dragon1
1 month ago
Dedicated Contributor
Security issue or 'feature': Browser extension auto login into management console
Hi there,
I found out that when you use the 1PW browser extension and go to Settings > Integrations > Manage Integrations > Manage, it automatically logs you into your web vault's management interface (without any additional password and without entering any credentials, even when all browser cookies were deleted beforehand).
At this point the extension must send the encryption key to the JS that was supplied by the server. (Isn't this an RCE vulnerability on the client side?)
And overall this is kind of a big security issue from my point of view, because you directly get access to every management part of your whole account (even the other members section and so on).
Why not close this big hole and make it an option, or put a password prompt there?
5 Replies
Replies have been turned off for this discussion
- 1P_Dave
Moderator
Please see my responses in this thread regarding Travel Mode and what it can (and can't) protect against: Travel Mode - Security Key (and saved within iOS/macOS iCloud Account?! | 1Password Community
I've closed this thread as a duplicate.
-Dave
- dragon1
Dedicated Contributor
Hope to get some more feedback here.
Edit:
Especially for all those users who are using the travel mode - see the closed topic here: The travel mode is kind of useless, as everyone looking at your travel mode also has full access to your account.
- 1P_Dave
Moderator
Hello dragon1! 👋
Thanks for taking the time to share your concerns, I appreciate you looking closely at how this works. What you’re seeing is an intended feature, not a security vulnerability. The 1Password browser extension can sign you into 1Password.com because you’ve already authenticated and unlocked the extension. This reduces friction while maintaining the same underlying security guarantees.
A few clarifications:
- The extension must already be unlocked, which requires successful authentication (with both your account password and Secret Key) and unlock (with your account password, biometrics, etc.).
- Communication between the extension and 1Password.com uses secure, well-defined mechanisms.
- This is not remote code execution (RCE); no untrusted code is executed locally.
- The web session is derived from your already-authenticated extension session, it does not bypass authentication.
If someone can unlock your 1Password extension, they already have full access to your account. Automatically signing you into 1Password.com doesn’t grant any additional access; it simply reuses the existing authenticated session in that browser.
-Dave
- dragon1
Dedicated Contributor
How could this be the solution??
Please respond concerning the high security issue with travel vaults. They're completely useless if everyone with access can just access the other vaults?!
I really don't get why you say that there is any benefit in using travel vaults. More or less everyone expects that they are secured and only their travel vault is visible to 3rd-party people - this is not true!
- dragon1
Dedicated Contributor
Thanks for your feedback. But why not put a password in front of it? When clicking on the 1Password vault there, it also asks for my password. Why make a difference if it is 'secure'?