Forum Discussion
1Password Extension Hijack
Thank you for sharing, DreClark69!
Although, in my case, there are enough red flags that would raise my suspicion and cause me to pause (i.e., the request for the secret key and position of the fake 1P extension icon), there is no doubt that an exploit like this would have a high degree of success.
But as Tom indicated, User awareness of what you are downloading and installing is key! Yes, I have an Antivirus software but I still take precautions and am careful with what I download and install, because no software is perfect. In the end, if you choose to install malware/untrusted software, then it is purely on you.
2. Can an enhancement be made to prevent another extension from disabling the 1Password extension?
This, too, reminds me of some Antivirus software that do not allow you to simply shutdown the software. That is, you have to physically uninstall it and/or provide a shutdown password. If something like this were possible with browser extensions, then it would definitely help.
In the end, if you choose to install malware/untrusted software, then it is purely on you.
In the case of browser extensions hosted in a "store" and automatically updated (as they should be), there have been and will be cases of publishers selling their extension to a party which later intentionally adds malware or effectively repurposes the extension, and the automated scanning by the store fails to detect the change. There are various more innocent scenarios with similar results.
Ultimately the user is trusting the browser developer and packager/distributor, the extension "store" provider, and each of the current and future extension publishers. Practical mitigation options include configuring and turning off extensions until needed, along with using combinations of browsers, browser profiles, and Incognito/Private/etc. sessions suitable for each use case - all at increasing cost with complexity.
