This is the takeaway from this disclosure. Everyone using op should create a service account and expose only the secrets that need access via the CLI. That greatly decreases the attack surface.

And makes it invisible if you’re compromised in a supply chain attack.

The flip side would be, you install your dependencies, and one tries to run `op …` and you get a 1Password popup on your screen, which should surprise you because you didn’t run `op` yet. Supply chain attack mitigated (maybe).

With a service account there is no prompt and your secrets, though now more limited in scope, are exfiltrated successfully and silently.
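One way to keep the "surprise prompt" signal from the comment above even when a service account (and therefore no 1Password popup) is in use, as an added example that is not from this thread or from 1Password: a small guard script installed ahead of the real `op` binary on `PATH`. It logs every invocation with its parent process, lets interactive (TTY) calls through, and refuses non-interactive calls unless the parent command is on an allowlist. The path of the renamed real binary (`OP_REAL`), the log location and the allowlist variable are all assumptions of this example, and a dependency that calls the binary by its full path bypasses the guard, so it is a visibility aid rather than a boundary.

```shell
#!/bin/sh
# Added example (not 1Password's code): a guard that sits in front of the real
# `op` binary. Install as /usr/local/bin/op after renaming the real binary to
# the path in OP_REAL (assumed default below).

OP_REAL=${OP_REAL:-/usr/local/bin/op.real}     # assumed: where the real CLI was moved
OP_GUARD_LOG=${OP_GUARD_LOG:-$HOME/.op-guard.log}
OP_GUARD_ALLOW=${OP_GUARD_ALLOW:-}             # assumed: colon-separated parent commands allowed non-interactively

# Command name of a process (defaults to our parent), e.g. "npm", "make", "zsh".
parent_cmd() {
  ps -o comm= -p "${1:-$PPID}" 2>/dev/null | tr -d ' '
}

# allowed_noninteractive NAME ALLOWLIST -> 0 if NAME appears in the colon-separated list.
allowed_noninteractive() {
  case ":$2:" in
    *":$1:"*) return 0 ;;
  esac
  return 1
}

# guard_decision INTERACTIVE(0|1) PARENT ALLOWLIST -> prints "allow" or "deny",
# exit status 0 for allow and 1 for deny. Pure function so it can be tested.
guard_decision() {
  if [ "$1" = "1" ]; then
    echo allow; return 0
  fi
  if allowed_noninteractive "$2" "$3"; then
    echo allow; return 0
  fi
  echo deny; return 1
}

main() {
  if [ -t 0 ] && [ -t 1 ]; then interactive=1; else interactive=0; fi
  parent=$(parent_cmd)
  # Record who called op, from where, and whether a service-account token was present
  # (OP_SERVICE_ACCOUNT_TOKEN is the variable the CLI reads for service-account auth).
  sa_token_set=0; [ -n "${OP_SERVICE_ACCOUNT_TOKEN:-}" ] && sa_token_set=1
  printf '%s pid=%s parent=%s interactive=%s sa_token=%s args=%s\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$$" "$parent" "$interactive" "$sa_token_set" "$*" \
    >> "$OP_GUARD_LOG"
  if guard_decision "$interactive" "$parent" "$OP_GUARD_ALLOW" >/dev/null; then
    [ -x "$OP_REAL" ] || { echo "op-guard: real binary not found at $OP_REAL" >&2; exit 127; }
    exec "$OP_REAL" "$@"
  fi
  echo "op-guard: refusing non-interactive 'op' call from '$parent'; see $OP_GUARD_LOG" >&2
  exit 126
}

# Dispatch only when executed as `op`; when sourced under another name the
# functions are defined but nothing runs, which is what the tests rely on.
case "$0" in
  */op|op) main "$@" ;;
esac
```

With `OP_GUARD_ALLOW=make:cargo`, a build invoked by hand still works, while a postinstall script under `npm` that calls `op` is refused and leaves a log line naming the parent, which is the surprise the comment above hopes for.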

Service accounts are definitely not the silver bullet. 1Password should just add more fine-grained permissions and prompting options to get closer to an ideal solution.

I agree with this. It would be nice if there was an option, per item in 1PW, that allowed a popup for access via the service account.