{"id":50652,"date":"2026-01-07T15:43:38","date_gmt":"2026-01-07T20:43:38","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=50652"},"modified":"2026-01-22T16:52:52","modified_gmt":"2026-01-22T21:52:52","slug":"1password-browser-extension-code-injection","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2026\/01\/07\/1password-browser-extension-code-injection\/","title":{"rendered":"1Password Browser Extension Code Injection"},"content":{"rendered":"

Claudio Wunder<\/a> (Hacker<\/a> News<\/a>):<\/p>\n

\n

Any Engineer at @1Password here? Your Chrome Extension seems to recently started breaking HTML from certain pages. For example, the Node.js website<\/a> code snippets break when 1Password Extension is enabled.<\/p>\n<\/blockquote>\n\n

Evan You<\/a>:<\/p>\n

\n

1Password browser extension is injecting Prism.js<\/tt> globally<\/em> on every page, which then applies its syntax highlighting logic on all <code><\/code> blocks matching [lang=*]<\/code> regardless of whether it’s meant to be compatible, thus breaking original highlighting.<\/p>\n<\/blockquote>\n\n

As I’ve said, I dislike this whole architecture where you need a browser extension that can read and write to the page in order to enter your password. I would hope that as little code as possible is injected and that it’s all been vetted by 1Password, not just pulled down as a dependency.<\/p>\n\n

1Password<\/a>:<\/p>\n

\n

We’re aware of an issue in recent versions of the 1Password browser extension that can interfere with syntax highlighting on some pages.<\/p>\n

The team is actively working on a fix. We don’t have a timeline to share yet, but keeping the extension up to date will ensure you receive it once it’s available.<\/p>\n<\/blockquote>\n\n

Robert Menke<\/a>:<\/p>\n

\n

Sorry this bug slipped through our release process. I just raised this issue again in our internal Slack. We are working on getting a fix out.<\/p>\n

[…]<\/p>\n

The fix has already been merged into our main branch. We’ll be putting out a release with just this fix. I’m hoping to have it submitted to the browser extension stores today [December 30].<\/p>\n<\/blockquote>\n\n

It’s unclear to me whether this is fixed. The latest Mac version<\/a> still seems to be 8.11.22 from December 9. When I go to the page for the browser extension<\/a> and click “what’s new” it takes me here<\/a>, which is a release from December 30 that talks about passkeys and then says only:<\/p>\n

We’ve made general improvements and fixed various bugs for a better 1Password experience.<\/p><\/blockquote>\n\n

I don’t see anything on the announcements page<\/a> or Twitter<\/a>.<\/p>\n\n

Christina Warren<\/a>:<\/p>\n

\n

I’m glad @1Password is taking this seriously now. But this issue was reported on their community forum<\/a> and to their engineers weeks ago in beta and was not prioritized as a fix until it went viral here. Every company is guilty of this kind of triage, but this is a process failure as much as it is a testing one.<\/p>\n<\/blockquote>\n\n

sheng<\/a>:<\/p>\n

\n

really hoping to read a postmortem on this one<\/p>\n<\/blockquote>\n\n

Previously:<\/p>\n