DEF CON 2024 Disclosure - NMH Binary manipulation through browser process impersonation

Published:

Summary

A communication channel used between browsers (including browser extensions) and desktop applications, known as Native Message Host (NMH), is susceptible to spoofing (impersonation) attacks by a malicious actor who has local access to a user’s device. This issue stems from limitations of Chromium-based browsers (for example, Chrome, Edge, and Brave, among others) and of the Firefox browser. It can’t be resolved because third-party desktop applications that communicate with browsers, including 1Password, are unable to detect whether a browser is being controlled by malware and therefore cannot verify the browser’s authenticity. No alternative or more secure technology is provided.

Who is affected

1Password 7 and 8 desktop applications utilize NMH to communicate with the 1Password browser extension for Chromium-based browsers and Firefox.

The reported issue is classified as a “local attack,” which means a malicious actor would need to gain access to an end user’s computer before they could exploit the issue. This would require malware, for example, to be installed on the user’s computer. The possibility of local attacks, such as malware, is a risk not just for password managers but for all software.

The 1Password browser extension and desktop apps use the most secure technology available, with the highest channel integrity. Users should consider the security and usability trade-offs when using the 1Password browser extension with the 1Password desktop application.

For macOS users who are concerned about this issue and the security of their device, 1Password has implemented product changes as of 8.10.38 (August 2024) that allow macOS users to turn off Connect with 1Password in the browser from the desktop app’s Settings, in the Browser tab. This version enables settings integrity and settings tamper detection features, including enforcing new secure defaults should settings be unintentionally reset; these secure defaults include setting Connect with 1Password in the browser to off.

Turning off this connection will impact the user experience and usability of the 1Password browser extension. Biometric unlock for the browser will be disabled, requiring users to type their password manually into the browser, which could be a security risk. Users will also lose the ability to keep the extension unlocked when the browser quits.

Due to platform security feature limitations, a similar option is not currently available on Windows and Linux. We are actively working on additional protections, across all supported platforms, to make sure that a malicious actor cannot re-enable the connection by tampering once a user has turned it off.

If you are a 1Password customer with questions about your deployment, contact security@1password.com.

Impact and Exploitability

Chromium-based browsers and Firefox are susceptible to impersonation attacks through the Native Messaging component, which allows the security checks performed by an existing NMH binary to be bypassed. No integrity checks exist to make sure that the helper process is talking to a particular browser extension inside the browser. A malicious actor would need to gain access to an end user’s computer and run malicious software on it, specifically targeting both the affected browser and the 1Password desktop app.

Commentary

Robinhood’s Red Team initially disclosed this issue to us as part of their independent research specific to local attacks on 1Password 8 for Mac. It was reported as “Browser Support getppid Bypass”; this naming is based on the specifics of the researchers' exploit method on macOS. 1Password security and development teams determined that the underlying root cause of the issue was the NMH technology used in communications between browsers and desktop applications. How this issue is exploited will vary based on the operating system, so we adjusted the naming to reflect its potential impact better.

We want to do everything we can to protect data from local threats. On our blog, we discussed what we can and can’t do locally on devices. Unfortunately, this is an example of a local threat that we cannot do anything about today. We will continue to be vigilant about protecting our apps and users against this style of attack, and will look for future enhancements to improve on this feature.

Thank you to Robinhood’s Red Team for responsibly disclosing this issue to us and allowing us to protect our users. For more information about the Robinhood Red Team’s findings, refer to our blog.