Cross-App Resource Access (XARA)

Comments

  • jasnw
    Community Member

    So, from what I read from Agilebits and on other Mac forums it's starting to sound like we are now safer picking long passwords that we can remember (0hitheresailorhowareyoutoday_9) and writing them down on a piece of paper than any approach that requires getting the information from one electronic source (1Password, cut-and-paste from a file, Keychain, internal browser password lists, etc) into a browser. If this issue isn't sorted out, and sorted out very clearly and openly, very soon people will stop buying apps like 1Password and will no longer trust the Apple Store.

  • kohls
    Community Member

    I'm quite distressed about all these security issues. I copied all my data from 1Password to a folder on my desktop which I plan to move to an encrypted disk. I deleted 1Password from all my devices except my MacBook Air and turned on File Vault. My 1Password Vault is now empty except for a login page I am using to generate passwords. I didn't just delete my logins; I removed the info in each field individually and hit save before I moved each item to the trash. I suppose I could have just moved everything to the trash as it was, but I noticed that I could still use the items in the trash to log in without restoring them, and I wasn't feeling secure about deleting them with all the info intact. I've changed all the passwords for sites with sensitive information and turned on two-step verification for everything where it was available. Apple is making me wait 2 more days (hope no one is out there buying out the store with my Apple ID), but after that, I hope my Apple ID will be safe - or at least safer. It seems that nothing is really safe these days!

  • danco
    Volunteer Moderator

    My own thinking is that I will no longer assume that an app from the App Store is safe, and I won't rely on good reviews from sources I trust. For any new apps (from the App Store or elsewhere) I will at present only get them when I know something of the developer's past history.

  • sandymc
    Community Member

    @khad

    Getting a user to install malicious software is required in both cases. 1Password itself does not run as admin in a normal user account.

    Yes, but assuming default settings, etc, one case requires an Admin password be entered, the other doesn't. Huge difference for the average user.

  • AGAlumB
    1Password Alumni

    That's a little disingenuous. An app that could replace 1Password would need to be privileged. And very sophisticated to escape detection. As I understand it, the WebSockets exploit can be done by an unprivileged app, which is what makes it so dangerous.

    @sandymc: Not at all. The OS X Keychain exploit allows any unprivileged app to create Keychain items with the target app's ID, which the target then inherits, allowing the malware to impersonate it.

    It looks like that Apple has NO fix at the moment. I'm worried have all my private info stored.

    @peterstampfli: Your private information is safer being encrypted with 1Password than without, as malware infecting your computer would be able to read any unencrypted data without any effort.

    I was just wondering whether the xara-leaks on iOS and OSX have any bad effects on the 1password app. Is the app in any way less safe because of this leak?

    @Friedrich: There haven't been any 'leaks' as one might see in a security breach of a web service, since your 1Password data is stored on your computer, not on a central server. And even if you do store your data in iCloud or Dropbox, these services do not have your Master Password to decrypt it. The XARA vulnerability requires you to install and run a malicious app on your computer, which would expose unencrypted information on your computer regardless of your use of 1Password.

    what are the next steps to prevent somebody stealing my authentication tokens, usernames and/or passwords?

    what possibly can i do to prevent this?

    @Bit_Hunter_2015: You can prevent this by not installing unknown apps from untrusted developers. Also, 1Password does not make use of authentication tokens. Usernames and passwords can only be stolen from the 1Password browser extension if you first (1) run malware which exploits this vulnerability, (2) restart 1Password mini (which gives the malware the opportunity to impersonate mini), and (3) save login information using the browser extension (which gives the malware access to the data before it is encrypted).

    "Specifically, keychain credentials for high-profile services (e.g. iCloud, Gmail, Google Drive, Facebook, Twitter, LinkedIn, etc.) and any web accounts in Google Chrome are completely exposed. ..."

    @WEB: While technically true (given all the requirements for the exploit are met -- installation, execution, etc.), it concerns me that less tech-savvy users may be misled by this phrasing to assume that this will happen spontaneously, when in fact the malware needs the user's help to allow any of this to take place.

    My own thinking is that I will no longer assume that an app from the App Store is safe, and I won't rely on good reviews from sources I trust. For any new apps (from the App Store or elsewhere) I will at present only get them when I know something of the developer's past history.

