I have voluntarily reviewed the files that could potentially contain backdoors or security issues.
#1
My methodology was to compare my own local 1Password extension files, which I originally downloaded from the 1Password website maybe more than a year ago, with the files in this repo and inspect the diff for any harmful things.
Here is my report:
injected.min.js - no diff other than a new line removed at the end of the file
global.min.js - same as above
ext/sjcl.js - same as above
manifest.json - the extension key and update_url have been modified.
update_url old value -> https://cdn.agilebits.com/dist/1P/ext/autoupdate_chrome4.xml
update_url new value -> https://clients2.google.com/service/update2/crx
The new update_url belongs to Google.
This might be a potential security issue if you don't trust the author about future updates, because the extension could get automatically updated - potentially with bad code from Google's Chrome store - by the owner of the private keys of this modified extension.
Solution: remove key and update_url from the manifest so that you disassociate the extension from the author's private key.
Otherwise it looks safe, like the original one, with no weird changes.
It's still broken at this point.
I kind of wonder if it's possible to fix this on the browser extension side. It might be possible that the latest version of the 1Password 7 desktop app contains code that denies communication with the browser extension. I have gone a bit through the code and it seems to me that it's trying to connect to the desktop app and fails with no reason provided by 1Password.
If someone has older desktop version they might try.
I might migrate from 1Password to Enpass though.
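The manifest check described in the report, written up as an added example (this is not code from the issue author or from the repository). It loads two manifests, reports which top-level fields differ, flags the two fields that decide who can push updates to an installed extension (`key` and `update_url`, which are real Chrome extension manifest fields), and applies the suggested fix of dropping them. The two sample manifests are constructed inline; only the two update_url values are taken from the report above, the key values are placeholders.

```python
import json

# Constructed sample manifests, not the repository's real files. The two
# update_url values are the ones quoted in the issue; the key values are
# placeholders standing in for the real base64 public keys.
ORIGINAL_MANIFEST = json.dumps({
    "name": "1Password",
    "manifest_version": 2,
    "key": "ORIGINAL-KEY-PLACEHOLDER",
    "update_url": "https://cdn.agilebits.com/dist/1P/ext/autoupdate_chrome4.xml",
    "permissions": ["tabs", "storage"],
})
FORKED_MANIFEST = json.dumps({
    "name": "1Password",
    "manifest_version": 2,
    "key": "FORK-KEY-PLACEHOLDER",
    "update_url": "https://clients2.google.com/service/update2/crx",
    "permissions": ["tabs", "storage"],
})

# Fields that tie an installed extension to a signing key and an update feed.
# Whoever holds the matching private key can ship a new version through that feed.
UPDATE_CONTROL_FIELDS = ("key", "update_url")


def diff_manifests(original_text, forked_text):
    """Return {field: (old_value, new_value)} for every top-level field that differs."""
    old = json.loads(original_text)
    new = json.loads(forked_text)
    changed = {}
    for field in sorted(set(old) | set(new)):
        if old.get(field) != new.get(field):
            changed[field] = (old.get(field), new.get(field))
    return changed


def update_control_changes(original_text, forked_text):
    """Subset of the diff touching the fields that decide who can auto-update the extension."""
    changes = diff_manifests(original_text, forked_text)
    return {f: v for f, v in changes.items() if f in UPDATE_CONTROL_FIELDS}


def has_update_control(manifest_text):
    """True if the manifest still carries a key or update_url."""
    manifest = json.loads(manifest_text)
    return any(f in manifest for f in UPDATE_CONTROL_FIELDS)


def strip_update_control(manifest_text):
    """Apply the report's suggested fix: drop key and update_url so the unpacked
    extension is no longer associated with the fork author's key or update feed."""
    manifest = json.loads(manifest_text)
    for field in UPDATE_CONTROL_FIELDS:
        manifest.pop(field, None)
    return json.dumps(manifest, indent=2)


if __name__ == "__main__":
    for field, (old, new) in update_control_changes(ORIGINAL_MANIFEST, FORKED_MANIFEST).items():
        print(f"{field}: {old!r} -> {new!r}")
    cleaned = strip_update_control(FORKED_MANIFEST)
    print("cleaned manifest still auto-updatable:", has_update_control(cleaned))
```

Run against the real pair of manifest files by reading them with `open(...).read()` in place of the constructed strings; the script only compares top-level fields, which is enough to spot the key and update_url change the report describes but will not show changes nested inside objects such as `content_scripts`.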