This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.

FF/Safari Browser plug-in exposure?

This has probably come up before, so my apologies if I'm being repetitious. When I visit a web site that has a user/password field and I click the 1P button on Firefox or Safari, the plugin will immediately tell me whether or not I have a password saved for the site - even if I'm not signed into 1Password! In the Chrome plugin, I am asked to provide my 1Password master password, even if there are no passwords saved for the site.



I believe the fact that the FF and Safari plugins are telling a non-authenticated user that there IS or ISN'T a password for a particular site is an exposure. This reveals to a potential hacker that they should target a site, since that 1P user DOES have a presence there. For example, if a hacker gets ahold of my laptop, visits Acme Bank & Trust, punches the 1P button and sees that I have a signon there, he now knows that I most likely have an account at Acme and that he should target that site. With the Chrome plugin, the only way Mr. Hacker knows I have a signon there is if he already knows my 1Password master PW, and the exposure there is obvious...



Is there any plan to modify the FF and/or Safari plugins to behave more like the one for Chrome?



thanks...

Comments

  • Ben
    Ben AWS Team
    This is a fair point, and we are working to sync the look and functionality of all of our browser plugins. That being said, if an attacker is able to get your computer, and log in to your OS X account, you probably have bigger concerns. ;) Physical and account security is still important, even with 1Password.
  • Heh. Good point, Ben. I guess I was thinking more about a casual walk-by, but I could engage auto-lock to fight that one.



    Thanks for the response. I hope the Chrome plugin is the model for your sync work...I prefer it to the plugins for the other browsers.
  • khad
    khad Social Choreographer
    This is the direction things are headed. You might also enjoy our recent "Looking Ahead in Security" blog post (http://blog.agilebits.com/2011/04/looking-ahead-in-security/) about changes to the data format which are directly related to your question.



    There are issues of privacy and there are issues of security. We take both seriously. Please let me know if you have any additional questions or concerns.