1Password does use the clipboard, so the contents would be accessible to this extension. Now, there could well be limitations on the extension. Even though it seems it can read and write, it probably cannot tell when the clipboard contents change without constant requests. It would seem more likely that a well-behaved extension would probably only look at the contents when you attempt to use the extension, but I say this without any knowledge or experience of the extension in question.

    I would say you want to approach extensions with the same mindset as you would installing an application on your computer. An extension cannot do the same damage, but given how much of what we do occurs in a browser, it is a valuable source of information and so caution is wise.

    I hope this helps.

This discussion has been closed.
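
The clipboardRead and clipboardWrite permissions named in this thread, and the sites an extension's scripts run on, are declared in each extension's manifest.json, so they can be reviewed when deciding which extensions to keep. The following is an added example, not code from the thread or from 1Password; the sample manifests are constructed and `audit_manifest` is a hypothetical helper name.

```python
import json

CLIPBOARD = {"clipboardRead", "clipboardWrite"}
# Match patterns that cover every site the browser visits.
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Manifest V2 lists host patterns under "permissions"; V3 uses "host_permissions".
PERMISSION_KEYS = ("permissions", "optional_permissions",
                   "host_permissions", "optional_host_permissions")


def audit_manifest(manifest_text):
    """Summarise the clipboard and page access declared in one manifest.json."""
    manifest = json.loads(manifest_text)
    declared = set()
    for key in PERMISSION_KEYS:
        declared.update(p for p in manifest.get(key, []) if isinstance(p, str))
    injected = set()  # sites where the extension's content scripts run
    for script in manifest.get("content_scripts", []):
        injected.update(script.get("matches", []))
    return {
        "name": manifest.get("name", "(unnamed)"),
        "clipboard": sorted(declared & CLIPBOARD),
        "all_sites": sorted((declared | injected) & ALL_SITES),
        "content_script_sites": sorted(injected),
    }


# Constructed sample manifests, not taken from any real extension.
SAMPLE_SCOPED = json.dumps({
    "manifest_version": 2,
    "name": "Constructed sample A",
    "permissions": ["clipboardRead", "clipboardWrite", "storage"],
    "content_scripts": [{"matches": ["https://github.com/*"], "js": ["content.js"]}],
})
SAMPLE_BROAD = json.dumps({
    "manifest_version": 3,
    "name": "Constructed sample B",
    "permissions": ["storage"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["*://*/*"], "js": ["content.js"]}],
})

if __name__ == "__main__":
    for text in (SAMPLE_SCOPED, SAMPLE_BROAD):
        report = audit_manifest(text)
        print(report["name"], "| clipboard:", report["clipboard"],
              "| all sites:", report["all_sites"],
              "| content scripts on:", report["content_script_sites"])
```

In the constructed samples, A holds the clipboard permissions but is scoped to one site, while B requests no clipboard permission yet runs on every page, which is where typed or filled form fields live.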