Wednesday, March 2, 2016

1Password’s Cleartext IPC

Ross Hosman:

So it appears 1Password is sending data to the browser extensions over the loopback interface in clear text, and not only passwords but credit card data as well if you use it for checkout forms. If anyone is sniffing your loopback, they can get any data passing between the two.

nbadg:

They’ve made a risk/benefit analysis decision on handling IPC that it’s too difficult to secure, and that effectively any security for the IPC to browser would be 1) functionally meaningless to a targeted attack, like obfuscation, or 2) present undue burden to the people using the software. I’ll +1 their analysis (they also have several blog posts on the topic); makes sense to me. “Once an attacker has broken into your computer, it is no longer your computer.”

Jeffrey Goldberg:

Officially our view is “if a malicious process with user privileges is running on the user’s machine when they use 1Password, there is little we can do”.

But sometimes we try to do better. The example I raise is the steps we take to make things harder for keystroke loggers. We won’t go to extraordinary measures to enter a battle that we can’t win, but when there are simple things that we can do to make things harder for malware, we will.

Ross Hosman:

The reason I wrote this up is not to make people think “oh my god, the world is ending” but to let them know: hey, if you are using the browser extension, there are clear text passwords being sent over the loopback; if you don’t like that, then don’t use their extensions.

You have made very well informed arguments about how hard it is to protect against someone who has access to your machine, specifically elevated access. But the argument to me seems kind of like “well, it’s hard to protect against them, so we just decided to not do anything at all.” It seems like one other password manager company did something, so why wouldn’t you?

pfg:

You can’t read loopback as a normal user. If you have root, you don’t need to read unencrypted loopback traffic to get the passwords - just use a key logger.
