Security Problem with Chrome Extension?

Can someone explain to me how this extension -- in its current form -- is not a ***MASSIVE SECURITY HOLE***? (relative to 1Password's master password security)

If someone gains access to my computer, all that person would have to do is:
1) install google chrome extension
2) go to my bank website
3) voila, access. (*without* having to enter my 1Password master password)

I immediately uninstalled the extension once I realized the threat that the extension exposed. But that doesn't prevent someone else from reinstalling the extension. No?

Comments

  • JayBarcelo Junior Member
    Can you elaborate more?
  • The current Chrome extension recognizes web pages for which 1Password has credentials. Then, with a push of the button, populates the user/password info.

    This makes access convenient, but completely breaks the intended security functionality (password protection) built into the full 1Password client - the standalone application.
  • khad Social Choreographer

    Team Member
    Hi regulator,

    Welcome to the forums! :-)

    The Chrome extension prompts you for your master password if your 1Password keychain is locked just as our other browser plugins do:
    [Image: Screen shot 2010-10-01 at 5.50.40 PM.png]

    It displays no information if the master password is not entered correctly:
    [Image: Screen shot 2010-10-01 at 5.50.56 PM.png]

    Please check your 1Password security preferences to make sure your keychain is locking as you expect it to (i.e. after [X] minutes of inactivity, when sleeping, when screen saver is activated). You might also want to investigate our unlocking options:

    Disable automatic unlock for 1Password: you will be asked for master password every time you launch 1Password application. The main application will not be unlocked when you type the master password in the browser.

    Disable automatic unlock for all applications: you will need to type the master password separately in 1Password and Safari (and other browsers). By default unlocking 1Password unlocks all browsers.

    I hope that helps.

    Cheers!
  • Sorry. False alarm.

    Thanks, khad.
  • khad Social Choreographer

    Team Member
    No problem.

    You can rest assured. We've got your back. :-D
This discussion has been closed.