
Is 1Password really secure?

Is 1Password really secure? 1Password is a distinctive password manager that supports most web browsers. It offers anti-phishing protection and password management, and can automatically generate strong passwords. All confidential data, including passwords, identity cards and credit cards, is stored in a secure place. An overseas security researcher found that its process transmits data directly over a socket via 127.0.0.1.

TL;DR: 1Password sends your password in clear text across the loopback interface if you use the browser extensions.

Note: Running Mac OSX 10.11.3, 1Password Mac Store 6.0.1, Extension Version 4.5.3.90 (Chrome)

Last night I spent some time actually reviewing what was running on my system and what ports things were listening on when I saw that 1Password was listening on multiple ports on the loopback interface.

mango:~ ross$ lsof -n -iTCP
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
2BUA8C4S2 631 ross 12u IPv4 0x507c280b7bcfe03d 0t0 TCP 127.0.0.1:6258 (LISTEN)
2BUA8C4S2 631 ross 13u IPv6 0x507c280b75c30955 0t0 TCP [::1]:6258 (LISTEN)
2BUA8C4S2 631 ross 14u IPv4 0x507c280b7bcfd735 0t0 TCP 127.0.0.1:6263 (LISTEN)
2BUA8C4S2 631 ross 15u IPv6 0x507c280b75c2e3b5 0t0 TCP [::1]:6263 (LISTEN)
2BUA8C4S2 631 ross 18u IPv4 0x507c280b7fd6603d 0t0 TCP 127.0.0.1:6263->127.0.0.1:49303 (ESTABLISHED)
2BUA8C4S2 631 ross 25u IPv4 0x507c280b9e36b24d 0t0 TCP 127.0.0.1:6263->127.0.0.1:56141 (ESTABLISHED)
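The review the author did by hand with lsof, written up as an added audit script (not code from the original post or from AgileBits): it parses `lsof -n -iTCP` output, lists every process that has sockets listening on the loopback interface, and counts the local clients connected to each. The sample listing is constructed from the lsof output quoted above.

```python
import re

# Sample listing constructed from the `lsof -n -iTCP` output quoted in the post.
SAMPLE_LSOF = """\
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
2BUA8C4S2 631 ross 12u IPv4 0x507c280b7bcfe03d 0t0 TCP 127.0.0.1:6258 (LISTEN)
2BUA8C4S2 631 ross 13u IPv6 0x507c280b75c30955 0t0 TCP [::1]:6258 (LISTEN)
2BUA8C4S2 631 ross 14u IPv4 0x507c280b7bcfd735 0t0 TCP 127.0.0.1:6263 (LISTEN)
2BUA8C4S2 631 ross 15u IPv6 0x507c280b75c2e3b5 0t0 TCP [::1]:6263 (LISTEN)
2BUA8C4S2 631 ross 18u IPv4 0x507c280b7fd6603d 0t0 TCP 127.0.0.1:6263->127.0.0.1:49303 (ESTABLISHED)
2BUA8C4S2 631 ross 25u IPv4 0x507c280b9e36b24d 0t0 TCP 127.0.0.1:6263->127.0.0.1:56141 (ESTABLISHED)
"""

LOOPBACK_HOSTS = {"127.0.0.1", "[::1]", "localhost"}
# NAME column: local:port, optional ->remote:port, optional " (STATE)"
NAME_RE = re.compile(r"^(?P<lhost>\S+?):(?P<lport>\d+)"
                     r"(?:->(?P<rhost>\S+?):(?P<rport>\d+))?"
                     r"(?: \((?P<state>[A-Z_]+)\))?$")

def parse_lsof(text):
    """Turn `lsof -n -iTCP` output into a list of socket records (header skipped)."""
    records = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 8)      # NAME may contain a space before "(STATE)"
        if len(parts) < 9:
            continue
        m = NAME_RE.match(parts[8])
        if not m:
            continue
        records.append({"command": parts[0], "pid": int(parts[1]), "user": parts[2],
                        "proto": parts[4], "lhost": m["lhost"], "lport": int(m["lport"]),
                        "rhost": m["rhost"], "state": m["state"]})
    return records

def loopback_listeners(records):
    """Map pid -> (command, sorted listening ports) for sockets bound to loopback."""
    found = {}
    for r in records:
        if r["state"] == "LISTEN" and r["lhost"] in LOOPBACK_HOSTS:
            cmd, ports = found.setdefault(r["pid"], (r["command"], set()))
            ports.add(r["lport"])
    return {pid: (cmd, sorted(ports)) for pid, (cmd, ports) in found.items()}

def loopback_peers(records, pid):
    """Count established loopback-to-loopback connections served by a given pid."""
    return sum(1 for r in records if r["pid"] == pid and r["state"] == "ESTABLISHED"
               and r["lhost"] in LOOPBACK_HOSTS and r["rhost"] in LOOPBACK_HOSTS)

if __name__ == "__main__":
    recs = parse_lsof(SAMPLE_LSOF)
    for pid, (cmd, ports) in loopback_listeners(recs).items():
        print(f"{cmd} (pid {pid}) listens on loopback ports {ports}, "
              f"{loopback_peers(recs, pid)} established local client(s)")
```

Run it on live output with `lsof -n -iTCP | python3 audit.py` after swapping SAMPLE_LSOF for `sys.stdin.read()`; any process listed is a local IPC channel worth checking for encryption and authentication.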

This got me curious, as I wasn’t running any server feature (the Wi-Fi server feature) or anything like it, so I decided to sniff the traffic and use 1Password to see if anything happened.

tcpdump -i lo0 -s 65535 -w info.pcap

Once I had a bit of data, I imported it into Wireshark and saw the following stream.


If you follow that stream you can see the following in clear text if you fill a website username/login field with 1Password.

~..{"action":"executeFillScript","payload":{"script":[["click_on_opid","__1"],["fill_by_opid","__1","<username>"],["click_on_opid","__2"],["fill_by_opid","__2","<password>"]],"nakedDomains":["ycombinator.com"],"documentUUID":"9983220DB43B058611F22F8542E8D72C","autosubmit":{"focusOpid":"__2","helper-capable-of-press-enter-key":true,"submit":true},"properties":{},"fillContextIdentifier":"{"itemUUID":"D21FD2D7D188424CA2FDDB137F59AFCE","profileUUID":"FF2D2B2B4B904F28A4B891EE35B9903E","uuid":"BD67065A938647C3AE7108F6C11032B9"}","options":{"animate":true},"savedUrl":"https://news.ycombinator.com/x?fnid=xxxxxxxxxxx","url":"https://news.ycombinator.com/x?fnid=xxxxxxxxxxx"},"version":"01"}

So it appears 1Password is sending data to the browser extensions over the loopback interface in clear text and not only passwords but credit card data as well if you use it for checkout forms. If anyone is sniffing your loopback they can get any data passing between the two. I haven’t dug into it much more than that as things are a bit hectic.

I also looked at Dashlane and how they did this type of communication and everything was encrypted. I have not checked out Safe-in-Cloud or Enpass.

Note: I reached out to agilebits via their email, they didn’t have a security email but they have a standard support email [email protected], which tells you that you can email [email protected] for urgent issues. I emailed both not too long ago and would call them but they hide their whois info and don’t provide it on their website. They really really really want you to use their support forum.

Since this deals with people’s passwords, is a local-to-the-device issue and is so easy to do, I thought quick disclosure would be a good idea so people can decide whether or not to disable the browser extensions.

Update (3/2/2016 11:39 pm MST): I’d like to add a note. I’m not saying don’t use 1Password and I’m not saying this is a massive security issue. I was simply telling people so they knew. I’m a bit surprised about some of the 1Password responses about how this was already known.

From 1Password’s own website:

“The connection between 1Password mini and the browser extension is authenticated and secure.”

You can read further on their link here, where they do put caveats and say that if someone has root on the system they basically can’t protect you. Which is true, but I feel they should make it a little harder than tcpdumping out the loopback interface. They feel whatever they do can just be undone by an attacker; I think maybe something is better than nothing.

I think it has been a good discussion on both sides. I have learned to be a lot more clear and include a lot more details in the future. The 1Password team seems like a great group of people.

Side note: Dumped out Safeincloud’s stuff; it looks like they encrypt or obfuscate the fields.