    @danco: Indeed, this will have a chilling effect for many of us when it comes to installing new apps for quite some time, even when Apple has a solution which prevents malicious apps from being approved or from impersonating others in OS X. But I have no doubt that Apple is on the case.

  • AGAlumB
    1Password Alumni
    edited June 2015

    TL;DR:

    Any app can be impersonated by malware on OS X, not just 1Password. However, since 1Password encrypts your data, malware cannot access it merely through impersonation (as it can with app data that is not encrypted); it also needs to spy on you to steal data as you access it (by communicating with the browser extension as "1Password mini"). So there are a number of layers to this which are needed to accomplish this exploit.

    *It's important to note the distinction between the Keychain which is part of OS X and the Agile Keychain format which 1Password uses.

    What you can do:

    Only install apps from trusted developers. If you don't install and run malicious code on your system, you're safe from these exploits.

  • sandymc
    Community Member

    @brenty

    The OS X Keychain exploit allows any unprivileged app to create Keychain items with the target app's ID, which the target then inherits, allowing the malware to impersonate it.

    Well, you may have access to unpublished information, but that is NOT a claim that the research paper makes. Keychain items (userid/passwords, etc) can be created by a malicious app that a "real" App might inherit (if it's badly written, and doesn't check for that). As a result, the malicious app (as creator) will have access to the item, and can read it. However there is no indication in the paper, or any mechanism that I'm aware of, that could allow the creation of a Keychain password to impersonate an app. Specifically, the described exploit in the paper is of obtaining a Facebook password. Keychain passwords play no role in application identity under OS X.

    Applications can be impersonated (in the sense of a malicious app obtaining access to their "sandbox", etc) via the "BID conflict" vulnerability described later in the paper, but that is unrelated to the Keychain problem. Fortunately, I would think that the BID conflict vulnerability would be less of an issue to 1Password as (I hope) 1Password is not reliant on the sandbox to maintain password security.

  • AGAlumB
    1Password Alumni
    edited June 2015

    Applications can be impersonated (in the sense of a malicious app obtaining access to their "sandbox", etc) via the "BID conflict" vulnerability described later in the paper, but that is unrelated to the Keychain problem. Fortunately, I would think that the BID conflict vulnerability would be less of an issue to 1Password as (I hope) 1Password is not reliant on the sandbox to maintain password security.

    @sandymc: Correct. My intention was to present the sections of the paper that addressed the specific questions of those in this thread, so there was — admittedly — a number of separate issues in close proximity. I'm sorry for any confusion I caused.

    @sandymc I think you're overstating the difference made by requiring an admin password to be entered. Most users that have access to this password will readily enter this without thinking twice, if presented with a familiar dialog box, which isn't all that hard to do for malware.

    @sindarina: This is a good point. I'll admit to doing this by rote myself at times... :unamused:

    Fortunately I've found that the longer I make my password the more time I have to think before my fingers decide for me. ;)

    @brenty Have you folks at Agile Bits actually seen proof of the malicious apps that the researchers supposedly submitted to the App Store, and got past the review process? The paper claims they did this, and then removed them to avoid endangering users, but seems rather light on the details beyond that. The 1P video example uses a fake app that seems very unlikely to be something that made it past the review, but maybe I missed something?

    (Un)fortunately we have. We've been in contact with the researchers, and as far as I can say, the research is legitimate. I do, however, feel that the presentation has been both confusing and misleading in a number of ways — although I don't believe this is intentional. Often those with a technical and/or academic background can overlook the way that the average person may interpret things they say. After all, this is not their target audience. And on the other hand, those in the media may not have the technical background to fully understand these findings, or when they do they may have similar blind spots to those in academia when it comes to presenting this information to the public at large.

  • Mel Stricker
    Community Member

    This may have already been answered, if so I apologize in advance. In the text above under 'What you can do'.

    It states that we are to keep the 1P Mini running because the exploit can take advantage at launch time. Does this mean I should not boot my machine since booting causes the mini launch?

