1Password Extension Hijack

Yup, watched that YT video on this as well. I can't help to think that this is just sneaky enough to fool even experienced users. While I don't think I've seen this before with 1P, new versions of other extensions do sometimes force a clearing of cached credentials, logout, and prompt you enter them again.

I don't use Chromium-based browsers, but many do. We shouldn't be so quick to dismiss as to "Not 1P's problem" though. The browser plug-in ecosystem is where 1P lives --- that's where it's useful, and without that, I probably wouldn't be a subscriber. If there are adjacent risks, or threats within that same system, it would be foolhardy to not at least investigate and remediate. And maybe 1P has already looked into it -- and would be interested as well to hear what's being done.

Thank you for sharing, DreClark69!

Although, in my case, there are enough red flags that would raise my suspicion and cause me to pause (i.e., the request for the secret key and position of the fake 1P extension icon), there is no doubt that an exploit like this would have a high degree of success.

But as Tom indicated, User awareness of what you are downloading and installing is key!  Yes, I have an Antivirus software but I still take precautions and am careful with what I download and install, because no software is perfect.  In the end, if you choose to install malware/untrusted software, then it is purely on you.

2. Can an enhancement be made to prevent another extension from disabling the 1Password extension?

This, too, reminds me of some Antivirus software that do not allow you to simply shutdown the software.  That is, you have to physically uninstall it and/or provide a shutdown password.  If something like this were possible with browser extensions, then it would definitely help.

SquareX's article, Polymorphic Extensions: The Sneaky Extension That Can Impersonate Any Browser Extension  goes into some detail and includes their video demonstration.

An important factor to consider in this case is that this is a clever and pernicious example of the consequences of a user installing malware on their computer, not an exploit of a vulnerability in the 1Password plugin, application, browser, or platform.

Browser plugins currently are a ripe area for exploitation of probably the largest and most important software platform, and protections are severely limited - usually to users exercising good judgement (and even then with imperfect ongoing results).

Assuming this would be possible (which I can't think of 'why not' - since there are tons of extensions that are unverified or broken for years) - I would be very concerned with ever being asked for my secret key. Given though, people might indeed just do this, so some kind of user awareness is key.

I'm actually never unlocking via the extension, I always unlock the app (thus unlocking the extensions) but I can see that not being too common.

While I see (and share) your concern I think this is more to do with the browsers than the creators of the extensions, but maybe pushing for some kind of additional verification would be in order (though looking at the play store and all, very unlikely).

Hoping the 1P team has a great insight in this!

Btw, very nice to meet a fellow long-time user :)

That’s pretty concerning! Browser security gaps like this are scary hopefully, 1Password can add protections to prevent extension tampering.

Big yikes. Also interested to hear how AgileBits can harden 1P against this type of attack.