DreClark69
8 months ago, New Contributor
1Password Extension Hijack
I recently watched a video (see link below) where an unassuming Chrome extension could mimic the 1Password extension. It temporarily disabled the extension, changed its appearance to look like 1Password, required the end-user to put in their 1Password creds (including secret key), and then re-enable 1Password. This blew my mind. My questions are:
1. Is this possible?
2. Can an enhancement be made to prevent another extension from disabling the 1Password extension?
I've been a 1Password user since version 2 and use and recommend it faithfully. It would be phenomenal if changes could be made to continue making it an extremely secure platform.
https://www.youtube.com/watch?v=oWtR8vqbYX4
Regards
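An added defender-side example, not code from this thread or from 1Password: a Python audit of Chrome extension manifests for the "management" permission, which is what an extension needs in order to disable another extension the way the post describes. The sample manifests are constructed, and the profile directory layout is an assumption about where Chrome unpacks installed extensions.

```python
import json
from pathlib import Path
from typing import Iterable

# Chrome only lets an extension enable or disable other extensions through the
# chrome.management API, which requires the "management" permission in the
# manifest. Any extension can change its own toolbar icon at runtime, so
# "management" is the permission that makes the impersonation described above
# possible, and the one to audit for.
RISKY_PERMISSIONS = {"management"}

def risky_permissions(manifest: dict) -> set[str]:
    """Risky permissions requested by one manifest, including optional ones,
    which an extension can ask for later, after install-time review."""
    requested = set(manifest.get("permissions", []))
    requested |= set(manifest.get("optional_permissions", []))
    return requested & RISKY_PERMISSIONS

def audit_manifests(manifests: Iterable[tuple[str, dict]]) -> list[dict]:
    """Flag every (label, manifest) pair that could disable other extensions."""
    findings = []
    for label, manifest in manifests:
        hits = risky_permissions(manifest)
        if hits:
            findings.append({"extension": label,
                             "name": manifest.get("name", "?"),
                             "permissions": sorted(hits)})
    return findings

def load_profile_manifests(extensions_dir: Path) -> list[tuple[str, dict]]:
    """Read <profile>/Extensions/<id>/<version>/manifest.json from a Chrome profile."""
    found = []
    for path in extensions_dir.glob("*/*/manifest.json"):
        with open(path, encoding="utf-8") as fh:
            found.append((path.parent.parent.name, json.load(fh)))
    return found

# Constructed sample manifests (not real extensions): one password-manager-style
# extension with ordinary permissions, and one that asks for "management".
SAMPLE_MANIFESTS = [
    ("benign-example-id", {"name": "Example Vault", "manifest_version": 3,
                           "permissions": ["storage", "tabs"]}),
    ("suspicious-example-id", {"name": "Helpful Tool", "manifest_version": 3,
                               "permissions": ["storage"],
                               "optional_permissions": ["management"]}),
]

if __name__ == "__main__":
    for finding in audit_manifests(SAMPLE_MANIFESTS):
        print(finding)
```

To audit a real profile, pass `load_profile_manifests(Path("~/.config/google-chrome/Default/Extensions").expanduser())` to `audit_manifests`; a hit only means the extension can disable others, so review it rather than treat it as proven malicious.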
10 Replies
- thecatfix (Frequent Contributor)
Okay this is a wake up call I needed.
The extensions 1password develops are such a pain in the ass for me.
Glad that the 1password team is all over it on the Random But Memorable podcast.
- johnb1975 (New Contributor)
I'm hoping that if I had MFA enabled as well, this attack would fail.
I guess the fact that I always login via 1password app and not chrome extension would hopefully save me from this attack.
- IanJSaul (New Contributor)
Wildly concerning to see this type of exploit. I'm glad to see it posted and discussed on here. I'd love to know further information about how Agilebits could harden/secure the system, so that an exploit or mistake in Chromium wouldn't result in the same thing happening.
- keithm1p (New Contributor)
Yup, watched that YT video on this as well. I can't help but think that this is just sneaky enough to fool even experienced users. While I don't think I've seen this before with 1P, new versions of other extensions do sometimes force a clearing of cached credentials, log you out, and prompt you to enter them again.
I don't use Chromium-based browsers, but many do. We shouldn't be so quick to dismiss as to "Not 1P's problem" though. The browser plug-in ecosystem is where 1P lives --- that's where it's useful, and without that, I probably wouldn't be a subscriber. If there are adjacent risks, or threats within that same system, it would be foolhardy to not at least investigate and remediate. And maybe 1P has already looked into it -- and would be interested as well to hear what's being done.
- Nusaram (Frequent Contributor)
Thank you for sharing, DreClark69!
Although, in my case, there are enough red flags that would raise my suspicion and cause me to pause (i.e., the request for the secret key and position of the fake 1P extension icon), there is no doubt that an exploit like this would have a high degree of success.
But as Tom indicated, user awareness of what you are downloading and installing is key! Yes, I have antivirus software, but I still take precautions and am careful with what I download and install, because no software is perfect. In the end, if you choose to install malware/untrusted software, then it is purely on you.
2. Can an enhancement be made to prevent another extension from disabling the 1Password extension?
This, too, reminds me of some antivirus software that does not allow you to simply shut down the software. That is, you have to physically uninstall it and/or provide a shutdown password. If something like this were possible with browser extensions, then it would definitely help.
- AJCxZ0 (Bronze Expert)
In the end, if you choose to install malware/untrusted software, then it is purely on you.
In the case of browser extensions hosted in a "store" and automatically updated (as they should be), there have been and will be cases of publishers selling their extension to a party which later intentionally adds malware or effectively repurposes the extension, and the automated scanning by the store fails to detect the change. There are various more innocent scenarios with similar results.
Ultimately the user is trusting the browser developer and packager/distributor, the extension "store" provider, and each of the current and future extension publishers. Practical mitigation options include configuring and turning off extensions until needed, along with using combinations of browsers, browser profiles, and Incognito/Private/etc. sessions suitable for each use case - all at increasing cost with complexity.
- AJCxZ0 (Bronze Expert)
SquareX's article, Polymorphic Extensions: The Sneaky Extension That Can Impersonate Any Browser Extension goes into some detail and includes their video demonstration.
An important factor to consider in this case is that this is a clever and pernicious example of the consequences of a user installing malware on their computer, not an exploit of a vulnerability in the 1Password plugin, application, browser, or platform.
Browser plugins currently are a ripe area for exploitation of probably the largest and most important software platform, and protections are severely limited - usually to users exercising good judgement (and even then with imperfect ongoing results).
- Tom (Dedicated Contributor)
Assuming this would be possible (which I can't think of 'why not' - since there are tons of extensions that are unverified or broken for years) - I would be very concerned with ever being asked for my secret key. Given though, people might indeed just do this, so some kind of user awareness is key.
I'm actually never unlocking via the extension, I always unlock the app (thus unlocking the extensions) but I can see that not being too common.
While I see (and share) your concern I think this is more to do with the browsers than the creators of the extensions, but maybe pushing for some kind of additional verification would be in order (though looking at the play store and all, very unlikely).
Hoping the 1P team has a great insight in this!
Btw, very nice to meet a fellow long-time user :)
- andrewreeves (New Contributor)
That’s pretty concerning! Browser security gaps like this are scary; hopefully 1Password can add protections to prevent extension tampering.
- Dunecat (Dedicated Contributor)
Big yikes. Also interested to hear how AgileBits can harden 1P against this type of attack.