  • hawkmoth
    Community Member
    edited June 2015

    I thought this article gave some rational comments, especially in light of the rather extreme things being said elsewhere in the public forums. It's clear, concise, and written in layman's terms.

    http://www.imore.com/xara-exploits-mac-iphone-and-ipad-and-what-you-need-know

  • danco
    Volunteer Moderator

    It has just occurred to me that malware that steals data is no danger until it gets a chance to upload that data to the attacker. Would a program like Little Snitch reveal and prevent such an attempt, or could the malware hitchhike on some legitimate process?

  • [Deleted User]
    Community Member

    I have questions for iOS operating system only.

    What is 1password mini? The mini part I mean.

    How can I turn off and/or not use the browser extension if I think it is not too much trouble?

    When you talk about extensions are we meaning anytime we use 1browser to log in or the new extension capability that allows me to open 1password through safari or are they basically the same?

  • AGAlumB
    1Password Alumni
    edited June 2015

    This may have already been answered, if so I apologize in advance. In the text above under 'What you can do'.
    It states that we are to keep the 1P Mini running because the exploit can take advantage at launch time. Does this mean I should not boot my machine since booting causes the mini launch?

    @Mel Stricker: No need to apologize! This is certainly a lot of information to wade through.

    That is a really good question! I'll admit that it hadn't crossed my mind to think of this this way, so I'm glad you brought it up.

    The important thing to take away from this statement (about keeping mini running) is that this will prevent the malware from impersonating mini at launch. Restarting isn't a concern, because once your Mac has been compromised you should not continue using it normally.

    So for example, if you for whatever reason open a strange app and quickly realize that it isn't what you'd expected, this should raise a red flag. At this point, if you've already got 1Password mini running, great! If mini is running, the malware cannot impersonate it; and if it cannot impersonate it, it cannot steal information from the browser extension even as you save logins with it. So no need to panic!

    However, at this point you do need to take steps to ensure that you get it cleaned out. After all, 1Password may not be compromised, but your system is. I suspect using some kind of 'cleaner' app to wipe out any traces of the malicious app from your system, but I cannot say for certain that will be sufficient so in this situation it would be best to consult Apple or an authorized reseller that does support. Ultimately it may be necessary to wipe the Mac and start over, but an expert will be best suited to make these kinds of determinations with it in front of them.

    Note: we always advise against using 'app cleaners' to delete 1Password, as this may delete your vault as well; but when it comes to anything malicious, we're happy to have a tool that obliterates all traces. ;)

  • AGAlumB
    1Password Alumni

    What is 1password mini? The mini part I mean.

    @kunder: Great questions! 1Password mini is the part of 1Password that handles communications with the browser extensions. You will be familiar with it from the 1Password 'keyhole' icon in the upper-right corner of the screen.

    How can I turn off and/or not use the browser extension if I think it is not too much trouble?

    You can easily uninstall the browser extensions. However, this is not recommended, because (A) if your Mac is compromised information can be collected in other ways (separate from 1Password), and (B) using the browser extension is still safer than copying and pasting or manually entering login credentials on a compromised system. The best thing to do is not install unknown apps, use the browser extensions, and keep mini running at all times to prevent malware from impersonating it.

    When you talk about extensions are we meaning anytime we use 1browser to log in or the new extension capability that allows me to open 1password through safari or are they basically the same?

    I am sorry for the confusion! Due to the way this has been represented in the press, I think a lot of people are under the impression that the exploits target 1Password across different platforms, but this is not the case. This particular vulnerability does not affect iOS, only OS X. You can continue using 1Browser in 1Password for iOS or its iOS extension without worry. :)

    Macs, on the other hand, were not designed with this type of security in mind (OS X has its roots in NextStep, back in the 1990s). Apple has been adding security features to OS X in recent years (slowly, as to not break things all at once for Mac apps), but it was not designed with this in mind (as iOS was in the late 2000s). I hope this helps! :)

  • AGAlumB
    1Password Alumni

    It has just occurred to me that malware that steals data is no danger until it gets a chance to upload that data to the attacker. Would a program like Little Snitch reveal and prevent such an attempt, or could the malware hitchhike on some legitimate process?

    @danco: That is a really great point as well. Significantly, the paper focuses exclusively on exploitation and data collection. It isn't clear that this was considered. After all, the researchers weren't actually trying to steal information for personal gain (which would require them to successfully transmit the collected data to themselves); they were merely trying to prove that vulnerabilities existed and could be successfully exploited.

