Not a dev on either product, but I use 1Password for my personal accounts, and a corporate LastPass for my work accounts. I do not believe that 1Password is as immediately vulnerable as LastPass.
LastPass (on Chrome) will auto-fill information on a detected site, which a malicious site can read immediately.
1Password (on Chromium nightly) requires me to hit the 1Password Mini button and select a site/account to log in with. If 1Password had a similar vulnerability, a malicious site as described would merely wind up showing me accounts for the wrong site in the dropdown. Clicking one could wind up submitting/leaking my credentials to the attacker, though.
It does have an "open and fill" feature which autofills, but only immediately after opening the site by URL first. (So the attacker's URL would have to be saved in 1Password alongside your credentials.)
This is actually how I use 1Password most often. Global hotkey of cmd+opt+\, type a site name, hit enter: 1Password opens the site and logs in.
Why not take a look at the code injected by 1Password's browser extension and find out for yourself whether it handles URLs safely? That shouldn't be hard to do, and it's a lot healthier for the community than discouraging devs to participate by taking their presence as an opportunity for drive-by pot shots.
I'm sorry, but I don't see how asking an employee of the company that makes the product that I use every day is "discouraging devs to participate by taking their presence as an opportunity for drive-by pot shots".
I think an official word holds more clout and is more valuable than any one person confirming for themselves in one version of one browser on one version of one OS.
I did speak rather harshly in my prior comment, and for that I apologize. Worse, I did a very poor job of expressing the concern that motivated me to respond. But I think it's still fair to ask whether your initial comment has value.
I understand that, as a user of 1Password's browser extension(s), you may well feel some concern that a similar vulnerability exists, and I don't think it's unreasonable to want reassurance on that score.
But I think your phrasing and framing of the question feels a lot more like a "gotcha" than anything else, and it's that feeling which motivated my prior comment - I'm not an AgileBits dev myself, but if I were, I'd feel strongly inclined to shy away from that question rather than trying to frame an answer that doesn't leave me open to a potentially hostile followup.
Update: Here's the response from earlier this morning:
> Thank you for taking the time to write to us here at AgileBits. The current version of the 1Password extension does not use regex to parse URLs for this exact reason. We don't autofill either, which also helps avoid issues like the one you mentioned.
FWIW, his question did not sound at all like that to me. Your reaction feels like unfair personal bias. Not trying to start a fight, but you seem open-minded enough to hear it, so I figured I'd let you know.
Not at all. But I would be interested to hear what sort of bias you saw in my prior comment. I mean, I don't think you're wrong, but beyond the downvotes, I only have my own perspective to go on here, and I'd appreciate the benefit of having yours as well.
Not the poster you replied to, but there were 2 types of bias I saw:
1: Defensiveness. It seemed more like an honest question than a pot shot. You seemed to read into it something like "Aha! How about your software fool!?!"
That said, if it were a reporter asking the question, then I would see it as a gotcha, because the word "confirm" is sometimes used as a setup.
2: Tech bias. Not everyone on here is a dev, and even though I know a fair bit about programming, it would not be a trivial task to do what is simple for you regarding checking out code injections and what they do from a security standpoint. That would probably be a long afternoon of googling for me :)
Sure. I took the original question at face value: it was a user who was concerned and wanted reassurance. IMO, it's a big leap to read it instead as a setup for a hostile "gotcha" style followup. I mean, is it possible? Sure. But there's no evidence for that interpretation. And to take a stats view, the Bayesian priors aren't there (i.e., most people aren't conniving snakes). Given that, it seemed to me that you were bringing your own kind of evidence to the table -- perhaps a personal experience in which you'd been similarly set up and mistreated.
Also, just because we're on Hacker News, it doesn't mean every reader is equipped to audit code for security vulnerabilities.
Presumably that's the job of a professional security developer that might reasonably be expected to have checked their own similar product for this vulnerability...
Fair. I would, though, expect someone whose HN profile identifies him as an experienced full-stack engineer to be up to the challenge of spotting something as basic as an extension injecting code into untrusted DOM and trusting the results that code gives back.
See this pastebin[1] for the function I believe is determining the URL of the active tab and whether it has a valid hostname.
There's also this one[2] that seems to be extracting the hostname of a given URL, also using the URL API[0].
Both these pastebins contain minimized code that I've cleaned up.
0: https://developer.mozilla.org/en-US/docs/Web/API/URL
1: http://pastebin.com/tWns7XmG
2: http://pastebin.com/PXS1iqsq
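As an added example (not code from the thread, from 1Password or from LastPass), the following contrasts a constructed naive regex hostname extractor with the WHATWG URL API the comment above refers to, and shows a hypothetical fill decision that compares hostnames exactly. The regex and the sample URLs are constructed for illustration only.

```javascript
// Added example: why a fill decision should derive the hostname from the
// URL API rather than a hand-written regex. hostnameByRegex is a constructed
// naive parser, not code from either password manager.

// Naive regex: grab everything between "://" and the next "/" or ":".
// Looks plausible, but it is not a URL parser.
function hostnameByRegex(rawUrl) {
  const m = /^[a-z]+:\/\/([^\/:]+)/i.exec(rawUrl);
  return m ? m[1].toLowerCase() : null;
}

// WHATWG URL API: the browser's own parser, which handles userinfo,
// ports and IPv6 literals the same way the address bar does.
function hostnameByUrlApi(rawUrl) {
  try {
    return new URL(rawUrl).hostname;
  } catch (e) {
    return null; // not a valid absolute URL
  }
}

// Hypothetical fill decision: only fill when the active tab's hostname
// exactly equals the hostname saved alongside the credential.
function shouldFill(activeTabUrl, savedSiteUrl) {
  const tab = hostnameByUrlApi(activeTabUrl);
  const saved = hostnameByUrlApi(savedSiteUrl);
  return tab !== null && saved !== null && tab === saved;
}

// Constructed sample URLs. The second carries a userinfo component
// ("accounts.example.com@"), which the regex swallows into its "host"
// while the URL API reports the real host; the third is an IPv6 literal
// with a port, which the regex truncates at the first colon.
const SAMPLES = [
  "https://accounts.example.com/login",
  "https://accounts.example.com@other-site.invalid/login",
  "https://[2001:db8::1]:8443/",
  "not a url",
];

// Returns one row per sample so the two parsers can be compared side by side.
function compareParsers() {
  return SAMPLES.map((u) => ({
    url: u,
    regex: hostnameByRegex(u),
    api: hostnameByUrlApi(u),
  }));
}
```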