    It may be that they have a plan for retrieving the data once it's been collected (after all, compromising the system is the harder part), but I don't think that was important to them from an academic perspective; that's more of a practical issue. But of course the practical is what matters most to us as users!

    I can only speculate to say that if the malware is able to impersonate 1Password mini, it could likely just as easily masquerade as such when transmitting data; so it may be that LittleSnitch would just see "1Password", pop up a warning, and the user would simply allow it.

    But ultimately the real danger is that malware is able to compromise the system and/or apps in the first place, as once the data is collected it is relatively trivial to exfiltrate it. These types of issues have become commonplace on the Windows platform in the past decade, and Microsoft has responded in kind. While it is disheartening that something like this has made its way to OS X, it was only a matter of time; and I feel confident that Apple will respond appropriately — although these types of issues can never truly be fixed "soon enough".

  • AGAlumB
    1Password Alumni

    Basically, you should assume that, even with Little Snitch or similar active, exfiltration is trivial. [...] But even without those, you can piggyback on the defaults, or use pretty much any of the browsers on your system to upload data somewhere.

    @sindarina: Well put. Nobody is going to block their own browser. :)

    Similarly, my thinking is that the hard part is done at that point, which I suspect is why the researchers didn't bother to address that question.

    Which brings us back to the main problem; if your system is compromised, it is no longer yours, so your main focus should always be on preventing that. Be very careful in what you install, especially if it claims to be free, or lets you download content you'd otherwise need to pay for.

    Words to live by!

    Okay, I give up. I could go on quoting your entire post, so instead I'll just say read this. :lol:

    I don't think this is off-topic at all, under the circumstances. Thanks for sharing that! :chuffed:

  • eltel
    Community Member

    Other things to consider are (and sorry if these have been mentioned elsewhere) but are worth noting.

    1) The App Store preferences in System Preferences. Until now I had mine set Check Automatically and to download updates in the background and notify when ready to install. I've turned that off so at least nothing should get downloaded let alone installed until I have had the opportunity to check with the App developers site or any other source to see if there is a latest "genuine release"

    2) Ensure you have a separate admin user account and not have admin rights on your normal user account - this will ensure that any new install or update will require separate authentication and make you think - "did I ask for this?"

    3) Subscribe to the MAC-specific RSS feeds of sites like The Safe MAC, TIDBITS, and OSX daily, The Register (security) and of course Agilebits for latest developments where issues like this will be flagged and developments reported.

    One question for Agilebits - those of us reading this thread and blog have probably got here by virtue of reading about the problem online. I would imagine you have many customers who are blissfully ignorant of the problem - I know some who were. Are you going to email everyone and notify them?

  • rschmid
    Community Member

    Hello,

    when will this security leak in 1Password for Mac be fixed?
    Cannot find the option to configure that 1Password mini runs permanently. My favorite browser is safari.
    Am I at risk now??

    Another point in the earlier versions of 1Password one could save 1Password data store in the iCloud. Now only dropbox works.
    Will I be able in future to choose my own cloud service like Microsoft OneDrive or Amazon Webservices or what ever?

    Kind regards,
    Roland


    1Password Version: 5.3.2
    Extension Version: 4.3.1
    OS Version: 10.10.3 (Yosemite)
    Sync Type: Dropbox

  • AGAlumB
    1Password Alumni

    @sindarina, @eltel: Indeed. Apps are signed by both Apple and the developer, so there's no way to impersonate an app on the App Store itself (other than name squatting). If one developer's app is downloaded from the App Store, future updates for that app will also be from that developer. In spite of the security issues we're all being confronted with this week, Apple has gotten a lot of things right. :)

  • danco
    Volunteer Moderator

    AgileBits have looked at using other methods of syncing, but it is harder than it appears at first sight. I am sure they will keep trying, but I don't expect it will be possible soon.

    Due to changes made by Apple, iCloud sync is only available in the version bought from the Mac App Store, and there is no way of AgileBits giving a discount to those who bought direct.

    The security problem is deep in the OS, it's not a 1PW issue. Of course AgileBits are trying to prevent the problem affecting 1PW, but so far have not been able to. For more information look at https://discussions.agilebits.com/discussion/42900/osx-and-ios-1pw-keychain-vulnerability-report-on-the-register#latest and https://blog.agilebits.com/2015/06/17/1password-inter-process-communication-discussion/

    Part of the problem is that the researchers were able to get malware into the App Store without Apple's security checks noticing. I don't think anyone is currently at risk, but it would be a good idea not to download software even from the App Store unless you feel you can already trust the developer.

    The option about 1PW mini is the very first option in the General section of 1PW preferences.

  • hawkmoth
    Community Member

    @rschmid - I merged your post into the discussion about this issue in the Lounge section of the forum, along with @danco's reply. It's best to try to keep the discussions together.

  • rschmid
    Community Member

    @hawkmoth thank you

  • rschmid
    Community Member

    @danco is this the right moment to install an endpoint protection? I never thought it would be necessary on an OSX computer

  • rschmid
    Community Member

    @sindarina Indeed best endpoint protection is common sense :)

    We all have a lot of user accounts and passwords, I do not want to write them all down on a piece of paper. I need a password manager like 1Password. I am sure 1Password is secure, but only as long as the based system OS is not compromised.
    Once a support member of agile bits told me that the data from 1Password which I synchronize with a cloud service leaves the application encrypted so there is no abuse of my passwords possible when data is stored in the cloud. Is this true?
    I like 1Password because they have developers not only in the US but also Canada and Europe. In my opinion that makes them a bit independent of the big NSA.
    Am I able to identify by digital fingerprint who is the maintainer of a software I am going to download? (e.g. 1Passwordmini extension)

    Kind regards,
    Roland

  • rschmid
    Community Member

    @danco Is there any comment from Apple about the fact that researchers could get malware into AppStore without Apple's security checks noticing?

  • danco
    Volunteer Moderator

    Hi, @rschmid
    I am no expert on these things. Just a person with curiosity who reads a lot and remembers a lot.

    The thing is that one cannot test for malware one does not know about (except for simple variants of known malware), one cannot check what a program does in all circumstances to make sure that it only does what it claims to do. And this attack was completely new, it could not be looked for because it was not known that there was anything to look for.

    I hear that Apple has announced some new security measures on the App Store. I am not yet sure how well the present attack is covered.

  • AGAlumB
    1Password Alumni
    edited June 2015

    @danco is this the right moment to install an endpoint protection? I never thought it would be necessary on an OS X computer

    @rschmid: Ultimately that is a decision only you can make. However, it may not help with this particular exploit.

    "With great power comes great responsibility." —Uncle Ben

    Antivirus software cannot protect you from two things generally: user error, and unknown new threats. While the vendors may be able to update to scan for this particular type of malware, this is a moving target as both white- and black-hat hackers will find creative ways to avoid detection. But most importantly, there is only so much any security can do to protect us from ourselves. In the end, you cannot be prevented from downloading and running apps on your own computer, malicious or otherwise. So we will always be the most exploitable hole in our own security.

    I apologize if this sounds dire, but the flipside is that if we stay informed and vigilant, we can simply avoid activities which put ourselves (and our systems) at risk. We have the power. :)

    Edit: I see that sindarina beat me to it (for some reason I wasn't seeing new posts even after refreshing).

  • elias
    Community Member
    edited June 2015

    Hello,

    I've read the topic with great interest and my main question is, how to make the Master-Password more secure. 1Password should have the ability to create One Time Passwords, Two-Factor-Authentication or support Hardware Tokens like Yubikey or similar. Or the ability to insert a device (e.g. Smartphone) to get an additional code to approve you are the owner.

    For example: If in Lastpass the Two-Factor-Authentication is enabled you get a printed document with an Ascii-table. If you insert your Master-Password, LP asks you randomly to input some of the characters created in this table. Ok, I know if the System is compromised that does not help to prevent the Malware to get your Master-Password.

    Here is what I mean: https://helpdesk.lastpass.com/multifactor-authentication-options/grid-multifactor-authentication/

  • Stephen_C
    Community Member

    @elias you may find it interesting to take a look generally at the security knowledge base—and, specifically, at these articles in it:

    Authentication vs. Encryption

    Toward Better Master Passwords

    Stephen

  • elias
    Community Member

    Haha :) The Password Minder is my favourite

This discussion has been closed.